3593 changed files with 204068 additions and 516439 deletions
--- a/.ci/apt-internal.gitlab-ci.yml
+++ b/.ci/apt-internal.gitlab-ci.yml
@ -1,151 +0,0 @@
 .register_inputs: &register_inputs
  stage: release-internal
  runOnBranches: "^master$"
  COMPONENT: "common"
 .register_inputs_stable_bookworm: &register_inputs_stable_bookworm
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "bookworm"
  SERIES: "stable"
 .register_inputs_stable_trixie: &register_inputs_stable_trixie
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "trixie"
  SERIES: "stable"
 .register_inputs_next_bookworm: &register_inputs_next_bookworm
  <<: *register_inputs
  FLAVOR: "bookworm"
  SERIES: next
 .register_inputs_next_trixie: &register_inputs_next_trixie
  <<: *register_inputs
  FLAVOR: "trixie"
  SERIES: next
 ################################################
 ### Generate Debian Package for Internal APT ###
 ################################################
 .cloudflared-apt-build: &cloudflared_apt_build
  stage: package
  needs:
    - ci-image-get-image-ref
    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
  image: $BUILD_IMAGE
  cache: {}
  script:
    - make cloudflared-deb
  artifacts:
    paths:
      - cloudflared*.deb
 ##############
 ### Stable ###
 ##############
 cloudflared-amd64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &amd64-stable-vars
    GOOS: linux
    GOARCH: amd64
    FIPS: true
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 cloudflared-arm64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &arm64-stable-vars
    GOOS: linux
    GOARCH: arm64
    FIPS: false # TUN-7595
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 ############
 ### Next ###
 ############
 cloudflared-amd64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *amd64-stable-vars
    NIGHTLY: true
 cloudflared-arm64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *arm64-stable-vars
    NIGHTLY: true
 include:
  - local: .ci/commons.gitlab-ci.yml
  ##########################################
  ### Publish Packages to Internal Repos ###
  ##########################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-amd64
      needs: &amd64-stable ["cloudflared-amd64-stable"]
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-arm64
      needs: &arm64-stable ["cloudflared-arm64-stable"]
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-amd64
      needs: *amd64-stable
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-arm64
      needs: *arm64-stable
  ##################################################
  ### Publish Nightly Packages to Internal Repos ###
  ##################################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-amd64
      needs: &amd64-next ['cloudflared-amd64-next']
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-arm64
      needs: &arm64-next ['cloudflared-arm64-next']
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-amd64
      needs: *amd64-next
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-arm64
      needs: *arm64-next
--- a/.ci/ci-image.gitlab-ci.yml
+++ b/.ci/ci-image.gitlab-ci.yml
@ -1,31 +0,0 @@
 # Builds a custom CI Image when necessary
 include:
  #####################################################
  ############## Build and Push CI Image ##############
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnChangesTo: [".ci/image/**"]
      runOnMR: true
      runOnBranches: '^master$'
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
  #####################################################
  ## Resolve the image reference for downstream jobs ##
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
    inputs:
      stage: pre-build
      jobPrefix: ci-image
      runOnMR: true
      runOnBranches: '^master$'
      IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
      VARIABLE_NAME: BUILD_IMAGE
      needs:
        - job: ci-image-build-push-image
          optional: true
--- a/.ci/commons.gitlab-ci.yml
+++ b/.ci/commons.gitlab-ci.yml
@ -1,45 +0,0 @@
 ## A set of predefined rules to use on the different jobs
 .default-rules:
  # Rules to run the job only on the master branch
  run-on-master:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only on merge requests
  run-on-mr:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: on_success
    - when: never
  # Rules to run the job on merge_requests and master branch
  run-always:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    - when: never
  # Rules to run the job only when a release happens
  run-on-release:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
          - 'RELEASE_NOTES'
      when: on_success
    - when: never
 .component-tests:
  image: $BUILD_IMAGE
  rules:
    - !reference [.default-rules, run-always]
  variables:
    COMPONENT_TESTS_CONFIG: component-test-config.yaml
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
  secrets:
    DNS_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
      file: false
    COMPONENT_TESTS_ORIGINCERT:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
      file: false
  cache: {}
--- a/.ci/github.gitlab-ci.yml
+++ b/.ci/github.gitlab-ci.yml
@ -1,17 +0,0 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ######################################
 ### Sync master branch with Github ###
 ######################################
 push-github:
  stage: sync
  rules:
    - !reference [.default-rules, run-on-master]
  script:
    - ./.ci/scripts/github-push.sh
  secrets:
    CLOUDFLARED_DEPLOY_SSH_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
      file: false
  cache: {}
--- a/.ci/image/.docker-images
+++ b/.ci/image/.docker-images
@ -1,2 +0,0 @@
 images:
  - name: ci-image
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@ -1,35 +0,0 @@
 ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
 FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/bookworm/main:2025.7.0@sha256:6350da2f7e728dae2c1420f6dafc38e23cacc0b399d3d5b2f40fe48d9c8ff1ca
 RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install --no-install-recommends --allow-downgrades -y \
        build-essential \
        git \
        go-boring=1.24.9-1 \
        libffi-dev \
        procps \
        python3-dev \
        python3-pip \
        python3-setuptools \
        python3-venv \
        # libmsi and libgcab are libraries the wixl binary depends on.
        libmsi-dev \
        libgcab-dev \
        # deb and rpm build tools
        rubygem-fpm \
        rpm \
        # create deb and rpm repository files
        reprepro \
        createrepo-c \
        # gcc for cross architecture compilation in arm
        gcc-aarch64-linux-gnu \
        libc6-dev-arm64-cross && \
    rm -rf /var/lib/apt/lists/* && \
    # Install wixl
    curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
    chmod a+x /usr/local/bin/wixl && \
    mkdir -p opt
 WORKDIR /opt
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@ -1,122 +0,0 @@
 .golang-inputs: &golang_inputs
  runOnMR: true
  runOnBranches: '^master$'
  outputDir: artifacts
  runner: linux-x86-8cpu-16gb
  stage: build
  golangVersion: "boring-1.24"
  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
  CGO_ENABLED: 1
 .default-packaging-job: &packaging-job-defaults
  stage: package
  needs:
    - ci-image-get-image-ref
  rules:
    - !reference [.default-rules, run-on-master]
  image: $BUILD_IMAGE
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 include:
  ###################
  ### Linux Build ###
  ###################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-build
      GOLANG_MAKE_TARGET: ci-build
  ########################
  ### Linux FIPS Build ###
  ########################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      jobPrefix: linux-fips-build
      GOLANG_MAKE_TARGET: ci-fips-build
  #################
  ### Unit Tests ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test
      GOLANG_MAKE_TARGET: ci-test
  ######################
  ### Unit Tests FIPS ##
  ######################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      stage: test
      jobPrefix: test-fips
      GOLANG_MAKE_TARGET: ci-fips-test
  #################
  ### Vuln Check ##
  #################
  - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
    inputs:
      <<: *golang_inputs
      runOnBranches: '^$'
      stage: validate
      jobPrefix: vulncheck
      GOLANG_MAKE_TARGET: vulncheck
 #################################
 ### Run Linux Component Tests ###
 #################################
 linux-component-tests: &linux-component-tests
  stage: test
  extends: .component-tests
  needs:
    - ci-image-get-image-ref
    - linux-build-boring-make
  script:
    - ./.ci/scripts/component-tests.sh
  variables: &component-tests-variables
    CI: 1
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
  tags:
    - linux-x86-8cpu-16gb
  artifacts:
    reports:
      junit: report.xml
 ######################################
 ### Run Linux FIPS Component Tests ###
 ######################################
 linux-component-tests-fips:
  <<: *linux-component-tests
  needs:
    - ci-image-get-image-ref
    - linux-fips-build-boring-make
  variables:
    <<: *component-tests-variables
    COMPONENT_TESTS_FIPS: 1
 ################################
 ####### Linux Packaging ########
 ################################
 linux-packaging:
  <<: *packaging-job-defaults
  parallel:
    matrix:
      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
  script:
    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
 ################################
 ##### Linux FIPS Packaging #####
 ################################
 linux-packaging-fips:
  <<: *packaging-job-defaults
  script:
    - ./.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@ -1,66 +0,0 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###############################
 ### Defaults for Mac Builds ###
 ###############################
 .mac-build-defaults: &mac-build-defaults
  rules:
    - !reference [.default-rules, run-on-mr]
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  cache: {}
 ######################################
 ### Build Cloudflared Mac Binaries ###
 ######################################
 macos-build-cloudflared: &mac-build
  <<: *mac-build-defaults
  stage: build
  artifacts:
    paths:
      - artifacts/*
  script:
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    - ./.ci/scripts/mac/install-go.sh
    - BUILD_SCRIPT=.ci/scripts/mac/build.sh
    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    - exec ${BUILD_SCRIPT}
 ###############################################
 ### Build and Sign Cloudflared Mac Binaries ###
 ###############################################
 macos-build-and-sign-cloudflared:
  <<: *mac-build
  rules:
    - !reference [.default-rules, run-on-master]
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
      file: false
--- a/.ci/release.gitlab-ci.yml
+++ b/.ci/release.gitlab-ci.yml
@ -1,133 +0,0 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
  ######################################
  ### Build and Push DockerHub Image ###
  ######################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
    inputs:
      stage: release
      jobPrefix: docker-hub
      runOnMR: false
      runOnBranches: '^master$'
      runOnChangesTo: ['RELEASE_NOTES']
      needs:
        - generate-version-file
        - release-cloudflared-to-r2
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      # Based on if the CI reference is protected or not the CI component will
      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
      # we simply set both to the same value.
      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
      DOCKER_USER_PROD: *docker-hub-user
      DOCKER_PASSWORD_PROD: *docker-hub-password
      EXTRA_DIB_ARGS: --overwrite
 .default-release-job: &release-job-defaults
  stage: release
  image: $BUILD_IMAGE
  cache:
    paths:
      - .cache/pip
  variables: &release-job-variables
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # KV Vars
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
    # R2 Vars
    R2_BUCKET: cloudflared-pkgs
    R2_ACCOUNT_ID: *cf-account
    # APT and RPM Repository Vars
    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
    BINARY_NAME: cloudflared
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
    R2_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
      file: false
    R2_CLIENT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
      file: false
 ###########################################
 ### Push Cloudflared Binaries to Github ###
 ###########################################
 release-cloudflared-to-github:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging
    - linux-packaging-fips
    - macos-build-and-sign-cloudflared
    - windows-package-sign
  script:
    - ./.ci/scripts/release-target.sh github-release
 #########################################
 ### Upload Cloudflared Binaries to R2 ###
 #########################################
 release-cloudflared-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
    - release-cloudflared-to-github
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #################################################
 ### Upload Cloudflared Nightly Binaries to R2 ###
 #################################################
 release-cloudflared-nightly-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *release-job-variables
    R2_BUCKET: cloudflared-pkgs-next
    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #############################
 ### Generate Version File ###
 #############################
 generate-version-file:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
  script:
    - make generate-docker-version
  artifacts:
    paths:
      - versions
--- a/.ci/scripts/component-tests.sh
+++ b/.ci/scripts/component-tests.sh
@ -1,25 +0,0 @@
 #!/bin/bash
 set -e -o pipefail
 # Fetch cloudflared from the artifacts folder
 mv ./artifacts/cloudflared ./cloudflared
 python3 -m venv env
 . env/bin/activate
 pip install --upgrade -r component-tests/requirements.txt
 # Creates and routes a Named Tunnel for this build. Also constructs
 # config file from env vars.
 python3 component-tests/setup.py --type create
 # Define the cleanup function
 cleanup() {
    # The Named Tunnel is deleted and its route unprovisioned here.
    python3 component-tests/setup.py --type cleanup
 }
 # The trap will call the cleanup function on script exit
 trap cleanup EXIT
 pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
--- a/.ci/scripts/fmt-check.sh
+++ b/.ci/scripts/fmt-check.sh
@ -1,13 +0,0 @@
 #!/bin/bash
 set -e -o pipefail
 OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
 if [ -n "$OUTPUT" ] ; then
  PAGER=$(which colordiff || echo cat)
  echo
  echo "Code formatting issues found, use 'make fmt' to correct them"
  echo
  echo "$OUTPUT" | $PAGER
  exit 1
 fi
--- a/.ci/scripts/github-push.sh
+++ b/.ci/scripts/github-push.sh
@ -1,31 +0,0 @@
 #!/bin/bash
 set -e -o pipefail
 BRANCH="master"
 TMP_PATH="$PWD/tmp"
 PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
 PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
 mkdir -p $TMP_PATH
 # Setup Private Key
 echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
 chmod 400 $PRIVATE_KEY_PATH
 # Download GitHub Public Key for KnownHostsFile
 ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
 # Setup git ssh command with the right configurations
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
 # Add GitHub as a new remote
 git remote add github git@github.com:cloudflare/cloudflared.git || true
 # GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
 # Therefore, we need to manually fetch the reference to then push it to GitHub.
 git fetch origin $BRANCH:$BRANCH
 git push -u github $BRANCH
 if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
  git push -u github "$TAG"
 fi
--- a/.ci/scripts/linux/build-packages-fips.sh
+++ b/.ci/scripts/linux/build-packages-fips.sh
@ -1,26 +0,0 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 arch=("amd64")
 export TARGET_ARCH=$arch
 export TARGET_OS=linux
 export FIPS=true
 # For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
 export CGO_ENABLED=1
 make cloudflared-deb
 mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION | sed -r 's/-/_/g')
 RPMARCH="x86_64"
 make cloudflared-rpm
 mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch
--- a/.ci/scripts/linux/build-packages.sh
+++ b/.ci/scripts/linux/build-packages.sh
@ -1,59 +0,0 @@
 #!/bin/bash
 # Check if architecture argument is provided
 if [ $# -eq 0 ]; then
    echo "Error: Architecture argument is required"
    echo "Usage: $0 <architecture>"
    exit 1
 fi
 # Parameters
 arch=$1
 # Get Version
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 export TARGET_OS=linux
 unset TARGET_ARM
 export TARGET_ARCH=$arch
 ## Support for arm platforms without hardware FPU enabled
 if [[ $arch == arm ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=5
 fi
 ## Support for armhf builds
 if [[ $arch == armhf ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=7
 fi
 make cloudflared-deb
 mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH=$arch
 if [ $arch == "amd64" ];then
    RPMARCH="x86_64"
 fi
 if [ $arch == "arm64" ]; then
    RPMARCH="aarch64"
 fi
 make cloudflared-rpm
 mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
--- a/.ci/scripts/mac/build.sh
+++ b/.ci/scripts/mac/build.sh
@ -1,228 +0,0 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
 then
  echo "TARGET_ARCH must be amd64 or arm64"
  exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 APPLE_CA_CERT="apple_dev_ca.cert"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 # Imports certificates to the Apple KeyChain
 import_certificate() {
    local CERTIFICATE_NAME=$1
    local CERTIFICATE_ENV_VAR=$2
    local CERTIFICATE_FILE_NAME=$3
    echo "Importing $CERTIFICATE_NAME"
    if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
      # write certificate to disk and then import it keychain
      echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
      # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
      # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
      local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
      local exitcode=$?
      # delete the certificate from disk
      rm -rf ${CERTIFICATE_FILE_NAME}
      if [ -n "$out" ]; then
        if [ $exitcode -eq 0 ]; then
            echo "$out"
        else
            if [ "$out" != "${SEC_DUP_MSG}" ]; then
                echo "$out" >&2
                exit $exitcode
            else
                echo "already imported code signing certificate"
            fi
        fi
      fi
    fi
 }
 create_cloudflared_build_keychain() {
  # Reusing the private key password as the keychain key
  local PRIVATE_KEY_PASS=$1
  # Create keychain only if it doesn't already exist
  if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
    security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
  else
    echo "Keychain already exists: cloudflared_build_keychain"
  fi
  # Append temp keychain to the user domain
  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
  # Remove relock timeout
  security set-keychain-settings cloudflared_build_keychain
  # Unlock keychain so it doesn't require password
  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
 }
 # Imports private keys to the Apple KeyChain
 import_private_keys() {
    local PRIVATE_KEY_NAME=$1
    local PRIVATE_KEY_ENV_VAR=$2
    local PRIVATE_KEY_FILE_NAME=$3
    local PRIVATE_KEY_PASS=$4
    echo "Importing $PRIVATE_KEY_NAME"
    if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
      if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
        # write private key to disk and then import it keychain
        echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
        # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
        # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
        local exitcode=$?
        rm -rf ${PRIVATE_KEY_FILE_NAME}
        if [ -n "$out" ]; then
          if [ $exitcode -eq 0 ]; then
              echo "$out"
          else
              if [ "$out" != "${SEC_DUP_MSG}" ]; then
                  echo "$out" >&2
                  exit $exitcode
              fi
          fi
        fi
      fi
    fi
 }
 # Create temp keychain only for this build
 create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
 # Add Apple Root Developer certificate to the key chain
 import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
 # Add code signing private key to the key chain
 import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
 # Add code signing certificate to the key chain
 import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
 # Add package signing private key to the key chain
 import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
 # Add package signing certificate to the key chain
 import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # cleanup the build directory because the previous execution might have failed without cleaning up.
 rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # This allows apple tools to use the certificates in the keychain without requiring password input.
 # This command always needs to run after the certificates have been loaded into the keychain
 if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
  security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
 fi
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
 rm -rf $ARCH_TARGET_DIRECTORY
 mkdir -p "${ARCH_TARGET_DIRECTORY}"
 mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --keychain cloudflared_build_keychain \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
 # cleanup the keychain
 security default-keychain -d user -s login.keychain-db
 security list-keychains -d user -s login.keychain-db
 security delete-keychain cloudflared_build_keychain
--- a/.ci/scripts/mac/install-go.sh
+++ b/.ci/scripts/mac/install-go.sh
@ -1,10 +0,0 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 brew install go@1.24
 go version
 which go
 go env
--- a/.ci/scripts/package-windows.sh
+++ b/.ci/scripts/package-windows.sh
@ -1,23 +0,0 @@
 #!/bin/bash
 python3 -m venv env
 . env/bin/activate
 pip install pynacl==1.4.0 pygithub==1.55
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export BUILT_ARTIFACT_DIR=artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy .exe from artifacts directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
 done
--- a/.ci/scripts/release-target.sh
+++ b/.ci/scripts/release-target.sh
@ -1,18 +0,0 @@
 #!/bin/bash
 set -e -o pipefail
 # Check if a make target is provided as an argument
 if [ $# -eq 0 ]; then
    echo "Error: Make target argument is required"
    echo "Usage: $0 <make-target>"
    exit 1
 fi
 MAKE_TARGET=$1
 python3 -m venv venv
 source venv/bin/activate
 # Our release scripts are written in python, so we should install their dependecies here.
 pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
 make $MAKE_TARGET
--- a/.ci/scripts/vuln-check.sh
+++ b/.ci/scripts/vuln-check.sh
@ -1,52 +0,0 @@
 #!/bin/bash
 set -e
 # Define the file to store the list of vulnerabilities to ignore.
 IGNORE_FILE=".vulnignore"
 # Check if the ignored vulnerabilities file exists. If not, create an empty one.
 if [ ! -f "$IGNORE_FILE" ]; then
    touch "$IGNORE_FILE"
    echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
    echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
    echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
    echo "" >> "$IGNORE_FILE"
 fi
 # Run govulncheck and capture its output.
 VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
 # Print the govuln output
 echo "====================================="
 echo "Full Output of govulncheck:"
 echo "====================================="
 echo "$VULN_OUTPUT"
 echo "====================================="
 echo "End of govulncheck Output"
 echo "====================================="
 # Process the ignore file to remove comments and empty lines.
 # The 'cut' command gets the vulnerability ID and removes anything after the '#'.
 # The 'grep' command filters out empty lines and lines starting with '#'.
 CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
 # Filter out the ignored vulnerabilities.
 UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
 # If the list of ignored vulnerabilities is not empty, filter them out.
 if [ -n "$CLEAN_IGNORES" ]; then
    UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
 fi
 # If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
 if [ -n "$UNIGNORED_VULNS" ]; then
    echo "🚨 Found new, unignored vulnerabilities:"
    echo "-------------------------------------"
    echo "$UNIGNORED_VULNS"
    echo "-------------------------------------"
    echo "Exiting with an error. ❌"
    exit 1
 else
    echo "🎉 No new vulnerabilities found. All clear! ✨"
    exit 0
 fi
--- a/.ci/scripts/windows/builds.ps1
+++ b/.ci/scripts/windows/builds.ps1
@ -1,29 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 New-Item -Path ".\artifacts" -ItemType Directory
 Write-Output "Building for amd64"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 # Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:TARGET_ARCH = "386"
 $env:LOCAL_ARCH = "386"
 $env:CGO_ENABLED = 0
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 ## Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe
--- a/.ci/scripts/windows/component-test.ps1
+++ b/.ci/scripts/windows/component-test.ps1
@ -1,40 +0,0 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $env:TARGET_ARCH = "amd64"
 $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 python --version
 python -m pip --version
 Write-Host "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 Write-Host "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 go test -failfast -v -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 # On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
 $env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
 Write-Host "No Proxy: ${env:NO_PROXY}"
 Write-Host "Running component tests"
 try {
    python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
    python component-tests/setup.py --type create
    python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
    if ($LASTEXITCODE -ne 0) {
        throw "Failed component tests"
    }
 } finally {
    python component-tests/setup.py --type cleanup
 }
--- a/.ci/scripts/windows/go-wrapper.ps1
+++ b/.ci/scripts/windows/go-wrapper.ps1
@ -1,69 +0,0 @@
 Param(
    [string]$GoVersion,
    [string]$ScriptToExecute
 )
 # The script is a wrapper that downloads a specific version
 # of go, adds it to the PATH and executes a script with that go
 # version in the path.
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Get the path to the system's temporary directory.
 $tempPath = [System.IO.Path]::GetTempPath()
 # Create a unique name for the new temporary folder.
 $folderName = "go_" + (Get-Random)
 # Join the temp path and the new folder name to create the full path.
 $fullPath = Join-Path -Path $tempPath -ChildPath $folderName
 # Store the current value of PATH environment variable.
 $oldPath = $env:Path
 # Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
 try {
    # Create the temporary folder.
    Write-Host "Creating temporary folder at: $fullPath"
    $newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
    # Download go
    $url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
    $destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
    Write-Host "Downloading go from: $url"
    Invoke-WebRequest -Uri $url -OutFile $destinationFile
    Write-Host "File downloaded to: $destinationFile"
    # Unzip the downloaded file.
    Write-Host "Unzipping the file..."
    Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
    Write-Host "File unzipped successfully."
    # Define the go/bin path wich is inside the temporary folder
    $goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
    # Add the go/bin path to the PATH environment variable.
    $env:Path = "$goBinPath;$($env:Path)"
    Write-Host "Added $goBinPath to the environment PATH."
    go env
    go version
    & $ScriptToExecute
 } finally {
    # Cleanup: Remove the path from the environment variable and then the temporary folder.
    Write-Host "Starting cleanup..."
    $env:Path = $oldPath
    Write-Host "Reverted changes in the environment PATH."
    # Remove the temporary folder and its contents.
    if (Test-Path -Path $fullPath) {
        Remove-Item -Path $fullPath -Recurse -Force
        Write-Host "Temporary folder and its contents have been removed."
    } else {
        Write-Host "Temporary folder does not exist, no cleanup needed."
    }
 }
--- a/.ci/scripts/windows/sign-msi.ps1
+++ b/.ci/scripts/windows/sign-msi.ps1
@ -1,26 +0,0 @@
 # Sign Windows artifacts using azuretool
 # This script processes MSI files from the artifacts directory
 $ErrorActionPreference = "Stop"
 # Define paths
 $ARTIFACT_DIR = "artifacts"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
 # Find all Windows MSI files
 $msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
 if ($msiFiles.Count -eq 0) {
    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
    exit 1
 }
 Write-Host "Found $($msiFiles.Count) file(s) to sign:"
 foreach ($file in $msiFiles) {
    Write-Host "Running azuretool sign for $($file.Name)"
    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
 }
 Write-Host "Signing process completed"
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@ -1,114 +0,0 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
 ###################################
 ### Defaults for Windows Builds ###
 ###################################
 .windows-build-defaults: &windows-build-defaults
  rules:
    - !reference [.default-rules, run-always]
  tags:
    - windows-x86
  cache: {}
 ##########################################
 ### Build Cloudflared Windows Binaries ###
 ##########################################
 windows-build-cloudflared:
  <<: *windows-build-defaults
  stage: build
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
  artifacts:
    paths:
      - artifacts/*
 ######################################################
 ### Load Environment Variables for Component Tests ###
 ######################################################
 windows-load-env-variables:
  stage: pre-build
  extends: .component-tests
  script:
    - echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
    - echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
  variables:
    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
  secrets:
    KEY_VAULT_URL:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
      file: false
    KEY_VAULT_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
      file: false
    KEY_VAULT_TENANT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
      file: false
    KEY_VAULT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
      file: false
    KEY_VAULT_CERTIFICATE:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
      file: false
  artifacts:
    access: 'none'
    reports:
      dotenv: windows.env
 ###################################
 ### Run Windows Component Tests ###
 ###################################
 windows-component-tests-cloudflared:
  <<: *windows-build-defaults
  stage: test
  needs: ["windows-load-env-variables"]
  script:
    # We have to decode the secret we encoded on the `windows-load-env-variables` job
    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
  artifacts:
    reports:
      junit: report.xml
 ################################
 ### Package Windows Binaries ###
 ################################
 windows-package:
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - ci-image-get-image-ref
    - windows-build-cloudflared
  image: $BUILD_IMAGE
  script:
    - .ci/scripts/package-windows.sh
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 #############################
 ### Sign Windows Binaries ###
 #############################
 windows-package-sign:
  <<: *windows-build-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - windows-package
    - windows-load-env-variables
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
  artifacts:
    paths:
      - artifacts/*
--- a/.docker-images
+++ b/.docker-images
@ -1,12 +1,8 @@
 images:
  - name: cloudflared
-    dockerfile: Dockerfile.$ARCH
+    dockerfile: Dockerfile
    context: .
    version_file: versions
    registries:
    - name: docker.io/cloudflare
      user: env:DOCKER_USER
      password: env:DOCKER_PASSWORD
    architectures:
    - amd64
    - arm64
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1 @@
 .git
--- a/.github/ISSUE_TEMPLATE/---bug-report.md
+++ b/.github/ISSUE_TEMPLATE/---bug-report.md
@ -1,34 +0,0 @@
 ---
 name: "\U0001F41B Bug report"
 about: Create a report to help us improve cloudflared
 title: "\U0001F41B"
 labels: 'Priority: Normal, Type: Bug'
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Configure '...'
 2. Run '....'
 3. See error
 If it's an issue with Cloudflare Tunnel:
 4. Tunnel ID : 
 5. cloudflared config: 
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Environment and versions**
 - OS: [e.g. MacOS]
 - Architecture: [e.g. AMD, ARM]
 - Version: [e.g. 2022.02.0]
 **Logs and errors**
 If applicable, add logs or errors to help explain your problem.
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/---documentation.md
+++ b/.github/ISSUE_TEMPLATE/---documentation.md
@ -1,16 +0,0 @@
 ---
 name: "\U0001F4DD Documentation"
 about: Request new or updated documentation for cloudflared
 title: "\U0001F4DD"
 labels: 'Priority: Normal, Type: Documentation'
 ---
 **Available Documentation**
 A link to the documentation that is available today and the areas which could be improved. 
 **Suggested Documentation**
 A clear and concise description of the documentation, tutorial, or guide that should be added. 
 **Additional context**
 Add any other context or screenshots about the documentation request here.
--- a/.github/ISSUE_TEMPLATE/---feature-request.md
+++ b/.github/ISSUE_TEMPLATE/---feature-request.md
@ -1,16 +0,0 @@
 ---
 name: "\U0001F4A1 Feature request"
 about: Suggest a feature or enhancement for cloudflared
 title: "\U0001F4A1"
 labels: 'Priority: Normal, Type: Feature Request'
 ---
 **Describe the feature you'd like**
 A clear and concise description of the feature. What problem does it solve for you?
 **Describe alternatives you've considered**
 Are there any alternatives to solving this problem? If so, what was your experience with them?
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@ -1,18 +0,0 @@
 on: [push, pull_request]
 name: Check
 jobs:
  check:
    strategy:
      matrix:
        go-version: [1.22.x]
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - name: Install Go
      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.go-version }}
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Test
      run: make test
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -1,24 +0,0 @@
 on:
  pull_request: {}
  workflow_dispatch: {}
  push: 
    branches:
      - main
      - master
  schedule:
    - cron: '0 0 * * *'
 name: Semgrep config
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-latest
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      SEMGREP_URL: https://cloudflare.semgrep.dev
      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      - run: semgrep ci
--- a/.gitignore
+++ b/.gitignore
@ -1,20 +1,21 @@
-/tmp
+.GOPATH/
 bin/
 tmp/
 guide/public
 /.GOPATH
 /bin
 .idea
 .build
 .vscode
 \#*\#
 cscope.*
-/cloudflared
+cloudflared
-/cloudflared.pkg
+cloudflared.pkg
-/cloudflared.exe
+cloudflared.exe
-/cloudflared.msi
+cloudflared.msi
-/cloudflared-x86-64*
+cloudflared-x86-64*
-/cloudflared.1
+!cmd/cloudflared/
 /packaging
 .DS_Store
 *-session.log
 ssh_server_tests/.env
-/.cover
+.cover
 built_artifacts/
 component-tests/.venv
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,58 +0,0 @@
 variables:
  GO_VERSION: "go1.24.9"
  GIT_DEPTH: "0"
 default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org
 stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
 include:
  #####################################################
  ########## Import Commons Configurations ############
  #####################################################
  - local: .ci/commons.gitlab-ci.yml
  #####################################################
  ########### Sync Repository with Github #############
  #####################################################
  - local: .ci/github.gitlab-ci.yml
  #####################################################
  ############# Build or Fetch CI Image ###############
  #####################################################
  - local: .ci/ci-image.gitlab-ci.yml
  #####################################################
  ################## Linux Builds ###################
  #####################################################
  - local: .ci/linux.gitlab-ci.yml
  #####################################################
  ################## Windows Builds ###################
  #####################################################
  - local: .ci/windows.gitlab-ci.yml
  #####################################################
  ################### macOS Builds ####################
  #####################################################
  - local: .ci/mac.gitlab-ci.yml
  #####################################################
  ################# Release Packages ##################
  #####################################################
  - local: .ci/release.gitlab-ci.yml
  #####################################################
  ########## Release Packages Internally ##############
  #####################################################
  - local: .ci/apt-internal.gitlab-ci.yml
  #####################################################
  ############## Manual Claude Review #################
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
    inputs:
      whenToRun: "manual"
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -1,89 +0,0 @@
 linters:
  enable:
    # Some of the linters below are commented out. We should uncomment and start running them, but they return
    # too many problems to fix in one commit. Something for later.
    - asasalint        # Check for pass []any as any in variadic func(...any).
    - asciicheck       # Checks that all code identifiers does not have non-ASCII symbols in the name.
    - bidichk          # Checks for dangerous unicode character sequences.
    - bodyclose        # Checks whether HTTP response body is closed successfully.
    - decorder         # Check declaration order and count of types, constants, variables and functions.
    - dogsled          # Checks assignments with too many blank identifiers (e.g. x, , , _, := f()).
    - dupl             # Tool for code clone detection.
    - dupword          # Checks for duplicate words in the source code.
    - durationcheck    # Check for two durations multiplied together.
    - errcheck         # Errcheck is a program for checking for unchecked errors in Go code. These unchecked errors can be critical bugs in some cases.
    - errname          # Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error.
    - exhaustive       # Check exhaustiveness of enum switch statements.
    - gofmt            # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification.
    - goimports        # Check import statements are formatted according to the 'goimport' command. Reformat imports in autofix mode.
    - gosec            # Inspects source code for security problems.
    - gosimple         # Linter for Go source code that specializes in simplifying code.
    - govet            # Vet examines Go source code and reports suspicious constructs. It is roughly the same as 'go vet' and uses its passes.
    - ineffassign      # Detects when assignments to existing variables are not used.
    - importas         # Enforces consistent import aliases.
    - misspell         # Finds commonly misspelled English words.
    - prealloc         # Finds slice declarations that could potentially be pre-allocated.
    - promlinter       # Check Prometheus metrics naming via promlint.
    - sloglint         # Ensure consistent code style when using log/slog.
    - sqlclosecheck    # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
    - staticcheck      # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
    - usetesting       # Reports uses of functions with replacement inside the testing package.
    - testableexamples # Linter checks if examples are testable (have an expected output).
    - testifylint      # Checks usage of github.com/stretchr/testify.
    - tparallel        # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.
    - unconvert        # Remove unnecessary type conversions.
    - unused           # Checks Go code for unused constants, variables, functions and types.
    - wastedassign     # Finds wasted assignment statements.
    - whitespace       # Whitespace is a linter that checks for unnecessary newlines at the start and end of functions, if, for, etc.
    - zerologlint      # Detects the wrong usage of zerolog that a user forgets to dispatch with Send or Msg.
  # Other linters are disabled, list of all is here: https://golangci-lint.run/usage/linters/
 run:
  timeout: 5m
  modules-download-mode: vendor
 # output configuration options
 output:
  formats:
    - format: 'colored-line-number'
  print-issued-lines: true
  print-linter-name: true
 issues:
  # Maximum issues count per one linter.
  # Set to 0 to disable.
  # Default: 50
  max-issues-per-linter: 50
  # Maximum count of issues with the same text.
  # Set to 0 to disable.
  # Default: 3
  max-same-issues: 15
  # Show only new issues: if there are unstaged changes or untracked files,
  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
  # It's a super-useful option for integration of golangci-lint into existing large codebase.
  # It's not practical to fix all existing issues at the moment of integration:
  # much better don't allow issues in new code.
  #
  # Default: false
  new: true
  # Show only new issues created after git revision `REV`.
  # Default: ""
  new-from-rev: ac34f94d423273c8fa8fdbb5f2ac60e55f2c77d5
  # Show issues in any part of update files (requires new-from-rev or new-from-patch).
  # Default: false
  whole-files: true
  # Which dirs to exclude: issues from them won't be reported.
  # Can use regexp here: `generated.*`, regexp is applied on full path,
  # including the path prefix if one is set.
  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
  # "/" will be replaced by current OS file path separator to properly work on Windows.
  # Default: []
  exclude-dirs:
    - vendor
 linters-settings:
  # Check exhaustiveness of enum switch statements.
  exhaustive:
    # Presence of "default" case in switch statements satisfies exhaustiveness,
    # even if all enum members are not listed.
    # Default: false
    default-signifies-exhaustive: true
--- a/.teamcity/build-macos.sh
+++ b/.teamcity/build-macos.sh
@ -0,0 +1,187 @@
 #!/bin/bash
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # Add code signing private key to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
    # write private key to disk and then import it keychain
    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1)
    exitcode=$?
    if [ -n "$out" ]; then
      if [ $exitcode -eq 0 ]; then
          echo "$out"
      else
          if [ "$out" != "${SEC_DUP_MSG}" ]; then
              echo "$out" >&2
              exit $exitcode
          fi
      fi
    fi
    rm ${CODE_SIGN_PRIV}
  fi
 fi
 # Add code signing certificate to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1)
  exitcode1=$?
  if [ -n "$out1" ]; then
    if [ $exitcode1 -eq 0 ]; then
        echo "$out1"
    else
        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
            echo "$out1" >&2
            exit $exitcode1
        else 
            echo "already imported code signing certificate"
        fi
    fi
  fi
  rm ${CODE_SIGN_CERT}
 fi
 # Add package signing private key to the key chain
 if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
    # write private key to disk and then import it into the keychain
    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1)
    exitcode2=$?
    if [ -n "$out2" ]; then
      if [ $exitcode2 -eq 0 ]; then
          echo "$out2"
      else
          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
              echo "$out2" >&2
              exit $exitcode2
          fi
      fi
    fi
    rm ${INSTALLER_PRIV}
  fi
 fi
 # Add package signing certificate to the key chain
 if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
  out3=$(security import ${INSTALLER_CERT} -A 2>&1)
  exitcode3=$?
  if [ -n "$out3" ]; then
    if [ $exitcode3 -eq 0 ]; then
        echo "$out3"
    else
        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
            echo "$out3" >&2
            exit $exitcode3
        else 
            echo "already imported installer certificate"
        fi
    fi
  fi
  rm ${INSTALLER_CERT}
 fi
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
  # notarize the binary
  if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
    zip "${BINARY_NAME}.zip" ${BINARY_NAME} 
    xcrun altool --notarize-app -f "${BINARY_NAME}.zip" -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
  fi
 fi
 # creating build directory
 rm -rf $TARGET_DIRECTORY
 mkdir "${TARGET_DIRECTORY}"
 mkdir "${TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
        xcrun altool --notarize-app -f ${PKGNAME} -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
        xcrun stapler staple ${PKGNAME}
      fi
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${TARGET_DIRECTORY}/scripts \
      --root ${TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleaning up the build directory
 rm -rf $TARGET_DIRECTORY
--- a/.teamcity/update-homebrew.sh
+++ b/.teamcity/update-homebrew.sh
@ -0,0 +1,67 @@
 #!/bin/bash
 set -euo pipefail
 FILENAME="${PWD}/artifacts/cloudflared-darwin-amd64.tgz"
 if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
    echo "Skipping public release for an untagged commit."
    echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
    exit 0
 fi
 if [[ ! -f "$FILENAME" ]] ; then
    echo "Missing $FILENAME"
    exit 1
 fi
 if [[ "${GITHUB_PRIVATE_KEY:-}" == "" ]] ; then
    echo "Missing GITHUB_PRIVATE_KEY"
    exit 1
 fi
 # upload to s3 bucket for use by Homebrew formula
 s3cmd \
    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    put "$FILENAME" "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 s3cmd \
    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
    cp "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz" "s3://cftunnel-docs/dl/cloudflared-stable-darwin-amd64.tgz"
 SHA256=$(sha256sum "$FILENAME" | cut -b1-64)
 # set up git (note that UserKnownHostsFile is an absolute path so we can cd wherever)
 mkdir -p tmp
 ssh-keyscan -t rsa github.com > tmp/github.txt
 echo "$GITHUB_PRIVATE_KEY" > tmp/private.key
 chmod 0400 tmp/private.key
 export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PWD/tmp/github.txt -i $PWD/tmp/private.key -o IdentitiesOnly=yes"
 # clone Homebrew repo into tmp/homebrew-cloudflare
 git clone git@github.com:cloudflare/homebrew-cloudflare.git tmp/homebrew-cloudflare    
 cd tmp/homebrew-cloudflare
 git checkout -f master
 git reset --hard origin/master
 # modify cloudflared.rb
 URL="https://packages.argotunnel.com/dl/cloudflared-$VERSION-darwin-amd64.tgz"
 tee cloudflared.rb <<EOF
 class Cloudflared < Formula
  desc 'Argo Tunnel'
  homepage 'https://developers.cloudflare.com/argo-tunnel/'
  url '$URL'
  sha256 '$SHA256'
  version '$VERSION'
  def install
    bin.install 'cloudflared'
  end
 end
 EOF
 # push cloudflared.rb
 git add cloudflared.rb
 git diff
 git config user.name "cloudflare-warp-bot"
 git config user.email "warp-bot@cloudflare.com"
 git commit -m "Release Argo Tunnel $VERSION"
 git push -v origin master
--- a/.vulnignore
+++ b/.vulnignore
@ -1,3 +0,0 @@
 # Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
 # You can also add comments on the same line after the ID.
 GO-2025-3942 # Ignore core-dns vulnerability since we will be removing the proxy-dns feature in the near future
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,376 +1,16 @@
-## 2025.7.1
+# Experimental: This is a new format for release notes. The format and availability is subject to change.
 ### Notices
 - `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
 ## 2025.1.1
 ### New Features
 - This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
 ## 2024.12.2
 ### New Features
 - This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.
 ## 2024.12.1
 ### Notices
 - The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.
 ## 2024.10.0
 ### Bug Fixes
 - We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
 ## 2024.2.1
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
 ## 2023.9.0
 ### Notices
 - The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
 ## 2023.7.0
 ### New Features
 - You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
 ## 2023.4.1
 ### New Features
 - You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
 ## 2023.3.2
 ### Notices
 - Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)
 ## 2023.3.1
 ### Breaking Change
 - Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.
 ### Security Fixes
 - Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.
 ### Bug Fixes
 - Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.
 ## 2023.2.2
 ### Notices
 - Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.
 - h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.
 ## 2023.2.1
 ### Bug fixes
 - Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.
 - cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.
 - Fixed a bug introduced in the previous release where debug endpoints were removed.
 ## 2022.12.0
 ### Improvements
 - cloudflared now attempts to try other edge addresses before falling back to a lower protocol.
 - cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.
 - cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.
 ## 2022.9.0
 ### New Features
 - cloudflared now rejects ingress rules with invalid http status codes for http_status.
 ## 2022.8.1
 ### New Features
 - cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
  protocol on connection failures.
 ## 2022.7.1
 ### New Features
 - It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
 ### Bug Fixes
 - Several bug fixes related with QUIC transport (used between cloudflared tunnel and Cloudflare Global Network). Updating to this version is highly recommended.
 ## 2022.4.0
 ### Bug Fixes
 - `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret
 that allows to run the Tunnel.
 ## 2022.3.4
 ### New Features
 - It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is
 achievable with: `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for
 Tunnels created with cloudflared version 2022.3.0 or more recent.
 ### Bug Fixes
 - `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the
 behaviour in Windows and MacOS).
 ## 2022.3.3
 ### Bug Fixes
 - `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the
 behaviour in MacOS).
 ## 2022.3.1
 ### Bug Fixes
 - Various fixes to the reliability of `quic` protocol, including an edge case that could lead to cloudflared crashing.
 ## 2022.3.0
 ### New Features
 - It is now possible to configure Ingress Rules to point to an origin served by unix socket with either HTTP or HTTPS.
 If the origin starts with `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with
 `unix+tls:/` for HTTPS.
 ## 2022.2.1
 ### New Features
 - This project now has a new LICENSE that is more compliant with open source purposes.
 ### Bug Fixes
 - Various fixes to the reliability of `quic` protocol.
 ## 2022.1.3
 ### New Features
 - New `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR
 can now be used to point to two different Tunnels with `cloudflared tunnel route ip` command. More information will be
 made available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.
 ### Bug Fixes
 - Correctly handle proxying UDP datagrams with no payload.
 - Bug fix for origins that use Server-Sent Events (SSE).
 ## 2022.1.0
 ### Improvements
 - If a specific `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol
 (such as `http2`) in face of connectivity errors. This is important because some features are only supported in a specific
 protocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it
 no matter what.
 ### Bug Fixes
 - Stopping cloudflared running with `quic` protocol now respects graceful shutdown.
 ## 2021.12.2
 ### Bug Fixes
 - Fix logging when `quic` transport is used and UDP traffic is proxied.
 - FIPS compliant cloudflared binaries will now be released as separate artifacts. Recall that these are only for linux
 and amd64.
 ## 2021.12.1
 ### Bug Fixes
 - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption
 methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted
 FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
 ## 2021.12.0
 ### New Features
 - Cloudflared binary released for amd64 linux is now FIPS compliant.
 ### Improvements
 - Logging about connectivity to Cloudflare edge now only yields `ERR` level logging if there are no connections to
 Cloudflare edge that are active. Otherwise it logs `WARN` level.
 ### Bug Fixes
 - Fixes Github issue #501.
 ## 2021.11.0
 ### Improvements
 - Fallback from `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or 
 egress rule.
 ## 2021.10.4
 ### Improvements
 - Collect quic transport metrics on RTT, packets and bytes transferred.
 ### Bug Fixes
 - Fix race condition that was writing to the connection after the http2 handler returns.
 ## 2021.9.2
 ### New features
 - `cloudflared` can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add "protocol: quic" to your config.yml file or
 run cloudflared with the `--protocol quic` flag. e.g:
    `cloudflared tunnel --protocol quic run <tunnel-name>`
 ### Bug Fixes
 - Fixed some generic transport bugs in `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running `cloudflared`
 with `quic` protocol.
 - `cloudflared` docker images will now show version.
 ## 2021.8.4
 ### Improvements
 - Temporary tunnels (those hosted on trycloudflare.com that do not require a Cloudflare login) now run as Named Tunnels
 underneath. We recall that these tunnels should not be relied upon for production usage as they come with no guarantee
 of uptime. Previous cloudflared versions will soon be unable to run legacy temporary tunnels and will require an update
 (to this version or more recent).
 ## 2021.8.2
 ### Improvements
 - Because Equinox os shutting down, all cloudflared releases are now present [here](https://github.com/cloudflare/cloudflared/releases).
 [Equinox](https://dl.equinox.io/cloudflare/cloudflared/stable) will no longer receive updates. 
 ## 2021.8.0
 ### Bug fixes
 - Prevents tunnel from accidentally running when only proxy-dns should run. 
 ### Improvements
 - If auto protocol transport lookup fails, we now default to a transport instead of not connecting.
 ## 2021.6.0
 ### Bug Fixes
 - Fixes a http2 transport (the new default for Named Tunnels) to work with unix socket origins.
 ## 2021.5.10
 ### Bug Fixes
 - Fixes a memory leak in h2mux transport that connects cloudflared to Cloudflare edge.
 ## 2021.5.9
 ### New Features
 - Uses new Worker based login helper service to facilitate token exchange in cloudflared flows.
 ### Bug Fixes
 - Fixes Centos-7 builds.
 ## 2021.5.8
 ### New Features
 - When creating a DNS record to point a hostname at a tunnel, you can now use --overwrite-dns to overwrite any existing
  DNS records with that hostname. This works both when using the CLI to provision DNS, as well as when starting an adhoc
  named tunnel, e.g.:
  - `cloudflared tunnel route dns --overwrite-dns foo-tunnel foo.example.com`
  - `cloudflared tunnel --overwrite-dns --name foo-tunnel --hostname foo.example.com`
 ## 2021.5.7
 ### New Features
 - Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network.
 ## 2021.5.0
 ### New Features
 - It is now possible to run the same tunnel using more than one `cloudflared` instance. This is a server-side change and
  is compatible with any client version that uses Named Tunnels.
  To get started, visit our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas).
 - `cloudflared tunnel ingress validate` will now warn about unused keys in your config file. This is helpful for
  detecting typos in your config.
 - If `cloudflared` detects it is running inside a Linux container, it will limit itself to use only the number of CPUs
  the pod has been granted, instead of trying to use every CPU available.
 ## 2021.4.0
 ### Bug Fixes
 - Fixed proxying of websocket requests to avoid possibility of losing initial frames that were sent in the same TCP
  packet as response headers [#345](https://github.com/cloudflare/cloudflared/issues/345).
 - `proxy-dns` option now works in conjunction with running a named tunnel [#346](https://github.com/cloudflare/cloudflared/issues/346).
 ## 2021.3.6
 ### Bug Fixes
 - Reverted 2021.3.5 improvement to use HTTP/2 in a best-effort manner between cloudflared and origin services because
  it was found to break in some cases.
 ## 2021.3.5
 ### Improvements
 - HTTP/2 transport is now always chosen if origin server supports it and the service url scheme is HTTPS.
   This was previously done in a best attempt manner.
 ### Bug Fixes
 - The MacOS binaries were not successfully released in 2021.3.3 and 2021.3.4. This release is aimed at addressing that.
 ## 2021.3.3
 ### Improvements
 - Tunnel create command, as well as, running ad-hoc tunnels using `cloudflared tunnel -name NAME`, will not overwrite
  existing files when writing tunnel credentials.
 ### Bug Fixes
 - Tunnel create and delete commands no longer use path to credentials from the configuration file.
  If you need ot place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
 - Access ssh-gen creates properly named keys for SSH short lived certs.
 ## 2021.3.2
 ### New Features
 - It is now possible to obtain more detailed information about the cloudflared connectors to Cloudflare Edge via
  `cloudflared tunnel info <name/uuid>`. It is possible to sort the output as well as output in different formats,
  such as: `cloudflared tunnel info --sort-by version --invert-sort --output json <name/uuid>`.
  You can obtain more information via `cloudflared tunnel info --help`.
 ### Bug Fixes
 - Don't look for configuration file in default paths when `--config FILE` flag is present after `tunnel` subcommand.
 - cloudflared access token command now functions correctly with the new token-per-app change from 2021.3.0.
 ## 2021.3.0
 ### New Features
 - [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) specific commands
  now show up in the `cloudflared tunnel route --help` output.
 - There is a new ingress type that allows cloudflared to proxy SOCKS5 as a bastion. You can use it with an ingress
  rule by adding `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only
  if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address
  within it:
 ```
 ingress:
  - hostname: socks.example.com
    service: socks-proxy
    originRequest:
      ipRules:
        - prefix: 192.168.1.8/32
          allow: false
        - prefix: 192.168.1.0/24
          ports: [80, 443]
          allow: true
 ```
 ### Improvements
 - Nested commands, such as `cloudflared tunnel run`, now consider CLI arguments even if they appear earlier on the
  command. For instance, `cloudflared --config config.yaml tunnel run` will now behave the same as
  `cloudflared tunnel --config config.yaml run`
 - Warnings are now shown in the output logs whenever cloudflared is running without the most recent version and
  `no-autoupdate` is `true`.
 - Access tokens are now stored per Access App instead of per request path. This decreases the number of times that the
  user is required to authenticate with an Access policy redundantly.
 ### Bug Fixes
 - GitHub [PR #317](https://github.com/cloudflare/cloudflared/issues/317) was broken in 2021.2.5 and is now fixed again.
 ## 2021.2.5
 ### New Features
 - We introduce [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) in
  beta mode. Cloudflare customer can now connect users and private networks with RFC 1918 IP addresses via the
  Cloudflare edge network. Users running Cloudflare WARP client in the same organization can connect to the services
  made available by Argo Tunnel IP routes. Please share your feedback in the GitHub issue tracker.
 ## 2021.2.4
 ### Bug Fixes
 - Reverts the Improvement released in 2021.2.3 for CLI arguments as it introduced a regression where cloudflared failed
  to read URLs in configuration files.
 - cloudflared now logs the reason for failed connections if the error is recoverable.
 ## 2021.2.3
-
+ 
 ### Backward Incompatible Changes
-
+[db-connect] Removes db-connect from `cloudflared`. The Cloudflare Workers product will continue to support db-connect implementations with versions of `cloudflared` that predate this release and include support for db-connect.
- Removes db-connect. The Cloudflare Workers product will continue to support db-connect implementations with versions
+ 
  of cloudflared that predate this release and include support for db-connect.
 ### New Features
-
+[TCP connects] Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318)
- Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318).
+ 
 ### Improvements
-
+[command line interface] Nested commands (such as cloudflared tunnel run) now consider CLI arguments even if they appear earlier in the command. E.g. `cloudflared --config config.yaml tunnel run` will now behave similarly to `cloudflared tunnel --config config.yaml run`
- (reverted) Nested command line argument handling.
+ 
 ### Bug Fixes
 [dns-proxy] The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared exhausting CPU usage when faced with connectivity issues.
 - The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared
  exhausting CPU usage when faced with connectivity issues.
--- a/23
+++ b/23
@ -1,15 +1,11 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.9 AS builder
+FROM golang:1.15.7 as builder
 ENV GO111MODULE=on \
-  CGO_ENABLED=0 \
+    CGO_ENABLED=0 \
-  TARGET_GOOS=${TARGET_GOOS} \
+    TARGET_GOOS=${TARGET_GOOS} \
-  TARGET_GOARCH=${TARGET_GOARCH} \
+    TARGET_GOARCH=${TARGET_GOARCH}
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
@ -20,18 +16,13 @@ COPY . .
 RUN make cloudflared
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian12:nonroot
+FROM gcr.io/distroless/base-debian10:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
-# run as nonroot user
+# run as non-privileged user
-# We need to use numeric user id's because Kubernetes doesn't support strings:
+USER nonroot
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,33 +0,0 @@
 # use a builder image for building cloudflare
 FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 # compile cloudflared
 RUN GOOS=linux GOARCH=amd64 make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian12:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as nonroot user
 # We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,33 +0,0 @@
 # use a builder image for building cloudflare
 FROM golang:1.24.9 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
  # which changes how cloudflared binds the metrics server
  CONTAINER_BUILD=1
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 # compile cloudflared
 RUN GOOS=linux GOARCH=arm64 make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian12:nonroot-arm64
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as nonroot user
 # We need to use numeric user id's because Kubernetes doesn't support strings:
 # https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/313
+++ b/313
@ -1,202 +1,155 @@
 SERVICES AGREEMENT
-                                 Apache License
+Your installation of this software is symbol of your signature indicating that
-                           Version 2.0, January 2004
+you accept the terms of this Services Agreement (this "Agreement").  This
-                        http://www.apache.org/licenses/
+Agreement is a legal agreement between you (either an individual or a single
 entity) and CloudFlare, Inc. for the services being provided to you by
 CloudFlare or its authorized representative (the "Services"), including any
 computer software and any associated media, printed materials, and "online" or
 electronic documentation provided in connection with the Services (the
 "Software" and together with the Services are hereinafter collectively referred
 to as the "Solution").  If the user is not an individual, then "you" means your
 company, its officers, members, employees, agents, representatives, successors
 and assigns.  BY USING THE SOLUTION, YOU ARE INDICATING THAT YOU HAVE READ, AND
 AGREE TO BE BOUND BY, THE POLICIES, TERMS, AND CONDITIONS SET FORTH BELOW IN
 THEIR ENTIRETY WITHOUT LIMITATION OR QUALIFICATION, AS WELL AS BY ALL APPLICABLE
 LAWS AND REGULATIONS, AS IF YOU HAD HANDWRITTEN YOUR NAME ON A CONTRACT.  IF YOU
 DO NOT AGREE TO THESE TERMS AND CONDITIONS, YOU MAY NOT USE THE SOLUTION.
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+1.    GRANT OF RIGHTS
-   1. Definitions.
+1.1	Grant of License.  The Solution is licensed by CloudFlare and its
 licensors, not sold.  Subject to the terms and conditions of this Agreement,
 CloudFlare hereby grants you a nonexclusive, nonsublicensable, nontransferable
 license to use the Solution.  You may examine source code, if provided to you,
 solely for the limited purpose of evaluating the Software for security flaws.
 You may also use the Service to create derivative works which are exclusively
 compatible with any CloudFlare product serviceand no other product or service.
 This license applies to the parts of the Solution developed by CloudFlare.  The
 Solution may also incorporate externally maintained libraries and other open software.
 These resources may be governed by other licenses.
-      "License" shall mean the terms and conditions for use, reproduction,
+1.2	Restrictions.  The license granted herein is granted solely to you and
-      and distribution as defined by Sections 1 through 9 of this document.
+not, by implication or otherwise, to any of your parents, subsidiaries or
 affiliates.  No right is granted hereunder to use the Solution to perform
 services for third parties. All rights not expressly granted hereunder are
 reserved to CloudFlare.  You may not use the Solution except as explicitly
 permitted under this Agreement.  You are expressly prohibited from modifying,
 adapting, translating, preparing derivative works from, decompiling, reverse
 engineering, disassembling or otherwise attempting to derive source code from
 the Software used to provide the Services or any internal data files generated
 by the Solution.  You are also prohibited from removing, obscuring or altering
 any copyright notice, trademarks, or other proprietary rights notices affixed to
 or associated with the Solution.
-      "Licensor" shall mean the copyright owner or entity authorized by
+1.3	Ownership.  As between the parties, CloudFlare and/or its licensors own
-      the copyright owner that is granting the License.
+and shall retain all right, title, and interest in and to the Solution,
 including any and all technology embodied therein, including all copyrights,
 patents, trade secrets, trade dress and other proprietary rights associated
 therewith, and any derivative works created there from.
-      "Legal Entity" shall mean the union of the acting entity and all
+2.	LIMITATION OF LIABILITY
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
-      "You" (or "Your") shall mean an individual or Legal Entity
+YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT DOWNLOADING THE SOFTWARE IS AT YOUR
-      exercising permissions granted by this License.
+SOLE RISK.  THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND
 AND CLOUDFLARE, ITS LICENSORS AND ITS AUTHORIZED REPRESENTATIVES (TOGETHER FOR
 PURPOSES HEREOF, "CLOUDFLARE") EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS OR
 IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  CLOUDFLARE DOES NOT
 WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR
 REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR
 ERROR-FREE, OR THAT DEFECTS IN THE SOFTWARE WILL BE CORRECTED.  FURTHERMORE,
 CLOUDFLARE DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE SOFTWARE
 OR RELATED DOCUMENTATION IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY,
 OR OTHERWISE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CLOUDFLARE SHALL
 CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY.
-      "Source" form shall mean the preferred form for making modifications,
+3.	CONFIDENTIALITY
      including but not limited to software source code, documentation
      source, and configuration files.
-      "Object" form shall mean any form resulting from mechanical
+It may be necessary during the set up and performance of the Solution for the
-      transformation or translation of a Source form, including but
+parties to exchange Confidential Information. "Confidential Information" means
-      not limited to compiled object code, generated documentation,
+any information whether oral, or written, of a private, secret, proprietary or
-      and conversions to other media types.
+confidential nature, concerning either party or its business operations,
 including without limitation: (a) your data and (b) CloudFlare's access control
 systems, specialized network equipment and techniques related to the Solution,
 use policies, which include trade secrets of CloudFlare and its licensors. Each
 party agrees to use the same degree of care to protect the confidentiality of
 the Confidential Information of the other party and to prevent its unauthorized
 use or dissemination as it uses to protect its own Confidential Information of a
 similar nature, but in no event shall exercise less than due diligence and
 reasonable care. Each party agrees to use the Confidential Information of the
 other party only for purposes related to the performance of this Agreement. All
 Confidential Information remains the property of the party disclosing the
 information and no license or other rights to Confidential Information is
 granted or implied hereby.
-      "Work" shall mean the work of authorship, whether in Source or
+4.	TERM AND TERMINATION
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
-      "Derivative Works" shall mean any work, whether in Source or Object
+4.1	Term.  This Agreement shall be effective upon download or install of the
-      form, that is based on (or derived from) the Work and for which the
+Software.
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
-      "Contribution" shall mean any work of authorship, including
+4.2	Termination. This Agreement may be terminated by CloudFlare or its
-      the original version of the Work and any modifications or additions
+authorized representative by written notice to you if any of the following
-      to that Work or Derivative Works thereof, that is intentionally
+events occur:  (i) you fail to pay any amounts due for the Services and the
-      submitted to Licensor for inclusion in the Work by the copyright owner
+Solution when due and after written notice of such nonpayment has been given to
-      or by an individual or Legal Entity authorized to submit on behalf of
+you; (ii) you are in material breach of any term, condition, or provision of
-      the copyright owner. For the purposes of this definition, "submitted"
+this Agreement or any other agreement executed by you with CloudFlare or its
-      means any form of electronic, verbal, or written communication sent
+authorized representative in connection with the provision of the Solution and
-      to the Licensor or its representatives, including but not limited to
+Services (a "Related Agreement"); or (iii) you terminate or suspend your
-      communication on electronic mailing lists, source code control systems,
+business, becomes subject to any bankruptcy or insolvency proceeding under
-      and issue tracking systems that are managed by, or on behalf of, the
+federal or state statutes, or become insolvent or subject to direct control by a
-      Licensor for the purpose of discussing and improving the Work, but
+trustee, receiver or similar authority.
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
-      "Contributor" shall mean Licensor and any individual or Legal Entity
+4.3	Effect of Termination.  Upon the termination of this Agreement for any
-      on behalf of whom a Contribution has been received by Licensor and
+reason: (1) all license rights granted hereunder shall terminate and (2) all
-      subsequently incorporated within the Work.
+Confidential Information shall be returned to the disclosing party or destroyed.
-   2. Grant of Copyright License. Subject to the terms and conditions of
+5.	MISCELLANEOUS
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
-   3. Grant of Patent License. Subject to the terms and conditions of
+5.1	Assignment.  You may not assign any of your rights or delegate any of
-      this License, each Contributor hereby grants to You a perpetual,
+your obligations under this Agreement, whether by operation of law or otherwise,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+without the prior express written consent of CloudFlare or its authorized
-      (except as stated in this section) patent license to make, have made,
+representative.  Any such assignment without the prior express written consent
-      use, offer to sell, sell, import, and otherwise transfer the Work,
+of CloudFlare or its authorized representative shall be void.  Subject to the
-      where such license applies only to those patent claims licensable
+foregoing, this Agreement will bind and inure to the benefit of the parties,
-      by such Contributor that are necessarily infringed by their
+their respective successors and permitted assigns.
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
-   4. Redistribution. You may reproduce and distribute copies of the
+5.2	Waiver and Amendment.  No modification, amendment or waiver of any
-      Work or Derivative Works thereof in any medium, with or without
+provision of this Agreement shall be effective unless in writing and signed by
-      modifications, and in Source or Object form, provided that You
+the party to be charged.  No failure or delay by either party in exercising any
-      meet the following conditions:
+right, power, or remedy under this Agreement, except as specifically provided
 herein, shall operate as a waiver of any such right, power or remedy.  Without
 limiting the foregoing, terms and conditions on any purchase orders or similar
 materials submitted by you to CloudFlare or its authorized representative shall
 be of no force or effect.
-      (a) You must give any other recipients of the Work or
+5.3	Governing Law.  This Agreement shall be governed by the laws of the State
-          Derivative Works a copy of this License; and
+of California, USA, excluding conflict of laws and provisions, and excluding the
 United Nations Convention on Contracts for the International Sale of Goods.
-      (b) You must cause any modified files to carry prominent notices
+5.4	Notices.  All notices, demands or consents required or permitted under
-          stating that You changed the files; and
+this Agreement shall be in writing.  Notice shall be sent to you at the e-mail
 address provided by you to CloudFlare or its authorized representative in
 connection with the Solution.
-      (c) You must retain, in the Source form of any Derivative Works
+5.5	Independent Contractors. The parties are independent contractors.
-          that You distribute, all copyright, patent, trademark, and
+Neither party shall be deemed to be an employee, agent, partner or legal
-          attribution notices from the Source form of the Work,
+representative of the other for any purpose and neither shall have any right,
-          excluding those notices that do not pertain to any part of
+power or authority to create any obligation or responsibility on behalf of the
-          the Derivative Works; and
+other.
-      (d) If the Work includes a "NOTICE" text file as part of its
+5.6	Severability.  If any provision of this Agreement is held by a court of
-          distribution, then any Derivative Works that You distribute must
+competent jurisdiction to be contrary to law, such provision shall be changed
-          include a readable copy of the attribution notices contained
+and interpreted so as to best accomplish the objectives of the original
-          within such NOTICE file, excluding those notices that do not
+provision to the fullest extent allowed by law and the remaining provisions of
-          pertain to any part of the Derivative Works, in at least one
+this Agreement shall remain in full force and effect.
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
-      You may add Your own copyright statement to Your modifications and
+5.7	Force Majeure.  CloudFlare shall not be liable to the other party for any
-      may provide additional or different license terms and conditions
+failure or delay in performance caused by reasons beyond its reasonable control.
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
-   5. Submission of Contributions. Unless You explicitly state otherwise,
+5.8	Complete Understanding.  This Agreement and the Related Agreement
-      any Contribution intentionally submitted for inclusion in the Work
+constitute the final, complete and exclusive agreement between the parties with
-      by You to the Licensor shall be under the terms and conditions of
+respect to the subject matter hereof, and supersedes all previous written and
-      this License, without any additional terms or conditions.
+oral agreements and communications related to the subject matter of this
-      Notwithstanding the above, nothing herein shall supersede or modify
+Agreement.  To the extent this Agreement and the Related Agreement conflict,
-      the terms of any separate license agreement you may have executed
+this Agreement shall control.
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
   Copyright [yyyy] [name of copyright owner]
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/337
+++ b/337
@ -1,89 +1,47 @@
-# The targets cannot be run in parallel
+VERSION       := $(shell git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
 .NOTPARALLEL:
 VERSION       := $(shell git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
 #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
 ifeq ($(ORIGINAL_NAME), true)
 	# Used for builds that want FIPS compilation but want the artifacts generated to still have the original name.
 	BINARY_NAME := cloudflared
 else ifeq ($(FIPS), true)
 	# Used for FIPS compliant builds that do not match the case above.
 	BINARY_NAME := cloudflared-fips
 else
 	# Used for all other (non-FIPS) builds.
 	BINARY_NAME := cloudflared
 endif
 ifeq ($(NIGHTLY), true)
 	DEB_PACKAGE_NAME := $(BINARY_NAME)-nightly
 	NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
 else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
 # Use git in windows since we don't have access to the `date` tool
 ifeq ($(TARGET_OS), windows)
 	DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
 else
 	DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
 endif
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
 ifdef CONTAINER_BUILD
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
 endif
 LINK_FLAGS :=
 ifeq ($(FIPS), true)
-	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
+	GO_BUILD_TAGS := $(GO_BUILD_TAGS) fips
 	# Prevent linking with libc regardless of CGO enabled or not.
 	GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "main.BuildType=FIPS"
 endif
 LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
 ifneq ($(GO_BUILD_TAGS),)
-	GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
+	GO_BUILD_TAGS := -tags $(GO_BUILD_TAGS)
 endif
-ifeq ($(debug), 1)
+DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
-	GO_BUILD_TAGS += -gcflags="all=-N -l"
+VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
 endif
-IMPORT_PATH    := github.com/cloudflare/cloudflared
+IMPORT_PATH   := github.com/cloudflare/cloudflared
-PACKAGE_DIR    := $(CURDIR)/packaging
+PACKAGE_DIR   := $(CURDIR)/packaging
-PREFIX         := /usr
+INSTALL_BINDIR := /usr/bin/
-INSTALL_BINDIR := $(PREFIX)/bin/
+MAN_DIR := /usr/share/man/man1/
-INSTALL_MANDIR := $(PREFIX)/share/man/man1/
+
 EQUINOX_FLAGS = --version="$(VERSION)" \
 	--platforms="$(EQUINOX_BUILD_PLATFORMS)" \
 	--app="$(EQUINOX_APP_ID)" \
 	--token="$(EQUINOX_TOKEN)" \
 	--channel="$(EQUINOX_CHANNEL)"
 ifeq ($(EQUINOX_IS_DRAFT), true)
 	EQUINOX_FLAGS := --draft $(EQUINOX_FLAGS)
 endif
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
    TARGET_ARCH ?= $(GOARCH)
 else ifeq ($(LOCAL_ARCH),x86_64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),386)
    TARGET_ARCH ?= 386
 else ifeq ($(LOCAL_ARCH),i686)
    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
    TARGET_ARCH ?= arm64
 else ifeq ($(LOCAL_ARCH),aarch64)
    TARGET_ARCH ?= arm64
 else ifeq ($(LOCAL_ARCH),arm64)
    TARGET_ARCH ?= arm64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)
    TARGET_ARCH ?= arm
 else ifeq ($(LOCAL_ARCH),s390x)
    TARGET_ARCH ?= s390x
 else
    $(error This system's architecture $(LOCAL_ARCH) isn't supported)
 endif
@ -97,16 +55,14 @@ else ifeq ($(LOCAL_OS),windows)
    TARGET_OS ?= windows
 else ifeq ($(LOCAL_OS),freebsd)
    TARGET_OS ?= freebsd
 else ifeq ($(LOCAL_OS),openbsd)
    TARGET_OS ?= openbsd
 else
    $(error This system's OS $(LOCAL_OS) isn't supported)
 endif
 ifeq ($(TARGET_OS), windows)
-	EXECUTABLE_PATH=./$(BINARY_NAME).exe
+	EXECUTABLE_PATH=./cloudflared.exe
 else
-	EXECUTABLE_PATH=./$(BINARY_NAME)
+	EXECUTABLE_PATH=./cloudflared
 endif
 ifeq ($(FLAVOR), centos-7)
@ -115,21 +71,6 @@ else
 	TARGET_PUBLIC_REPO ?= $(FLAVOR)
 endif
 ifneq ($(TARGET_ARM), )
 	ARM_COMMAND := GOARM=$(TARGET_ARM)
 endif
 ifeq ($(TARGET_ARM), 7)
 	PACKAGE_ARCH := armhf
 else
 	PACKAGE_ARCH := $(TARGET_ARCH)
 endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 GO_TEST_LOG_OUTPUT = /tmp/gotest.log
 .PHONY: all
 all: cloudflared test
@ -137,155 +78,167 @@ all: cloudflared test
 clean:
 	go clean
 .PHONY: vulncheck
 vulncheck:
 	@./.ci/scripts/vuln-check.sh
 .PHONY: cloudflared
-cloudflared:
+cloudflared: tunnel-deps
-ifeq ($(FIPS), true)
+	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(GO_BUILD_TAGS) $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
 	$(info Building cloudflared with go-fips)
 endif
 	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
 ifeq ($(FIPS), true)
 	./check-fips.sh cloudflared
 endif
 .PHONY: container
 container:
 	docker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):"$(VERSION)" .
 .PHONY: generate-docker-version
 generate-docker-version:
 	echo latest $(VERSION) > versions
 .PHONY: test
 test: vet
-	$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT)
+ifndef CI
-ifneq ($(FIPS), true)
+	go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
-	@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT)
+else
 	@mkdir -p .cover
 	go test -v -mod=vendor -race $(VERSION_FLAGS) -coverprofile=".cover/c.out" ./...
 	go tool cover -html ".cover/c.out" -o .cover/all.html
 endif
-.PHONY: cover
+.PHONY: test-ssh-server
-cover:
+test-ssh-server:
-	@echo ""
+	docker-compose -f ssh_server_tests/docker-compose.yml up
 	@echo "=====> Total test coverage: <====="
 	@echo ""
 	# Print the overall coverage here for quick access.
 	$Q go tool cover -func ".cover/c.out" | grep "total:" | awk '{print $$3}'
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
-.PHONY: fuzz
+define publish_package
-fuzz:
+	for HOST in $(CF_PKG_HOSTS); do \
-	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
+		ssh-keyscan -t rsa $$HOST >> ~/.ssh/known_hosts; \
-	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
+		scp -4 cloudflared*.$(1) cfsync@$$HOST:/state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/cloudflared/; \
-	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
+		ssh cfsync@$$HOST 'chmod g+w /state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/cloudflared/*.$(1)'; \
-	@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3
+	done
-	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
+endef
 	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
 	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
 	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
-cloudflared.1: cloudflared_man_template
+.PHONY: publish-deb
-	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
+publish-deb: cloudflared-deb
 	$(call publish_package,deb,apt)
-install: cloudflared cloudflared.1
+.PHONY: publish-rpm
-	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
+publish-rpm: cloudflared-rpm
-	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
+	$(call publish_package,rpm,yum)
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
 # When we build packages, the package name will be FIPS-aware.
 # But we keep the binary installed by it to be named "cloudflared" regardless.
 define build_package
 	mkdir -p $(PACKAGE_DIR)
 	cp cloudflared $(PACKAGE_DIR)/cloudflared
-	cp cloudflared.1 $(PACKAGE_DIR)/cloudflared.1
+	cat cloudflared_man_template | sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' > $(PACKAGE_DIR)/cloudflared.1
-	fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
+	fakeroot fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
-		--description 'Cloudflare Tunnel daemon' \
+		--description 'Cloudflare Argo tunnel daemon' \
 		--vendor 'Cloudflare' \
-		--license 'Apache License Version 2.0' \
+		--license 'Cloudflare Service Agreement' \
 		--url 'https://github.com/cloudflare/cloudflared' \
 		-m 'Cloudflare <support@cloudflare.com>' \
-	    -a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(RPM_DIGEST) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
+		-a $(TARGET_ARCH) -v $(VERSION) -n cloudflared --after-install postinst.sh --after-remove postrm.sh \
-		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(INSTALL_MANDIR)
+		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(MAN_DIR)
 endef
 .PHONY: cloudflared-deb
-cloudflared-deb: cloudflared cloudflared.1
+cloudflared-deb: cloudflared
 	$(call build_package,deb)
 .PHONY: cloudflared-rpm
-cloudflared-rpm: cloudflared cloudflared.1
+cloudflared-rpm: cloudflared
 	$(call build_package,rpm)
-.PHONY: cloudflared-msi
+.PHONY: cloudflared-darwin-amd64.tgz
-cloudflared-msi:
+cloudflared-darwin-amd64.tgz: cloudflared
-	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
+	tar czf cloudflared-darwin-amd64.tgz cloudflared
 	rm cloudflared
-.PHONY: github-release-dryrun
+.PHONY: cloudflared-junos
-github-release-dryrun:
+cloudflared-junos: cloudflared jetez-certificate.pem jetez-key.pem
-	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
+	jetez --source . \
 		  -j jet.yaml \
 		  --key jetez-key.pem \
 		  --cert jetez-certificate.pem \
 		  --version $(VERSION)
 	rm jetez-*.pem
 jetez-certificate.pem:
 ifndef JETEZ_CERT
 	$(error JETEZ_CERT not defined)
 endif
 	@echo "Writing JetEZ certificate"
 	@echo "$$JETEZ_CERT" > jetez-certificate.pem
 jetez-key.pem:
 ifndef JETEZ_KEY
 	$(error JETEZ_KEY not defined)
 endif
 	@echo "Writing JetEZ key"
 	@echo "$$JETEZ_KEY" > jetez-key.pem
 .PHONY: publish-cloudflared-junos
 publish-cloudflared-junos: cloudflared-junos cloudflared-x86-64.latest.s3
 ifndef S3_ENDPOINT
 	$(error S3_HOST not defined)
 endif
 ifndef S3_URI
 	$(error S3_URI not defined)
 endif
 ifndef S3_ACCESS_KEY
 	$(error S3_ACCESS_KEY not defined)
 endif
 ifndef S3_SECRET_KEY
 	$(error S3_SECRET_KEY not defined)
 endif
 	sha256sum cloudflared-x86-64-$(VERSION).tgz | awk '{printf $$1}' > cloudflared-x86-64-$(VERSION).tgz.shasum
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 		put cloudflared-x86-64-$(VERSION).tgz $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 		put cloudflared-x86-64-$(VERSION).tgz.shasum $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz.shasum
 	dpkg --compare-versions "$(VERSION)" gt "$(shell cat cloudflared-x86-64.latest.s3)" && \
 		echo -n "$(VERSION)" > cloudflared-x86-64.latest && \
 		s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
 			put cloudflared-x86-64.latest $(S3_URI)/cloudflared-x86-64.latest || \
 		echo "Latest version not updated"
 cloudflared-x86-64.latest.s3:
 	s4cmd --endpoint-url $(S3_ENDPOINT) --force \
 		get $(S3_URI)/cloudflared-x86-64.latest cloudflared-x86-64.latest.s3
 .PHONY: homebrew-upload
 homebrew-upload: cloudflared-darwin-amd64.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $$^ $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz  $(S3_URI)/cloudflared-stable-$1.tgz
 .PHONY: homebrew-release
 homebrew-release: homebrew-upload
 	./publish-homebrew-formula.sh cloudflared-darwin-amd64.tgz $(VERSION) homebrew-cloudflare
 .PHONY: release
 release: bin/equinox
 	bin/equinox release $(EQUINOX_FLAGS) -- $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
 .PHONY: github-release
-github-release:
+github-release: cloudflared
-	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
+	python3 github_release.py --path $(EXECUTABLE_PATH) --release-version $(VERSION)
 .PHONY: github-message
 github-message:
 	python3 github_message.py --release-version $(VERSION)
-.PHONY: r2-linux-release
+.PHONY: github-mac-upload
-r2-linux-release:
+github-mac-upload:
-	python3 ./release_pkgs.py
+	python3 github_release.py --path artifacts/cloudflared-darwin-amd64.tgz --release-version $(VERSION) --name cloudflared-darwin-amd64.tgz
 	python3 github_release.py --path artifacts/cloudflared-amd64.pkg --release-version $(VERSION) --name cloudflared-amd64.pkg
-.PHONY: r2-next-linux-release
+bin/equinox:
-# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
+	mkdir -p bin
-r2-next-linux-release:
+	curl -s https://bin.equinox.io/c/75JtLRTsJ3n/release-tool-beta-$(EQUINOX_PLATFORM).tgz | tar xz -C bin/
 	python3 ./release_pkgs.py --upload-repo-file
-.PHONY: capnp
+.PHONY: tunnel-deps
-capnp:
+tunnel-deps: tunnelrpc/tunnelrpc.capnp.go
 tunnelrpc/tunnelrpc.capnp.go: tunnelrpc/tunnelrpc.capnp
 	which capnp  # https://capnproto.org/install.html
-	which capnpc-go  # go install zombiezen.com/go/capnproto2/capnpc-go@latest
+	which capnpc-go  # go get zombiezen.com/go/capnproto2/capnpc-go
-	capnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp
+	capnp compile -ogo tunnelrpc/tunnelrpc.capnp
 .PHONY: vet
 vet:
-	$Q go vet -mod=vendor github.com/cloudflare/cloudflared/...
+	go vet -mod=vendor ./...
 	which go-sumtype  # go get github.com/BurntSushi/go-sumtype
 	go-sumtype $$(go list -mod=vendor ./...)
-.PHONY: fmt
+.PHONY: msi
-fmt:
+msi: cloudflared
-	@goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
+	go-msi make --msi cloudflared.msi --version $(MSI_VERSION)
 	@go fmt $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
 .PHONY: fmt-check
 fmt-check:
 	@./.ci/scripts/fmt-check.sh
 .PHONY: lint
 lint:
 	@golangci-lint run
 .PHONY: mocks
 mocks:
 	go generate mocks/mockgen.go
 .PHONY: ci-build
 ci-build:
 	@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-fips-build
 ci-fips-build:
 	@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
 	@mkdir -p artifacts
 	@mv cloudflared artifacts/cloudflared
 .PHONY: ci-test
 ci-test: fmt-check lint test
 	@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
 .PHONY: ci-fips-test
 ci-fips-test:
 	@FIPS=true $(MAKE) ci-test
--- a/README.md
+++ b/README.md
@ -1,82 +1,43 @@
-# Cloudflare Tunnel client
+# Argo Tunnel client
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
 Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
 You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
 Contains the command-line client for Argo Tunnel, a tunneling daemon that proxies any local webserver through the Cloudflare network. Extensive documentation can be found in the [Argo Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
 ## Before you get started
-Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
+Before you use Argo Tunnel, you'll need to complete a few steps in the Cloudflare dashboard. The website you add to Cloudflare will be used to route traffic to your Tunnel.
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
 1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
 2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
 1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
 2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
 ## Installing `cloudflared`
-Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
+Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases here on the `cloudflared` GitHub repository.
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
 * To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
 User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
 User documentation for Argo Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 ## Creating Tunnels and routing traffic
-Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
+Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels that serve traffic for hostnames in your account.
 * Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
 * Route traffic to that Tunnel:
  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
 * Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
 * Route traffic to that Tunnel with [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns) or with a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
+Want to test Argo Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/trycloudflare).
 ## Deprecated versions
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
+Cloudflare currently supports all versions of `cloudflared`. Starting on March 20, 2021, Cloudflare will no longer support versions released prior to 2020.5.1.
-For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
+All features available in versions released prior to 2020.5.1 are available in current versions. Breaking changes unrelated to feature availability may be introduced that will impact versions released prior to 2020.5.1. You can read more about upgrading `cloudflared` in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#updating-cloudflared).
-## Development
+| Version(s) | Deprecation status |
-
+|---|---|
-### Requirements
+| 2020.5.1 and later | Supported |
- [GNU Make](https://www.gnu.org/software/make/)
+| Versions prior to 2020.5.1 | Will no longer be supported starting March 20, 2021 |
 - [capnp](https://capnproto.org/install.html)
 - [go >= 1.24](https://go.dev/doc/install)
 - Optional tools:
  - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
  - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
  - [golangci-lint](https://github.com/golangci/golangci-lint)
  - [gomocks](https://pkg.go.dev/go.uber.org/mock)
 ### Build
 To build cloudflared locally run `make cloudflared`
 ### Test
 To locally run the tests run `make test`
 ### Linting
 To format the code and keep a good code quality use `make fmt` and `make lint`
 ### Mocks
 After changes on interfaces you might need to regenerate the mocks, so run `make mock`
--- a/1210
+++ b/1210
--- a/buffer/pool.go
+++ b/buffer/pool.go
@ -0,0 +1,29 @@
 package buffer
 import (
 	"sync"
 )
 type Pool struct {
 	// A Pool must not be copied after first use.
 	// https://golang.org/pkg/sync/#Pool
 	buffers sync.Pool
 }
 func NewPool(bufferSize int) *Pool {
 	return &Pool{
 		buffers: sync.Pool{
 			New: func() interface{} {
 				return make([]byte, bufferSize)
 			},
 		},
 	}
 }
 func (p *Pool) Get() []byte {
 	return p.buffers.Get().([]byte)
 }
 func (p *Pool) Put(buf []byte) {
 	p.buffers.Put(buf)
 }
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -1,53 +1,47 @@
-// Package carrier provides a WebSocket proxy to carry or proxy a connection
+//Package carrier provides a WebSocket proxy to carry or proxy a connection
-// from the local client to the edge. See it as a wrapper around any protocol
+//from the local client to the edge. See it as a wrapper around any protocol
-// that it packages up in a WebSocket connection to the edge.
+//that it packages up in a WebSocket connection to the edge.
 package carrier
 import (
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
 	"github.com/cloudflare/cloudflared/h2mux"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/token"
 )
-const (
+const LogFieldOriginURL = "originURL"
 	LogFieldOriginURL       = "originURL"
 	CFAccessTokenHeader     = "Cf-Access-Token"
 	cfJumpDestinationHeader = "Cf-Access-Jump-Destination"
 )
 type StartOptions struct {
-	AppInfo               *token.AppInfo
+	OriginURL string
-	OriginURL             string
+	Headers   http.Header
 	Headers               http.Header
 	Host                  string
 	TLSClientConfig       *tls.Config
 	AutoCloseInterstitial bool
 	IsFedramp             bool
 }
 // Connection wraps up all the needed functions to forward over the tunnel
 type Connection interface {
 	// ServeStream is used to forward data from the client to the edge
 	ServeStream(*StartOptions, io.ReadWriter) error
 	// StartServer is used to listen for incoming connections from the edge to the origin
 	StartServer(net.Listener, string, <-chan struct{}) error
 }
 // StdinoutStream is empty struct for wrapping stdin/stdout
 // into a single ReadWriter
-type StdinoutStream struct{}
+type StdinoutStream struct {
 }
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
 	return os.Stdin.Read(p)
 }
 // Write will write to Stdout
@ -55,7 +49,7 @@ func (c *StdinoutStream) Write(p []byte) (int, error) {
 	return os.Stdout.Write(p)
 }
-// Helper to allow deferring the response close with a check that the resp is not nil
+// Helper to allow defering the response close with a check that the resp is not nil
 func closeRespBody(resp *http.Response) {
 	if resp != nil {
 		_ = resp.Body.Close()
@ -126,7 +120,7 @@ func IsAccessResponse(resp *http.Response) bool {
 	if err != nil || location == nil {
 		return false
 	}
-	if strings.HasPrefix(location.Path, token.AccessLoginWorkerPath) {
+	if strings.HasPrefix(location.Path, "/cdn-cgi/access/login") {
 		return true
 	}
@ -140,7 +134,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}
-	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, log)
 	if err != nil {
 		return nil, err
 	}
@ -151,7 +145,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 	if err != nil {
 		return nil, err
 	}
-	originRequest.Header.Set(CFAccessTokenHeader, token)
+	originRequest.Header.Set(h2mux.CFAccessTokenHeader, token)
 	for k, v := range options.Headers {
 		if len(v) >= 1 {
@ -161,26 +155,3 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 	return originRequest, nil
 }
 func SetBastionDest(header http.Header, destination string) {
 	if destination != "" {
 		header.Set(cfJumpDestinationHeader, destination)
 	}
 }
 func ResolveBastionDest(r *http.Request) (string, error) {
 	jumpDestination := r.Header.Get(cfJumpDestinationHeader)
 	if jumpDestination == "" {
 		return "", fmt.Errorf("Did not receive final destination from client. The --destination flag is likely not set on the client side")
 	}
 	// Strip scheme and path set by client. Without a scheme
 	// Parsing a hostname and path without scheme might not return an error due to parsing ambiguities
 	if jumpURL, err := url.Parse(jumpDestination); err == nil && jumpURL.Host != "" {
 		return removePath(jumpURL.Host), nil
 	}
 	return removePath(jumpDestination), nil
 }
 func removePath(dest string) string {
 	return strings.SplitN(dest, "/", 2)[0]
 }
--- a/carrier/carrier_test.go
+++ b/carrier/carrier_test.go
@ -44,7 +44,7 @@ func (s *testStreamer) Write(p []byte) (int, error) {
 func TestStartClient(t *testing.T) {
 	message := "Good morning Austin! Time for another sunny day in the great state of Texas."
 	log := zerolog.Nop()
-	wsConn := NewWSConnection(&log)
+	wsConn := NewWSConnection(&log, false)
 	ts := newTestWebSocketServer()
 	defer ts.Close()
@ -70,7 +70,7 @@ func TestStartServer(t *testing.T) {
 	message := "Good morning Austin! Time for another sunny day in the great state of Texas."
 	log := zerolog.Nop()
 	shutdownC := make(chan struct{})
-	wsConn := NewWSConnection(&log)
+	wsConn := NewWSConnection(&log, false)
 	ts := newTestWebSocketServer()
 	defer ts.Close()
 	options := &StartOptions{
@ -81,8 +81,7 @@ func TestStartServer(t *testing.T) {
 	go func() {
 		err := Serve(wsConn, listener, shutdownC, options)
 		if err != nil {
-			t.Errorf("Error running server: %v", err)
+			t.Fatalf("Error running server: %v", err)
 			return
 		}
 	}()
@ -156,99 +155,3 @@ func testRequest(t *testing.T, url string, stream io.ReadWriter) *http.Request {
 	return req
 }
 func TestBastionDestination(t *testing.T) {
 	tests := []struct {
 		name         string
 		header       http.Header
 		expectedDest string
 		wantErr      bool
 	}{
 		{
 			name: "hostname destination",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"localhost"},
 			},
 			expectedDest: "localhost",
 		},
 		{
 			name: "hostname destination with port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"localhost:9000"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "hostname destination with scheme and port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"ssh://localhost:9000"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "full hostname url",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"ssh://localhost:9000/metrics"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "hostname destination with port and path",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"localhost:9000/metrics"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "ip destination",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"127.0.0.1"},
 			},
 			expectedDest: "127.0.0.1",
 		},
 		{
 			name: "ip destination with port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"127.0.0.1:9000"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "ip destination with port and path",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "ip destination with schem and port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"tcp://127.0.0.1:9000"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "full ip url",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"ssh://127.0.0.1:9000/metrics"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name:    "no destination",
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		r := &http.Request{
 			Header: test.header,
 		}
 		dest, err := ResolveBastionDest(r)
 		if test.wantErr {
 			assert.Error(t, err, "Test %s expects error", test.name)
 		} else {
 			assert.NoError(t, err, "Test %s expects no error, got error %v", test.name, err)
 			assert.Equal(t, test.expectedDest, dest, "Test %s expect dest %s, got %s", test.name, test.expectedDest, dest)
 		}
 	}
 }
--- a/carrier/websocket.go
+++ b/carrier/websocket.go
@ -1,17 +1,18 @@
 package carrier
 import (
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/http/httputil"
-	"net/url"
+
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
 	"github.com/cloudflare/cloudflared/socks"
 	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 	"github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/token"
 	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 )
 // Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
@ -21,10 +22,25 @@ type Websocket struct {
 	isSocks bool
 }
 type wsdialer struct {
 	conn *cfwebsocket.Conn
 }
 func (d *wsdialer) Dial(address string) (io.ReadWriteCloser, *socks.AddrSpec, error) {
 	local, ok := d.conn.LocalAddr().(*net.TCPAddr)
 	if !ok {
 		return nil, nil, fmt.Errorf("not a tcp connection")
 	}
 	addr := socks.AddrSpec{IP: local.IP, Port: local.Port}
 	return d.conn, &addr, nil
 }
 // NewWSConnection returns a new connection object
-func NewWSConnection(log *zerolog.Logger) Connection {
+func NewWSConnection(log *zerolog.Logger, isSocks bool) Connection {
 	return &Websocket{
-		log: log,
+		log:     log,
 		isSocks: isSocks,
 	}
 }
@ -38,49 +54,41 @@ func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) erro
 	}
 	defer wsConn.Close()
-	stream.Pipe(wsConn, conn, ws.log)
+	if ws.isSocks {
 		dialer := &wsdialer{conn: wsConn}
 		requestHandler := socks.NewRequestHandler(dialer)
 		socksServer := socks.NewConnectionHandler(requestHandler)
 		_ = socksServer.Serve(conn)
 	} else {
 		cfwebsocket.Stream(wsConn, conn)
 	}
 	return nil
 }
 // StartServer creates a Websocket server to listen for connections.
 // This is used on the origin (tunnel) side to take data from the muxer and send it to the origin
 func (ws *Websocket) StartServer(listener net.Listener, remote string, shutdownC <-chan struct{}) error {
 	return cfwebsocket.StartProxyServer(ws.log, listener, remote, shutdownC, cfwebsocket.DefaultStreamHandler)
 }
 // createWebsocketStream will create a WebSocket connection to stream data over
 // It also handles redirects from Access and will present that flow if
 // the token is not present on the request
-func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.GorillaConn, error) {
+func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.Conn, error) {
 	req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	req.Header = options.Headers
 	if options.Host != "" {
 		req.Host = options.Host
 	}
 	dump, err := httputil.DumpRequest(req, false)
 	if err != nil {
 		return nil, err
 	}
 	log.Debug().Msgf("Websocket request: %s", string(dump))
-	dialer := &websocket.Dialer{
+	wsConn, resp, err := cfwebsocket.ClientConnect(req, nil)
 		TLSClientConfig: options.TLSClientConfig,
 		Proxy:           http.ProxyFromEnvironment,
 	}
 	wsConn, resp, err := clientConnect(req, dialer)
 	defer closeRespBody(resp)
 	if err != nil && IsAccessResponse(resp) {
 		// Only get Access app info if we know the origin is protected by Access
 		originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 		if err != nil {
 			return nil, err
 		}
 		appInfo, err := token.GetAppInfo(originReq.URL)
 		if err != nil {
 			return nil, err
 		}
 		options.AppInfo = appInfo
 		wsConn, err = createAccessAuthenticatedStream(options, log)
 		if err != nil {
 			return nil, err
@ -89,64 +97,7 @@ func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebso
 		return nil, err
 	}
-	return &cfwebsocket.GorillaConn{Conn: wsConn}, nil
+	return &cfwebsocket.Conn{Conn: wsConn}, nil
 }
 var stripWebsocketHeaders = []string{
 	"Upgrade",
 	"Connection",
 	"Sec-Websocket-Key",
 	"Sec-Websocket-Version",
 	"Sec-Websocket-Extensions",
 }
 // the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,
 // Sec-WebSocket-Version and Sec-Websocket-Extensions headers.
 // https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.
 func websocketHeaders(req *http.Request) http.Header {
 	wsHeaders := make(http.Header)
 	for key, val := range req.Header {
 		wsHeaders[key] = val
 	}
 	// Assume the header keys are in canonical format.
 	for _, header := range stripWebsocketHeaders {
 		wsHeaders.Del(header)
 	}
 	wsHeaders.Set("Host", req.Host) // See TUN-1097
 	return wsHeaders
 }
 // clientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
 // the connection. The response body may not contain the entire response and does
 // not need to be closed by the application.
 func clientConnect(req *http.Request, dialler *websocket.Dialer) (*websocket.Conn, *http.Response, error) {
 	req.URL.Scheme = changeRequestScheme(req.URL)
 	wsHeaders := websocketHeaders(req)
 	if dialler == nil {
 		dialler = &websocket.Dialer{
 			Proxy: http.ProxyFromEnvironment,
 		}
 	}
 	conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)
 	if err != nil {
 		return nil, response, err
 	}
 	return conn, response, nil
 }
 // changeRequestScheme is needed as the gorilla websocket library requires the ws scheme.
 // (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)
 func changeRequestScheme(reqURL *url.URL) string {
 	switch reqURL.Scheme {
 	case "https":
 		return "wss"
 	case "http":
 		return "ws"
 	case "":
 		return "ws"
 	default:
 		return reqURL.Scheme
 	}
 }
 // createAccessAuthenticatedStream will try load a token from storage and make
@ -166,7 +117,11 @@ func createAccessAuthenticatedStream(options *StartOptions, log *zerolog.Logger)
 	}
 	// Access Token is invalid for some reason. Go through regen flow
-	if err := token.RemoveTokenIfExists(options.AppInfo); err != nil {
+	originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	if err := token.RemoveTokenIfExists(originReq.URL); err != nil {
 		return nil, err
 	}
 	wsConn, resp, err = createAccessWebSocketStream(options, log)
@ -186,12 +141,9 @@ func createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*w
 	}
 	dump, err := httputil.DumpRequest(req, false)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Debug().Msgf("Access Websocket request: %s", string(dump))
-	conn, resp, err := clientConnect(req, nil)
+	conn, resp, err := cfwebsocket.ClientConnect(req, nil)
 	if resp != nil {
 		r, err := httputil.DumpResponse(resp, true)
--- a/carrier/websocket_test.go
+++ b/carrier/websocket_test.go
@ -1,123 +0,0 @@
 package carrier
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"math/rand"
 	"testing"
 	"time"
 	gws "github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/websocket"
 	"github.com/cloudflare/cloudflared/hello"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 )
 func websocketClientTLSConfig(t *testing.T) *tls.Config {
 	certPool := x509.NewCertPool()
 	helloCert, err := tlsconfig.GetHelloCertificateX509()
 	assert.NoError(t, err)
 	certPool.AddCert(helloCert)
 	assert.NotNil(t, certPool)
 	return &tls.Config{RootCAs: certPool}
 }
 func TestWebsocketHeaders(t *testing.T) {
 	req := testRequest(t, "http://example.com", nil)
 	wsHeaders := websocketHeaders(req)
 	for _, header := range stripWebsocketHeaders {
 		assert.Empty(t, wsHeaders[header])
 	}
 	assert.Equal(t, "curl/7.59.0", wsHeaders.Get("User-Agent"))
 }
 func TestServe(t *testing.T) {
 	log := zerolog.Nop()
 	shutdownC := make(chan struct{})
 	errC := make(chan error)
 	listener, err := hello.CreateTLSListener("localhost:1111")
 	assert.NoError(t, err)
 	defer listener.Close()
 	go func() {
 		errC <- hello.StartHelloWorldServer(&log, listener, shutdownC)
 	}()
 	req := testRequest(t, "https://localhost:1111/ws", nil)
 	tlsConfig := websocketClientTLSConfig(t)
 	assert.NotNil(t, tlsConfig)
 	d := gws.Dialer{TLSClientConfig: tlsConfig}
 	conn, resp, err := clientConnect(req, &d)
 	assert.NoError(t, err)
 	assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
 	for i := 0; i < 1000; i++ {
 		messageSize := rand.Int()%2048 + 1
 		clientMessage := make([]byte, messageSize)
 		// rand.Read always returns len(clientMessage) and a nil error
 		rand.Read(clientMessage)
 		err = conn.WriteMessage(websocket.BinaryFrame, clientMessage)
 		assert.NoError(t, err)
 		messageType, message, err := conn.ReadMessage()
 		assert.NoError(t, err)
 		assert.Equal(t, websocket.BinaryFrame, messageType)
 		assert.Equal(t, clientMessage, message)
 	}
 	_ = conn.Close()
 	close(shutdownC)
 	<-errC
 }
 func TestWebsocketWrapper(t *testing.T) {
 	listener, err := hello.CreateTLSListener("localhost:0")
 	require.NoError(t, err)
 	serverErrorChan := make(chan error)
 	helloSvrCtx, cancelHelloSvr := context.WithCancel(context.Background())
 	defer func() { <-serverErrorChan }()
 	defer cancelHelloSvr()
 	go func() {
 		log := zerolog.Nop()
 		serverErrorChan <- hello.StartHelloWorldServer(&log, listener, helloSvrCtx.Done())
 	}()
 	tlsConfig := websocketClientTLSConfig(t)
 	d := gws.Dialer{TLSClientConfig: tlsConfig, HandshakeTimeout: time.Minute}
 	testAddr := fmt.Sprintf("https://%s/ws", listener.Addr().String())
 	req := testRequest(t, testAddr, nil)
 	conn, resp, err := clientConnect(req, &d)
 	require.NoError(t, err)
 	assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
 	// Websocket now connected to test server so lets check our wrapper
 	wrapper := cfwebsocket.GorillaConn{Conn: conn}
 	buf := make([]byte, 100)
 	wrapper.Write([]byte("abc"))
 	n, err := wrapper.Read(buf)
 	require.NoError(t, err)
 	require.Equal(t, n, 3)
 	require.Equal(t, "abc", string(buf[:n]))
 	// Test partial read, read 1 of 3 bytes in one read and the other 2 in another read
 	wrapper.Write([]byte("abc"))
 	buf = buf[:1]
 	n, err = wrapper.Read(buf)
 	require.NoError(t, err)
 	require.Equal(t, n, 1)
 	require.Equal(t, "a", string(buf[:n]))
 	buf = buf[:cap(buf)]
 	n, err = wrapper.Read(buf)
 	require.NoError(t, err)
 	require.Equal(t, n, 2)
 	require.Equal(t, "bc", string(buf[:n]))
 }
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -1,20 +0,0 @@
 apiVersion: backstage.io/v1alpha1
 kind: Component
 metadata:
  name: cloudflared
  description: Client for Cloudflare Tunnels
  annotations:
    cloudflare.com/software-excellence-opt-in: "true"
    cloudflare.com/jira-project-key: "TUN"
    cloudflare.com/jira-project-component: "Cloudflare Tunnel"
  tags:
    - internal
 spec:
  type: "service"
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
  cf:
    compliance:
      fedramp-high: "pending"
      fedramp-moderate: "yes"
    FIPS: "required"
--- a/certutil/certutil.go
+++ b/certutil/certutil.go
@ -0,0 +1,94 @@
 package certutil
 import (
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"strings"
 )
 type namedTunnelToken struct {
 	ZoneID     string `json:"zoneID"`
 	AccountID  string `json:"accountID"`
 	ServiceKey string `json:"serviceKey"`
 }
 type OriginCert struct {
 	PrivateKey interface{}
 	Cert       *x509.Certificate
 	ZoneID     string
 	ServiceKey string
 	AccountID  string
 }
 func DecodeOriginCert(blocks []byte) (*OriginCert, error) {
 	if len(blocks) == 0 {
 		return nil, fmt.Errorf("Cannot decode empty certificate")
 	}
 	originCert := OriginCert{}
 	block, rest := pem.Decode(blocks)
 	for {
 		if block == nil {
 			break
 		}
 		switch block.Type {
 		case "PRIVATE KEY":
 			if originCert.PrivateKey != nil {
 				return nil, fmt.Errorf("Found multiple private key in the certificate")
 			}
 			// RSA private key
 			privateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
 			if err != nil {
 				return nil, fmt.Errorf("Cannot parse private key")
 			}
 			originCert.PrivateKey = privateKey
 		case "CERTIFICATE":
 			if originCert.Cert != nil {
 				return nil, fmt.Errorf("Found multiple certificates in the certificate")
 			}
 			cert, err := x509.ParseCertificates(block.Bytes)
 			if err != nil {
 				return nil, fmt.Errorf("Cannot parse certificate")
 			} else if len(cert) > 1 {
 				return nil, fmt.Errorf("Found multiple certificates in the certificate")
 			}
 			originCert.Cert = cert[0]
 		case "WARP TOKEN", "ARGO TUNNEL TOKEN":
 			if originCert.ZoneID != "" || originCert.ServiceKey != "" {
 				return nil, fmt.Errorf("Found multiple tokens in the certificate")
 			}
 			// The token is a string,
 			// Try the newer JSON format
 			ntt := namedTunnelToken{}
 			if err := json.Unmarshal(block.Bytes, &ntt); err == nil {
 				originCert.ZoneID = ntt.ZoneID
 				originCert.ServiceKey = ntt.ServiceKey
 				originCert.AccountID = ntt.AccountID
 			} else {
 				// Try the older format, where the zoneID and service key are seperated by
 				// a new line character
 				token := string(block.Bytes)
 				s := strings.Split(token, "\n")
 				if len(s) != 2 {
 					return nil, fmt.Errorf("Cannot parse token")
 				}
 				originCert.ZoneID = s[0]
 				originCert.ServiceKey = s[1]
 			}
 		default:
 			return nil, fmt.Errorf("Unknown block %s in the certificate", block.Type)
 		}
 		block, rest = pem.Decode(rest)
 	}
 	if originCert.PrivateKey == nil {
 		return nil, fmt.Errorf("Missing private key in the certificate")
 	} else if originCert.Cert == nil {
 		return nil, fmt.Errorf("Missing certificate in the certificate")
 	} else if originCert.ZoneID == "" || originCert.ServiceKey == "" {
 		return nil, fmt.Errorf("Missing token in the certificate")
 	}
 	return &originCert, nil
 }
--- a/certutil/certutil_test.go
+++ b/certutil/certutil_test.go
@ -0,0 +1,67 @@
 package certutil
 import (
 	"fmt"
 	"io/ioutil"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestLoadOriginCert(t *testing.T) {
 	cert, err := DecodeOriginCert([]byte{})
 	assert.Equal(t, fmt.Errorf("Cannot decode empty certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err := ioutil.ReadFile("test-cert-no-key.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Missing private key in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert-two-certificates.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Found multiple certificates in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert-unknown-block.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Equal(t, fmt.Errorf("Unknown block RSA PRIVATE KEY in the certificate"), err)
 	assert.Nil(t, cert)
 	blocks, err = ioutil.ReadFile("test-cert.pem")
 	assert.Nil(t, err)
 	cert, err = DecodeOriginCert(blocks)
 	assert.Nil(t, err)
 	assert.NotNil(t, cert)
 	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
 	key := "v1.0-58bd4f9e28f7b3c28e05a35ff3e80ab4fd9644ef3fece537eb0d12e2e9258217-183442fbb0bbdb3e571558fec9b5589ebd77aafc87498ee3f09f64a4ad79ffe8791edbae08b36c1d8f1d70a8670de56922dff92b15d214a524f4ebfa1958859e-7ce80f79921312a6022c5d25e2d380f82ceaefe3fbdc43dd13b080e3ef1e26f7"
 	assert.Equal(t, key, cert.ServiceKey)
 }
 func TestNewlineArgoTunnelToken(t *testing.T) {
 	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert.pem")
 }
 func TestJSONArgoTunnelToken(t *testing.T) {
 	// The given cert's Argo Tunnel Token was generated by base64 encoding this JSON:
 	// {
 	// "zoneID": "7b0a4d77dfb881c1a3b7d61ea9443e19",
 	// "serviceKey": "test-service-key",
 	// "accountID": "abcdabcdabcdabcd1234567890abcdef"
 	// }
 	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert-json.pem")
 }
 func ArgoTunnelTokenTest(t *testing.T, path string) {
 	blocks, err := ioutil.ReadFile(path)
 	assert.Nil(t, err)
 	cert, err := DecodeOriginCert(blocks)
 	assert.Nil(t, err)
 	assert.NotNil(t, cert)
 	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
 	key := "test-service-key"
 	assert.Equal(t, key, cert.ServiceKey)
 }
--- a/certutil/test-argo-tunnel-cert-json.pem
+++ b/certutil/test-argo-tunnel-cert-json.pem
@ -0,0 +1,57 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN ARGO TUNNEL TOKEN-----
 eyJ6b25lSUQiOiAiN2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkiLCAi
 c2VydmljZUtleSI6ICJ0ZXN0LXNlcnZpY2Uta2V5IiwgImFjY291bnRJRCI6ICJh
 YmNkYWJjZGFiY2RhYmNkMTIzNDU2Nzg5MGFiY2RlZiJ9
 -----END ARGO TUNNEL TOKEN-----
--- a/certutil/test-argo-tunnel-cert.pem
+++ b/certutil/test-argo-tunnel-cert.pem
@ -0,0 +1,56 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN ARGO TUNNEL TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdGVzdC1zZXJ2aWNlLWtl
 eQ==
 -----END ARGO TUNNEL TOKEN-----
--- a/certutil/test-cert-no-key.pem
+++ b/certutil/test-cert-no-key.pem
@ -0,0 +1,33 @@
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/certutil/test-cert-two-certificates.pem
+++ b/certutil/test-cert-two-certificates.pem
@ -0,0 +1,85 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/credentials/test-cert-unknown-block.pem
+++ b/credentials/test-cert-unknown-block.pem
@ -50,7 +50,7 @@ cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
-----BEGIN ARGO TUNNEL TOKEN-----
+-----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
@ -58,7 +58,7 @@ NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
-----END ARGO TUNNEL TOKEN-----
+-----END WARP TOKEN-----
 -----BEGIN RSA PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
@ -87,4 +87,3 @@ M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END RSA PRIVATE KEY-----
--- a/certutil/test-cert.pem
+++ b/certutil/test-cert.pem
@ -0,0 +1,61 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
 sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
 1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
 z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
 6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
 x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
 1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
 IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
 xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
 sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
 2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
 sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
 Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
 AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
 m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
 QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
 P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
 pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
 G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
 6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
 LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
 OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
 W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
 M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
 gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
 VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
 cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
 YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
 MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
 ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
 aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
 GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
 6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
 tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
 PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
 AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
 HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
 VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
 zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
 RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
 YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
 YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
 cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
 K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
 x+Yo/cL8fGfVpPt4UM8=
 -----END CERTIFICATE-----
 -----BEGIN WARP TOKEN-----
 N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
 ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
 MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
 NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
 NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
 OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
 ZWYxZTI2Zjc=
 -----END WARP TOKEN-----
--- a/cfapi/base_client.go
+++ b/cfapi/base_client.go
@ -1,247 +0,0 @@
 package cfapi
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"golang.org/x/net/http2"
 )
 const (
 	defaultTimeout  = 15 * time.Second
 	jsonContentType = "application/json"
 )
 var (
 	ErrUnauthorized = errors.New("unauthorized")
 	ErrBadRequest   = errors.New("incorrect request parameters")
 	ErrNotFound     = errors.New("not found")
 	ErrAPINoSuccess = errors.New("API call failed")
 )
 type RESTClient struct {
 	baseEndpoints *baseEndpoints
 	authToken     string
 	userAgent     string
 	client        http.Client
 	log           *zerolog.Logger
 }
 type baseEndpoints struct {
 	accountLevel  url.URL
 	zoneLevel     url.URL
 	accountRoutes url.URL
 	accountVnets  url.URL
 }
 var _ Client = (*RESTClient)(nil)
 func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {
 	if strings.HasSuffix(baseURL, "/") {
 		baseURL = baseURL[:len(baseURL)-1]
 	}
 	accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create account level endpoint")
 	}
 	accountRoutesEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/routes", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create route account-level endpoint")
 	}
 	accountVnetsEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/virtual_networks", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create virtual network account-level endpoint")
 	}
 	zoneLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/zones/%s/tunnels", baseURL, zoneTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create account level endpoint")
 	}
 	httpTransport := http.Transport{
 		TLSHandshakeTimeout:   defaultTimeout,
 		ResponseHeaderTimeout: defaultTimeout,
 	}
 	http2.ConfigureTransport(&httpTransport)
 	return &RESTClient{
 		baseEndpoints: &baseEndpoints{
 			accountLevel:  *accountLevelEndpoint,
 			zoneLevel:     *zoneLevelEndpoint,
 			accountRoutes: *accountRoutesEndpoint,
 			accountVnets:  *accountVnetsEndpoint,
 		},
 		authToken: authToken,
 		userAgent: userAgent,
 		client: http.Client{
 			Transport: &httpTransport,
 			Timeout:   defaultTimeout,
 		},
 		log: log,
 	}, nil
 }
 func (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (*http.Response, error) {
 	var bodyReader io.Reader
 	if body != nil {
 		if bodyBytes, err := json.Marshal(body); err != nil {
 			return nil, errors.Wrap(err, "failed to serialize json body")
 		} else {
 			bodyReader = bytes.NewBuffer(bodyBytes)
 		}
 	}
 	req, err := http.NewRequest(method, url.String(), bodyReader)
 	if err != nil {
 		return nil, errors.Wrapf(err, "can't create %s request", method)
 	}
 	req.Header.Set("User-Agent", r.userAgent)
 	if bodyReader != nil {
 		req.Header.Set("Content-Type", jsonContentType)
 	}
 	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", r.authToken))
 	req.Header.Add("Accept", "application/json;version=1")
 	return r.client.Do(req)
 }
 func parseResponseEnvelope(reader io.Reader) (*response, error) {
 	// Schema for Tunnelstore responses in the v1 API.
 	// Roughly, it's a wrapper around a particular result that adds failures/errors/etc
 	var result response
 	// First, parse the wrapper and check the API call succeeded
 	if err := json.NewDecoder(reader).Decode(&result); err != nil {
 		return nil, errors.Wrap(err, "failed to decode response")
 	}
 	if err := result.checkErrors(); err != nil {
 		return nil, err
 	}
 	if !result.Success {
 		return nil, ErrAPINoSuccess
 	}
 	return &result, nil
 }
 func parseResponse(reader io.Reader, data interface{}) error {
 	result, err := parseResponseEnvelope(reader)
 	if err != nil {
 		return err
 	}
 	return parseResponseBody(result, data)
 }
 func parseResponseBody(result *response, data interface{}) error {
 	// At this point we know the API call succeeded, so, parse out the inner
 	// result into the datatype provided as a parameter.
 	if err := json.Unmarshal(result.Result, &data); err != nil {
 		return errors.Wrap(err, "the Cloudflare API response was an unexpected type")
 	}
 	return nil
 }
 func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {
 	page := 0
 	var fullResponse []*T
 	for {
 		page += 1
 		envelope, parsedBody, err := fetchPage[T](requestFn, page)
 		if err != nil {
 			return nil, errors.Wrap(err, fmt.Sprintf("Error Parsing page %d", page))
 		}
 		fullResponse = append(fullResponse, parsedBody...)
 		if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
 			break
 		}
 	}
 	return fullResponse, nil
 }
 func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {
 	pageResp, err := requestFn(page)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "REST request failed")
 	}
 	defer pageResp.Body.Close()
 	if pageResp.StatusCode == http.StatusOK {
 		envelope, err := parseResponseEnvelope(pageResp.Body)
 		if err != nil {
 			return nil, nil, err
 		}
 		var parsedRspBody []*T
 		return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
 	}
 	return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
 }
 type response struct {
 	Success    bool            `json:"success,omitempty"`
 	Errors     []apiErr        `json:"errors,omitempty"`
 	Messages   []string        `json:"messages,omitempty"`
 	Result     json.RawMessage `json:"result,omitempty"`
 	Pagination Pagination      `json:"result_info,omitempty"`
 }
 type Pagination struct {
 	Count      int `json:"count,omitempty"`
 	Page       int `json:"page,omitempty"`
 	PerPage    int `json:"per_page,omitempty"`
 	TotalCount int `json:"total_count,omitempty"`
 }
 func (r *response) checkErrors() error {
 	if len(r.Errors) == 0 {
 		return nil
 	}
 	if len(r.Errors) == 1 {
 		return r.Errors[0]
 	}
 	var messages string
 	for _, e := range r.Errors {
 		messages += fmt.Sprintf("%s; ", e)
 	}
 	return fmt.Errorf("API errors: %s", messages)
 }
 type apiErr struct {
 	Code    json.Number `json:"code,omitempty"`
 	Message string      `json:"message,omitempty"`
 }
 func (e apiErr) Error() string {
 	return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message)
 }
 func (r *RESTClient) statusCodeToError(op string, resp *http.Response) error {
 	if resp.Header.Get("Content-Type") == "application/json" {
 		var errorsResp response
 		if json.NewDecoder(resp.Body).Decode(&errorsResp) == nil {
 			if err := errorsResp.checkErrors(); err != nil {
 				return errors.Errorf("Failed to %s: %s", op, err)
 			}
 		}
 	}
 	switch resp.StatusCode {
 	case http.StatusOK:
 		return nil
 	case http.StatusBadRequest:
 		return ErrBadRequest
 	case http.StatusUnauthorized, http.StatusForbidden:
 		return ErrUnauthorized
 	case http.StatusNotFound:
 		return ErrNotFound
 	}
 	return errors.Errorf("API call to %s failed with status %d: %s", op,
 		resp.StatusCode, http.StatusText(resp.StatusCode))
 }
--- a/cfapi/client.go
+++ b/cfapi/client.go
@ -1,41 +0,0 @@
 package cfapi
 import (
 	"github.com/google/uuid"
 )
 type TunnelClient interface {
 	CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
 	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
 	GetTunnelToken(tunnelID uuid.UUID) (string, error)
 	GetManagementToken(tunnelID uuid.UUID) (string, error)
 	DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
 	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
 	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
 	CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error
 }
 type HostnameClient interface {
 	RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error)
 }
 type IPRouteClient interface {
 	ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)
 	AddRoute(newRoute NewRoute) (Route, error)
 	DeleteRoute(id uuid.UUID) error
 	GetByIP(params GetRouteByIpParams) (DetailedRoute, error)
 }
 type VnetClient interface {
 	CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error)
 	ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error)
 	DeleteVirtualNetwork(id uuid.UUID, force bool) error
 	UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error
 }
 type Client interface {
 	TunnelClient
 	HostnameClient
 	IPRouteClient
 	VnetClient
 }
--- a/cfapi/hostname.go
+++ b/cfapi/hostname.go
@ -1,192 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"path"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 type Change = string
 const (
 	ChangeNew       = "new"
 	ChangeUpdated   = "updated"
 	ChangeUnchanged = "unchanged"
 )
 // HostnameRoute represents a record type that can route to a tunnel
 type HostnameRoute interface {
 	json.Marshaler
 	RecordType() string
 	UnmarshalResult(body io.Reader) (HostnameRouteResult, error)
 	String() string
 }
 type HostnameRouteResult interface {
 	// SuccessSummary explains what will route to this tunnel when it's provisioned successfully
 	SuccessSummary() string
 }
 type DNSRoute struct {
 	userHostname      string
 	overwriteExisting bool
 }
 type DNSRouteResult struct {
 	route *DNSRoute
 	CName Change `json:"cname"`
 	Name  string `json:"name"`
 }
 func NewDNSRoute(userHostname string, overwriteExisting bool) HostnameRoute {
 	return &DNSRoute{
 		userHostname:      userHostname,
 		overwriteExisting: overwriteExisting,
 	}
 }
 func (dr *DNSRoute) MarshalJSON() ([]byte, error) {
 	s := struct {
 		Type              string `json:"type"`
 		UserHostname      string `json:"user_hostname"`
 		OverwriteExisting bool   `json:"overwrite_existing"`
 	}{
 		Type:              dr.RecordType(),
 		UserHostname:      dr.userHostname,
 		OverwriteExisting: dr.overwriteExisting,
 	}
 	return json.Marshal(&s)
 }
 func (dr *DNSRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
 	var result DNSRouteResult
 	err := parseResponse(body, &result)
 	result.route = dr
 	return &result, err
 }
 func (dr *DNSRoute) RecordType() string {
 	return "dns"
 }
 func (dr *DNSRoute) String() string {
 	return fmt.Sprintf("%s %s", dr.RecordType(), dr.userHostname)
 }
 func (res *DNSRouteResult) SuccessSummary() string {
 	var msgFmt string
 	switch res.CName {
 	case ChangeNew:
 		msgFmt = "Added CNAME %s which will route to this tunnel"
 	case ChangeUpdated: // this is not currently returned by tunnelsore
 		msgFmt = "%s updated to route to your tunnel"
 	case ChangeUnchanged:
 		msgFmt = "%s is already configured to route to your tunnel"
 	}
 	return fmt.Sprintf(msgFmt, res.hostname())
 }
 // hostname yields the resulting name for the DNS route; if that is not available from Cloudflare API, then the
 // requested name is returned instead (should not be the common path, it is just a fall-back).
 func (res *DNSRouteResult) hostname() string {
 	if res.Name != "" {
 		return res.Name
 	}
 	return res.route.userHostname
 }
 type LBRoute struct {
 	lbName string
 	lbPool string
 }
 type LBRouteResult struct {
 	route        *LBRoute
 	LoadBalancer Change `json:"load_balancer"`
 	Pool         Change `json:"pool"`
 }
 func NewLBRoute(lbName, lbPool string) HostnameRoute {
 	return &LBRoute{
 		lbName: lbName,
 		lbPool: lbPool,
 	}
 }
 func (lr *LBRoute) MarshalJSON() ([]byte, error) {
 	s := struct {
 		Type   string `json:"type"`
 		LBName string `json:"lb_name"`
 		LBPool string `json:"lb_pool"`
 	}{
 		Type:   lr.RecordType(),
 		LBName: lr.lbName,
 		LBPool: lr.lbPool,
 	}
 	return json.Marshal(&s)
 }
 func (lr *LBRoute) RecordType() string {
 	return "lb"
 }
 func (lb *LBRoute) String() string {
 	return fmt.Sprintf("%s %s %s", lb.RecordType(), lb.lbName, lb.lbPool)
 }
 func (lr *LBRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
 	var result LBRouteResult
 	err := parseResponse(body, &result)
 	result.route = lr
 	return &result, err
 }
 func (res *LBRouteResult) SuccessSummary() string {
 	var msg string
 	switch res.LoadBalancer + "," + res.Pool {
 	case "new,new":
 		msg = "Created load balancer %s and added a new pool %s with this tunnel as an origin"
 	case "new,updated":
 		msg = "Created load balancer %s with an existing pool %s which was updated to use this tunnel as an origin"
 	case "new,unchanged":
 		msg = "Created load balancer %s with an existing pool %s which already has this tunnel as an origin"
 	case "updated,new":
 		msg = "Added new pool %[2]s with this tunnel as an origin to load balancer %[1]s"
 	case "updated,updated":
 		msg = "Updated pool %[2]s to use this tunnel as an origin and added it to load balancer %[1]s"
 	case "updated,unchanged":
 		msg = "Added pool %[2]s, which already has this tunnel as an origin, to load balancer %[1]s"
 	case "unchanged,updated":
 		msg = "Added this tunnel as an origin in pool %[2]s which is already used by load balancer %[1]s"
 	case "unchanged,unchanged":
 		msg = "Load balancer %s already uses pool %s which has this tunnel as an origin"
 	case "unchanged,new":
 		// this state is not possible
 		fallthrough
 	default:
 		msg = "Something went wrong: failed to modify load balancer %s with pool %s; please check traffic manager configuration in the dashboard"
 	}
 	return fmt.Sprintf(msg, res.route.lbName, res.route.lbPool)
 }
 func (r *RESTClient) RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error) {
 	endpoint := r.baseEndpoints.zoneLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/routes", tunnelID))
 	resp, err := r.sendRequest("PUT", endpoint, route)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return route.UnmarshalResult(resp.Body)
 	}
 	return nil, r.statusCodeToError("add route", resp)
 }
--- a/cfapi/hostname_test.go
+++ b/cfapi/hostname_test.go
@ -1,99 +0,0 @@
 package cfapi
 import (
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestDNSRouteUnmarshalResult(t *testing.T) {
 	route := &DNSRoute{
 		userHostname: "example.com",
 	}
 	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"cname": "new"}}`))
 	assert.NoError(t, err)
 	assert.Equal(t, &DNSRouteResult{
 		route: route,
 		CName: ChangeNew,
 	}, result)
 	badJSON := []string{
 		`abc`,
 		`{"success": false, "result": {"cname": "new"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"cname": "new"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"cname": "new"}}`,
 		`{"result": {"cname": "new"}}`,
 		`{"result": {"cname": "new"}}`,
 	}
 	for _, j := range badJSON {
 		_, err = route.UnmarshalResult(strings.NewReader(j))
 		assert.NotNil(t, err)
 	}
 }
 func TestLBRouteUnmarshalResult(t *testing.T) {
 	route := &LBRoute{
 		lbName: "lb.example.com",
 		lbPool: "pool",
 	}
 	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"pool": "unchanged", "load_balancer": "updated"}}`))
 	assert.NoError(t, err)
 	assert.Equal(t, &LBRouteResult{
 		route:        route,
 		LoadBalancer: ChangeUpdated,
 		Pool:         ChangeUnchanged,
 	}, result)
 	badJSON := []string{
 		`abc`,
 		`{"success": false, "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 	}
 	for _, j := range badJSON {
 		_, err = route.UnmarshalResult(strings.NewReader(j))
 		assert.NotNil(t, err)
 	}
 }
 func TestLBRouteResultSuccessSummary(t *testing.T) {
 	route := &LBRoute{
 		lbName: "lb.example.com",
 		lbPool: "POOL",
 	}
 	tests := []struct {
 		lb       Change
 		pool     Change
 		expected string
 	}{
 		{ChangeNew, ChangeNew, "Created load balancer lb.example.com and added a new pool POOL with this tunnel as an origin"},
 		{ChangeNew, ChangeUpdated, "Created load balancer lb.example.com with an existing pool POOL which was updated to use this tunnel as an origin"},
 		{ChangeNew, ChangeUnchanged, "Created load balancer lb.example.com with an existing pool POOL which already has this tunnel as an origin"},
 		{ChangeUpdated, ChangeNew, "Added new pool POOL with this tunnel as an origin to load balancer lb.example.com"},
 		{ChangeUpdated, ChangeUpdated, "Updated pool POOL to use this tunnel as an origin and added it to load balancer lb.example.com"},
 		{ChangeUpdated, ChangeUnchanged, "Added pool POOL, which already has this tunnel as an origin, to load balancer lb.example.com"},
 		{ChangeUnchanged, ChangeNew, "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 		{ChangeUnchanged, ChangeUpdated, "Added this tunnel as an origin in pool POOL which is already used by load balancer lb.example.com"},
 		{ChangeUnchanged, ChangeUnchanged, "Load balancer lb.example.com already uses pool POOL which has this tunnel as an origin"},
 		{"", "", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 		{"a", "b", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 	}
 	for i, tt := range tests {
 		res := &LBRouteResult{
 			route:        route,
 			LoadBalancer: tt.lb,
 			Pool:         tt.pool,
 		}
 		actual := res.SuccessSummary()
 		assert.Equal(t, tt.expected, actual, "case %d", i+1)
 	}
 }
--- a/cfapi/ip_route.go
+++ b/cfapi/ip_route.go
@ -1,235 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 // Route is a mapping from customer's IP space to a tunnel.
 // Each route allows the customer to route eyeballs in their corporate network
 // to certain private IP ranges. Each Route represents an IP range in their
 // network, and says that eyeballs can reach that route using the corresponding
 // tunnel.
 type Route struct {
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the Route belongs to the default virtual network.
 	VNetID    *uuid.UUID `json:"virtual_network_id,omitempty"`
 	Comment   string     `json:"comment"`
 	CreatedAt time.Time  `json:"created_at"`
 	DeletedAt time.Time  `json:"deleted_at"`
 }
 // CIDR is just a newtype wrapper around net.IPNet. It adds JSON unmarshalling.
 type CIDR net.IPNet
 func (c CIDR) String() string {
 	n := net.IPNet(c)
 	return n.String()
 }
 func (c CIDR) MarshalJSON() ([]byte, error) {
 	str := c.String()
 	json, err := json.Marshal(str)
 	if err != nil {
 		return nil, errors.Wrap(err, "error serializing CIDR into JSON")
 	}
 	return json, nil
 }
 // UnmarshalJSON parses a JSON string into net.IPNet
 func (c *CIDR) UnmarshalJSON(data []byte) error {
 	var s string
 	if err := json.Unmarshal(data, &s); err != nil {
 		return errors.Wrap(err, "error parsing cidr string")
 	}
 	_, network, err := net.ParseCIDR(s)
 	if err != nil {
 		return errors.Wrap(err, "error parsing invalid network from backend")
 	}
 	if network == nil {
 		return fmt.Errorf("backend returned invalid network %s", s)
 	}
 	*c = CIDR(*network)
 	return nil
 }
 // NewRoute has all the parameters necessary to add a new route to the table.
 type NewRoute struct {
 	Network  net.IPNet
 	TunnelID uuid.UUID
 	Comment  string
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 // MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).
 func (r NewRoute) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&struct {
 		Network  string     `json:"network"`
 		TunnelID uuid.UUID  `json:"tunnel_id"`
 		Comment  string     `json:"comment"`
 		VNetID   *uuid.UUID `json:"virtual_network_id,omitempty"`
 	}{
 		Network:  r.Network.String(),
 		TunnelID: r.TunnelID,
 		Comment:  r.Comment,
 		VNetID:   r.VNetID,
 	})
 }
 // DetailedRoute is just a Route with some extra fields, e.g. TunnelName.
 type DetailedRoute struct {
 	ID       uuid.UUID `json:"id"`
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.
 	VNetID     *uuid.UUID `json:"virtual_network_id,omitempty"`
 	Comment    string     `json:"comment"`
 	CreatedAt  time.Time  `json:"created_at"`
 	DeletedAt  time.Time  `json:"deleted_at"`
 	TunnelName string     `json:"tunnel_name"`
 }
 // IsZero checks if DetailedRoute is the zero value.
 func (r *DetailedRoute) IsZero() bool {
 	return r.TunnelID == uuid.Nil
 }
 // TableString outputs a table row summarizing the route, to be used
 // when showing the user their routing table.
 func (r DetailedRoute) TableString() string {
 	deletedColumn := "-"
 	if !r.DeletedAt.IsZero() {
 		deletedColumn = r.DeletedAt.Format(time.RFC3339)
 	}
 	vnetColumn := "default"
 	if r.VNetID != nil {
 		vnetColumn = r.VNetID.String()
 	}
 	return fmt.Sprintf(
 		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
 		r.ID,
 		r.Network.String(),
 		vnetColumn,
 		r.Comment,
 		r.TunnelID,
 		r.TunnelName,
 		r.CreatedAt.Format(time.RFC3339),
 		deletedColumn,
 	)
 }
 type GetRouteByIpParams struct {
 	Ip net.IP
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 // ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.
 // Due to pagination on the server side it will call the endpoint multiple times if needed.
 func (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {
 	fetchFn := func(page int) (*http.Response, error) {
 		endpoint := r.baseEndpoints.accountRoutes
 		filter.Page(page)
 		endpoint.RawQuery = filter.Encode()
 		rsp, err := r.sendRequest("GET", endpoint, nil)
 		if err != nil {
 			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list routes", rsp)
 		}
 		return rsp, nil
 	}
 	return fetchExhaustively[DetailedRoute](fetchFn)
 }
 // AddRoute calls the Tunnelstore POST endpoint for a given route.
 func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path)
 	resp, err := r.sendRequest("POST", endpoint, newRoute)
 	if err != nil {
 		return Route{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseRoute(resp.Body)
 	}
 	return Route{}, r.statusCodeToError("add route", resp)
 }
 // DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.
 func (r *RESTClient) DeleteRoute(id uuid.UUID) error {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseRoute(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("delete route", resp)
 }
 // GetByIP checks which route will proxy a given IP.
 func (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path, "ip", url.PathEscape(params.Ip.String()))
 	setVnetParam(&endpoint, params.VNetID)
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return DetailedRoute{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseDetailedRoute(resp.Body)
 	}
 	return DetailedRoute{}, r.statusCodeToError("get route by IP", resp)
 }
 func parseRoute(body io.ReadCloser) (Route, error) {
 	var route Route
 	err := parseResponse(body, &route)
 	return route, err
 }
 func parseDetailedRoute(body io.ReadCloser) (DetailedRoute, error) {
 	var route DetailedRoute
 	err := parseResponse(body, &route)
 	return route, err
 }
 // setVnetParam overwrites the URL's query parameters with a query param to scope the HostnameRoute action to a certain
 // virtual network (if one is provided).
 func setVnetParam(endpoint *url.URL, vnetID *uuid.UUID) {
 	queryParams := url.Values{}
 	if vnetID != nil {
 		queryParams.Set("virtual_network_id", vnetID.String())
 	}
 	endpoint.RawQuery = queryParams.Encode()
 }
--- a/cfapi/ip_route_filter.go
+++ b/cfapi/ip_route_filter.go
@ -1,176 +0,0 @@
 package cfapi
 import (
 	"fmt"
 	"net"
 	"net/url"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 var (
 	filterIpRouteDeleted = cli.BoolFlag{
 		Name:  "filter-is-deleted",
 		Usage: "If false (default), only show non-deleted routes. If true, only show deleted routes.",
 	}
 	filterIpRouteTunnelID = cli.StringFlag{
 		Name:  "filter-tunnel-id",
 		Usage: "Show only routes with the given tunnel ID.",
 	}
 	filterSubsetIpRoute = cli.StringFlag{
 		Name:    "filter-network-is-subset-of",
 		Aliases: []string{"nsub"},
 		Usage:   "Show only routes whose network is a subset of the given network.",
 	}
 	filterSupersetIpRoute = cli.StringFlag{
 		Name:    "filter-network-is-superset-of",
 		Aliases: []string{"nsup"},
 		Usage:   "Show only routes whose network is a superset of the given network.",
 	}
 	filterIpRouteComment = cli.StringFlag{
 		Name:  "filter-comment-is",
 		Usage: "Show only routes with this comment.",
 	}
 	filterIpRouteByVnet = cli.StringFlag{
 		Name:  "filter-vnet-id",
 		Usage: "Show only routes that are attached to the given virtual network ID.",
 	}
 	// Flags contains all filter flags.
 	IpRouteFilterFlags = []cli.Flag{
 		&filterIpRouteDeleted,
 		&filterIpRouteTunnelID,
 		&filterSubsetIpRoute,
 		&filterSupersetIpRoute,
 		&filterIpRouteComment,
 		&filterIpRouteByVnet,
 	}
 )
 // IpRouteFilter which routes get queried.
 type IpRouteFilter struct {
 	queryParams url.Values
 }
 // NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.
 func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
 	f := NewIPRouteFilter()
 	// Set deletion filter
 	if flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {
 		f.Deleted()
 	} else {
 		f.NotDeleted()
 	}
 	if subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {
 		return nil, err
 	} else if subset != nil {
 		f.NetworkIsSupersetOf(*subset)
 	}
 	if superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {
 		return nil, err
 	} else if superset != nil {
 		f.NetworkIsSupersetOf(*superset)
 	}
 	if comment := c.String(filterIpRouteComment.Name); comment != "" {
 		f.CommentIs(comment)
 	}
 	if tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != "" {
 		u, err := uuid.Parse(tunnelID)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteTunnelID.Name)
 		}
 		f.TunnelID(u)
 	}
 	if vnetId := c.String(filterIpRouteByVnet.Name); vnetId != "" {
 		u, err := uuid.Parse(vnetId)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteByVnet.Name)
 		}
 		f.VNetID(u)
 	}
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		f.MaxFetchSize(uint(maxFetch))
 	}
 	return f, nil
 }
 // Parses a CIDR from the flag. If the flag was unset, returns (nil, nil).
 func cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {
 	if !c.IsSet(flag.Name) {
 		return nil, nil
 	}
 	_, subset, err := net.ParseCIDR(c.String(flag.Name))
 	if err != nil {
 		return nil, err
 	} else if subset == nil {
 		return nil, fmt.Errorf("Invalid CIDR supplied for %s", flag.Name)
 	}
 	return subset, nil
 }
 func NewIPRouteFilter() *IpRouteFilter {
 	values := &IpRouteFilter{queryParams: url.Values{}}
 	// always list cfd_tunnel routes only
 	values.queryParams.Set("tun_types", "cfd_tunnel")
 	return values
 }
 func (f *IpRouteFilter) CommentIs(comment string) {
 	f.queryParams.Set("comment", comment)
 }
 func (f *IpRouteFilter) NotDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
 func (f *IpRouteFilter) Deleted() {
 	f.queryParams.Set("is_deleted", "true")
 }
 func (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {
 	f.queryParams.Set("network_subset", superset.String())
 }
 func (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {
 	f.queryParams.Set("network_superset", subset.String())
 }
 func (f *IpRouteFilter) ExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(time.RFC3339))
 }
 func (f *IpRouteFilter) TunnelID(id uuid.UUID) {
 	f.queryParams.Set("tunnel_id", id.String())
 }
 func (f *IpRouteFilter) VNetID(id uuid.UUID) {
 	f.queryParams.Set("virtual_network_id", id.String())
 }
 func (f *IpRouteFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *IpRouteFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f IpRouteFilter) Encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/ip_route_test.go
+++ b/cfapi/ip_route_test.go
@ -1,178 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"net"
 	"strings"
 	"testing"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 )
 func TestUnmarshalRoute(t *testing.T) {
 	testCases := []struct {
 		Json    string
 		HasVnet bool
 	}{
 		{
 			`{
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":null
 			}`,
 			false,
 		},
 		{
 			`{
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":null,
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9"
 			}`,
 			true,
 		},
 	}
 	for _, testCase := range testCases {
 		data := testCase.Json
 		var r Route
 		err := json.Unmarshal([]byte(data), &r)
 		// Check everything worked
 		require.NoError(t, err)
 		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
 		require.Equal(t, "test", r.Comment)
 		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
 		require.NoError(t, err)
 		require.Equal(t, CIDR(*cidr), r.Network)
 		require.Equal(t, "test", r.Comment)
 		if testCase.HasVnet {
 			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
 		} else {
 			require.Nil(t, r.VNetID)
 		}
 	}
 }
 func TestDetailedRouteJsonRoundtrip(t *testing.T) {
 	testCases := []struct {
 		Json    string
 		HasVnet bool
 	}{
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":"2021-01-14T05:01:42.183002Z",
 				"tunnel_name":"Mr. Tun"
 			}`,
 			false,
 		},
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":"2021-01-14T05:01:42.183002Z",
 				"tunnel_name":"Mr. Tun"
 			}`,
 			true,
 		},
 	}
 	for _, testCase := range testCases {
 		data := testCase.Json
 		var r DetailedRoute
 		err := json.Unmarshal([]byte(data), &r)
 		// Check everything worked
 		require.NoError(t, err)
 		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
 		require.Equal(t, "test", r.Comment)
 		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
 		require.NoError(t, err)
 		require.Equal(t, CIDR(*cidr), r.Network)
 		require.Equal(t, "test", r.Comment)
 		require.Equal(t, "Mr. Tun", r.TunnelName)
 		if testCase.HasVnet {
 			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
 		} else {
 			require.Nil(t, r.VNetID)
 		}
 		bytes, err := json.Marshal(r)
 		require.NoError(t, err)
 		obtainedJson := string(bytes)
 		data = strings.Replace(data, "\t", "", -1)
 		data = strings.Replace(data, "\n", "", -1)
 		require.Equal(t, data, obtainedJson)
 	}
 }
 func TestMarshalNewRoute(t *testing.T) {
 	_, network, err := net.ParseCIDR("1.2.3.4/32")
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	vnetId := uuid.New()
 	newRoutes := []NewRoute{
 		{
 			Network:  *network,
 			TunnelID: uuid.New(),
 			Comment:  "hi",
 		},
 		{
 			Network:  *network,
 			TunnelID: uuid.New(),
 			Comment:  "hi",
 			VNetID:   &vnetId,
 		},
 	}
 	for _, newRoute := range newRoutes {
 		// Test where receiver is struct
 		serialized, err := json.Marshal(newRoute)
 		require.NoError(t, err)
 		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
 		// Test where receiver is pointer to struct
 		serialized, err = json.Marshal(&newRoute)
 		require.NoError(t, err)
 		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
 		if newRoute.VNetID == nil {
 			require.False(t, strings.Contains(string(serialized), "virtual_network_id"))
 		} else {
 			require.True(t, strings.Contains(string(serialized), "virtual_network_id"))
 		}
 	}
 }
 func TestRouteTableString(t *testing.T) {
 	_, network, err := net.ParseCIDR("1.2.3.4/32")
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	r := DetailedRoute{
 		ID:      uuid.Nil,
 		Network: CIDR(*network),
 	}
 	row := r.TableString()
 	fmt.Println(row)
 	require.True(t, strings.HasPrefix(row, "00000000-0000-0000-0000-000000000000\t1.2.3.4/32"))
 }
--- a/cfapi/tunnel.go
+++ b/cfapi/tunnel.go
@ -1,237 +0,0 @@
 package cfapi
 import (
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 var ErrTunnelNameConflict = errors.New("tunnel with name already exists")
 type Tunnel struct {
 	ID          uuid.UUID    `json:"id"`
 	Name        string       `json:"name"`
 	CreatedAt   time.Time    `json:"created_at"`
 	DeletedAt   time.Time    `json:"deleted_at"`
 	Connections []Connection `json:"connections"`
 }
 type TunnelWithToken struct {
 	Tunnel
 	Token string `json:"token"`
 }
 type Connection struct {
 	ColoName           string    `json:"colo_name"`
 	ID                 uuid.UUID `json:"id"`
 	IsPendingReconnect bool      `json:"is_pending_reconnect"`
 	OriginIP           net.IP    `json:"origin_ip"`
 	OpenedAt           time.Time `json:"opened_at"`
 }
 type ActiveClient struct {
 	ID          uuid.UUID    `json:"id"`
 	Features    []string     `json:"features"`
 	Version     string       `json:"version"`
 	Arch        string       `json:"arch"`
 	RunAt       time.Time    `json:"run_at"`
 	Connections []Connection `json:"conns"`
 }
 type newTunnel struct {
 	Name         string `json:"name"`
 	TunnelSecret []byte `json:"tunnel_secret"`
 }
 type managementRequest struct {
 	Resources []string `json:"resources"`
 }
 type CleanupParams struct {
 	queryParams url.Values
 }
 func NewCleanupParams() *CleanupParams {
 	return &CleanupParams{
 		queryParams: url.Values{},
 	}
 }
 func (cp *CleanupParams) ForClient(clientID uuid.UUID) {
 	cp.queryParams.Set("client_id", clientID.String())
 }
 func (cp CleanupParams) encode() string {
 	return cp.queryParams.Encode()
 }
 func (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error) {
 	if name == "" {
 		return nil, errors.New("tunnel name required")
 	}
 	if _, err := uuid.Parse(name); err == nil {
 		return nil, errors.New("you cannot use UUIDs as tunnel names")
 	}
 	body := &newTunnel{
 		Name:         name,
 		TunnelSecret: tunnelSecret,
 	}
 	resp, err := r.sendRequest("POST", r.baseEndpoints.accountLevel, body)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	switch resp.StatusCode {
 	case http.StatusOK:
 		var tunnel TunnelWithToken
 		if serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {
 			return nil, serdeErr
 		}
 		return &tunnel, nil
 	case http.StatusConflict:
 		return nil, ErrTunnelNameConflict
 	}
 	return nil, r.statusCodeToError("create tunnel", resp)
 }
 func (r *RESTClient) GetTunnel(tunnelID uuid.UUID) (*Tunnel, error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return unmarshalTunnel(resp.Body)
 	}
 	return nil, r.statusCodeToError("get tunnel", resp)
 }
 func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/token", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		err = parseResponse(resp.Body, &token)
 		return token, err
 	}
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
 	body := &managementRequest{
 		Resources: []string{"logs"},
 	}
 	resp, err := r.sendRequest("POST", endpoint, body)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		err = parseResponse(resp.Body, &token)
 		return token, err
 	}
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	// Cascade will delete all tunnel dependencies (connections, routes, etc.) that
 	// are linked to the deleted tunnel.
 	if cascade {
 		endpoint.RawQuery = "cascade=true"
 	}
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	return r.statusCodeToError("delete tunnel", resp)
 }
 func (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {
 	fetchFn := func(page int) (*http.Response, error) {
 		endpoint := r.baseEndpoints.accountLevel
 		filter.Page(page)
 		endpoint.RawQuery = filter.encode()
 		rsp, err := r.sendRequest("GET", endpoint, nil)
 		if err != nil {
 			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list tunnels", rsp)
 		}
 		return rsp, nil
 	}
 	return fetchExhaustively[Tunnel](fetchFn)
 }
 func (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseConnectionsDetails(resp.Body)
 	}
 	return nil, r.statusCodeToError("list connection details", resp)
 }
 func parseConnectionsDetails(reader io.Reader) ([]*ActiveClient, error) {
 	var clients []*ActiveClient
 	err := parseResponse(reader, &clients)
 	return clients, err
 }
 func (r *RESTClient) CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.RawQuery = params.encode()
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	return r.statusCodeToError("cleanup connections", resp)
 }
 func unmarshalTunnel(reader io.Reader) (*Tunnel, error) {
 	var tunnel Tunnel
 	err := parseResponse(reader, &tunnel)
 	return &tunnel, err
 }
--- a/cfapi/tunnel_filter.go
+++ b/cfapi/tunnel_filter.go
@ -1,59 +0,0 @@
 package cfapi
 import (
 	"net/url"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 )
 const (
 	TimeLayout = time.RFC3339
 )
 type TunnelFilter struct {
 	queryParams url.Values
 }
 func NewTunnelFilter() *TunnelFilter {
 	return &TunnelFilter{
 		queryParams: url.Values{},
 	}
 }
 func (f *TunnelFilter) ByName(name string) {
 	f.queryParams.Set("name", name)
 }
 func (f *TunnelFilter) ByNamePrefix(namePrefix string) {
 	f.queryParams.Set("name_prefix", namePrefix)
 }
 func (f *TunnelFilter) ExcludeNameWithPrefix(excludePrefix string) {
 	f.queryParams.Set("exclude_prefix", excludePrefix)
 }
 func (f *TunnelFilter) NoDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
 func (f *TunnelFilter) ByExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(TimeLayout))
 }
 func (f *TunnelFilter) ByTunnelID(tunnelID uuid.UUID) {
 	f.queryParams.Set("uuid", tunnelID.String())
 }
 func (f *TunnelFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *TunnelFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f TunnelFilter) encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/tunnel_test.go
+++ b/cfapi/tunnel_test.go
@ -1,102 +0,0 @@
 package cfapi
 import (
 	"bytes"
 	"fmt"
 	"net"
 	"reflect"
 	"strings"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 var loc, _ = time.LoadLocation("UTC")
 func Test_unmarshalTunnel(t *testing.T) {
 	type args struct {
 		body string
 	}
 	tests := []struct {
 		name    string
 		args    args
 		want    *Tunnel
 		wantErr bool
 	}{
 		{
 			name: "empty list",
 			args: args{body: `{"success": true, "result": {"id":"b34cc7ce-925b-46ee-bc23-4cb5c18d8292","created_at":"2021-07-29T13:46:14.090955Z","deleted_at":"2021-07-29T14:07:27.559047Z","name":"qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV","account_id":6946212,"account_tag":"5ab4e9dfbd435d24068829fda0077963","conns_active_at":null,"conns_inactive_at":"2021-07-29T13:47:22.548482Z","tun_type":"cfd_tunnel","metadata":{"qtid":"a6fJROgkXutNruBGaJjD"}}}`},
 			want: &Tunnel{
 				ID:          uuid.MustParse("b34cc7ce-925b-46ee-bc23-4cb5c18d8292"),
 				Name:        "qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV",
 				CreatedAt:   time.Date(2021, 07, 29, 13, 46, 14, 90955000, loc),
 				DeletedAt:   time.Date(2021, 07, 29, 14, 7, 27, 559047000, loc),
 				Connections: nil,
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := unmarshalTunnel(strings.NewReader(tt.args.body))
 			if (err != nil) != tt.wantErr {
 				t.Errorf("unmarshalTunnel() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("unmarshalTunnel() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func TestUnmarshalTunnelOk(t *testing.T) {
 	jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
 	expected := Tunnel{
 		ID:          uuid.Nil,
 		Name:        "test",
 		CreatedAt:   time.Time{},
 		Connections: []Connection{},
 	}
 	actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
 	assert.NoError(t, err)
 	assert.Equal(t, &expected, actual)
 }
 func TestUnmarshalTunnelErr(t *testing.T) {
 	tests := []string{
 		`abc`,
 		`{"success": true, "result": abc}`,
 		`{"success": false, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
 	}
 	for i, test := range tests {
 		_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
 		assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
 	}
 }
 func TestUnmarshalConnections(t *testing.T) {
 	jsonBody := `{"success":true,"messages":[],"errors":[],"result":[{"id":"d4041254-91e3-4deb-bd94-b46e11680b1e","features":["ha-origin"],"version":"2021.2.5","arch":"darwin_amd64","conns":[{"colo_name":"LIS","id":"ac2286e5-c708-4588-a6a0-ba6b51940019","is_pending_reconnect":false,"origin_ip":"148.38.28.2","opened_at":"0001-01-01T00:00:00Z"}],"run_at":"0001-01-01T00:00:00Z"}]}`
 	expected := ActiveClient{
 		ID:       uuid.MustParse("d4041254-91e3-4deb-bd94-b46e11680b1e"),
 		Features: []string{"ha-origin"},
 		Version:  "2021.2.5",
 		Arch:     "darwin_amd64",
 		RunAt:    time.Time{},
 		Connections: []Connection{{
 			ID:                 uuid.MustParse("ac2286e5-c708-4588-a6a0-ba6b51940019"),
 			ColoName:           "LIS",
 			IsPendingReconnect: false,
 			OriginIP:           net.ParseIP("148.38.28.2"),
 			OpenedAt:           time.Time{},
 		}},
 	}
 	actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))
 	assert.NoError(t, err)
 	assert.Equal(t, []*ActiveClient{&expected}, actual)
 }
--- a/cfapi/virtual_network.go
+++ b/cfapi/virtual_network.go
@ -1,134 +0,0 @@
 package cfapi
 import (
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"path"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 type NewVirtualNetwork struct {
 	Name      string `json:"name"`
 	Comment   string `json:"comment"`
 	IsDefault bool   `json:"is_default_network"`
 }
 type VirtualNetwork struct {
 	ID        uuid.UUID `json:"id"`
 	Comment   string    `json:"comment"`
 	Name      string    `json:"name"`
 	IsDefault bool      `json:"is_default_network"`
 	CreatedAt time.Time `json:"created_at"`
 	DeletedAt time.Time `json:"deleted_at"`
 }
 type UpdateVirtualNetwork struct {
 	Name      *string `json:"name,omitempty"`
 	Comment   *string `json:"comment,omitempty"`
 	IsDefault *bool   `json:"is_default_network,omitempty"`
 }
 func (virtualNetwork VirtualNetwork) TableString() string {
 	deletedColumn := "-"
 	if !virtualNetwork.DeletedAt.IsZero() {
 		deletedColumn = virtualNetwork.DeletedAt.Format(time.RFC3339)
 	}
 	return fmt.Sprintf(
 		"%s\t%s\t%s\t%s\t%s\t%s\t",
 		virtualNetwork.ID,
 		virtualNetwork.Name,
 		strconv.FormatBool(virtualNetwork.IsDefault),
 		virtualNetwork.Comment,
 		virtualNetwork.CreatedAt.Format(time.RFC3339),
 		deletedColumn,
 	)
 }
 func (r *RESTClient) CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error) {
 	resp, err := r.sendRequest("POST", r.baseEndpoints.accountVnets, newVnet)
 	if err != nil {
 		return VirtualNetwork{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseVnet(resp.Body)
 	}
 	return VirtualNetwork{}, r.statusCodeToError("add virtual network", resp)
 }
 func (r *RESTClient) ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error) {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.RawQuery = filter.Encode()
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseListVnets(resp.Body)
 	}
 	return nil, r.statusCodeToError("list virtual networks", resp)
 }
 func (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID, force bool) error {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	queryParams := url.Values{}
 	if force {
 		queryParams.Set("force", strconv.FormatBool(force))
 	}
 	endpoint.RawQuery = queryParams.Encode()
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseVnet(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("delete virtual network", resp)
 }
 func (r *RESTClient) UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	resp, err := r.sendRequest("PATCH", endpoint, updates)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseVnet(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("update virtual network", resp)
 }
 func parseListVnets(body io.ReadCloser) ([]*VirtualNetwork, error) {
 	var vnets []*VirtualNetwork
 	err := parseResponse(body, &vnets)
 	return vnets, err
 }
 func parseVnet(body io.ReadCloser) (VirtualNetwork, error) {
 	var vnet VirtualNetwork
 	err := parseResponse(body, &vnet)
 	return vnet, err
 }
--- a/cfapi/virtual_network_filter.go
+++ b/cfapi/virtual_network_filter.go
@ -1,99 +0,0 @@
 package cfapi
 import (
 	"net/url"
 	"strconv"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 var (
 	filterVnetId = cli.StringFlag{
 		Name:  "id",
 		Usage: "List virtual networks with the given `ID`",
 	}
 	filterVnetByName = cli.StringFlag{
 		Name:  "name",
 		Usage: "List virtual networks with the given `NAME`",
 	}
 	filterDefaultVnet = cli.BoolFlag{
 		Name:  "is-default",
 		Usage: "If true, lists the virtual network that is the default one. If false, lists all non-default virtual networks for the account. If absent, all are included in the results regardless of their default status.",
 	}
 	filterDeletedVnet = cli.BoolFlag{
 		Name:  "show-deleted",
 		Usage: "If false (default), only show non-deleted virtual networks. If true, only show deleted virtual networks.",
 	}
 	VnetFilterFlags = []cli.Flag{
 		&filterVnetId,
 		&filterVnetByName,
 		&filterDefaultVnet,
 		&filterDeletedVnet,
 	}
 )
 // VnetFilter which virtual networks get queried.
 type VnetFilter struct {
 	queryParams url.Values
 }
 func NewVnetFilter() *VnetFilter {
 	return &VnetFilter{
 		queryParams: url.Values{},
 	}
 }
 func (f *VnetFilter) ById(vnetId uuid.UUID) {
 	f.queryParams.Set("id", vnetId.String())
 }
 func (f *VnetFilter) ByName(name string) {
 	f.queryParams.Set("name", name)
 }
 func (f *VnetFilter) ByDefaultStatus(isDefault bool) {
 	f.queryParams.Set("is_default", strconv.FormatBool(isDefault))
 }
 func (f *VnetFilter) WithDeleted(isDeleted bool) {
 	f.queryParams.Set("is_deleted", strconv.FormatBool(isDeleted))
 }
 func (f *VnetFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f VnetFilter) Encode() string {
 	return f.queryParams.Encode()
 }
 // NewFromCLI parses CLI flags to discover which filters should get applied to list virtual networks.
 func NewFromCLI(c *cli.Context) (*VnetFilter, error) {
 	f := NewVnetFilter()
 	if id := c.String("id"); id != "" {
 		vnetId, err := uuid.Parse(id)
 		if err != nil {
 			return nil, errors.Wrapf(err, "%s is not a valid virtual network ID", id)
 		}
 		f.ById(vnetId)
 	}
 	if name := c.String("name"); name != "" {
 		f.ByName(name)
 	}
 	if c.IsSet("is-default") {
 		f.ByDefaultStatus(c.Bool("is-default"))
 	}
 	f.WithDeleted(c.Bool("show-deleted"))
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		f.MaxFetchSize(uint(maxFetch))
 	}
 	return f, nil
 }
--- a/cfapi/virtual_network_test.go
+++ b/cfapi/virtual_network_test.go
@ -1,79 +0,0 @@
 package cfapi
 import (
 	"encoding/json"
 	"strings"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 )
 func TestVirtualNetworkJsonRoundtrip(t *testing.T) {
 	data := `{
 		"id":"74fce949-351b-4752-b261-81a56cfd3130",
 		"comment":"New York DC1",
 		"name":"us-east-1",
 		"is_default_network":true,
 		"created_at":"2021-11-26T14:40:02.600673Z",
 		"deleted_at":"2021-12-01T10:23:13.102645Z"
 	}`
 	var v VirtualNetwork
 	err := json.Unmarshal([]byte(data), &v)
 	require.NoError(t, err)
 	require.Equal(t, uuid.MustParse("74fce949-351b-4752-b261-81a56cfd3130"), v.ID)
 	require.Equal(t, "us-east-1", v.Name)
 	require.Equal(t, "New York DC1", v.Comment)
 	require.Equal(t, true, v.IsDefault)
 	bytes, err := json.Marshal(v)
 	require.NoError(t, err)
 	obtainedJson := string(bytes)
 	data = strings.Replace(data, "\t", "", -1)
 	data = strings.Replace(data, "\n", "", -1)
 	require.Equal(t, data, obtainedJson)
 }
 func TestMarshalNewVnet(t *testing.T) {
 	newVnet := NewVirtualNetwork{
 		Name:      "eu-west-1",
 		Comment:   "London office",
 		IsDefault: true,
 	}
 	serialized, err := json.Marshal(newVnet)
 	require.NoError(t, err)
 	require.True(t, strings.Contains(string(serialized), newVnet.Name))
 }
 func TestMarshalUpdateVnet(t *testing.T) {
 	newName := "bulgaria-1"
 	updates := UpdateVirtualNetwork{
 		Name: &newName,
 	}
 	// Test where receiver is struct
 	serialized, err := json.Marshal(updates)
 	require.NoError(t, err)
 	require.True(t, strings.Contains(string(serialized), newName))
 }
 func TestVnetTableString(t *testing.T) {
 	virtualNet := VirtualNetwork{
 		ID:        uuid.New(),
 		Name:      "us-east-1",
 		Comment:   "New York DC1",
 		IsDefault: true,
 		CreatedAt: time.Now(),
 		DeletedAt: time.Time{},
 	}
 	row := virtualNet.TableString()
 	require.True(t, strings.HasPrefix(row, virtualNet.ID.String()))
 	require.True(t, strings.Contains(row, virtualNet.Name))
 	require.True(t, strings.Contains(row, virtualNet.Comment))
 	require.True(t, strings.Contains(row, "true"))
 	require.True(t, strings.HasSuffix(row, "-\t"))
 }
--- a/cfio/copy.go
+++ b/cfio/copy.go
@ -1,27 +0,0 @@
 package cfio
 import (
 	"io"
 	"sync"
 )
 const defaultBufferSize = 16 * 1024
 var bufferPool = sync.Pool{
 	New: func() interface{} {
 		return make([]byte, defaultBufferSize)
 	},
 }
 func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
 	_, okWriteTo := src.(io.WriterTo)
 	_, okReadFrom := dst.(io.ReaderFrom)
 	var buffer []byte = nil
 	if !(okWriteTo || okReadFrom) {
 		buffer = bufferPool.Get().([]byte)
 		defer bufferPool.Put(buffer)
 	}
 	return io.CopyBuffer(dst, src, buffer)
 }
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,2 +1,278 @@
-# A valid cfsetup.yaml is required but we dont have any real config to specify
+pinned_go: &pinned_go go=1.15.7-1
-dummy_key: true
+pinned_go_fips: &pinned_go_fips go-fips=1.15.5-3
 build_dir: &build_dir /cfsetup_build
 default-flavor: buster
 stretch: &stretch
  build:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - make cloudflared
  build-deb:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
  publish-deb:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - fakeroot
      - rubygem-fpm
      - openssh-client
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - make publish-deb
  release-linux-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - make release
  github-release-linux-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - python3-setuptools
      - python3-pip
    pre-cache: &install_pygithub
      - pip3 install pygithub
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - make github-release
  release-linux-armv6:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - crossbuild-essential-armhf
      - gcc-arm-linux-gnueabihf
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm
      - export CC=arm-linux-gnueabihf-gcc
      - make release
  github-release-linux-armv6:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - crossbuild-essential-armhf
      - gcc-arm-linux-gnueabihf
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm
      - export CC=arm-linux-gnueabihf-gcc
      - make github-release
  release-linux-386:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-multilib
    post-cache:
      - export GOOS=linux
      - export GOARCH=386
      - make release
  github-release-linux-386:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-multilib
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - export GOOS=linux
      - export GOARCH=386
      - make github-release
  release-windows-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-mingw-w64
    post-cache:
      - export GOOS=windows
      - export GOARCH=amd64
      - export CC=x86_64-w64-mingw32-gcc
      - make release
  github-release-windows-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-mingw-w64
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - export GOOS=windows
      - export GOARCH=amd64
      - export CC=x86_64-w64-mingw32-gcc
      - make github-release
  release-windows-386:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-mingw-w64
    post-cache:
      - export GOOS=windows
      - export GOARCH=386
      - export CC=i686-w64-mingw32-gcc-win32
      - make release
  github-release-windows-386:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-mingw-w64
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - export GOOS=windows
      - export GOARCH=386
      - export CC=i686-w64-mingw32-gcc-win32
      - make github-release
  github-release-linux-arm64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - crossbuild-essential-armhf
      - g++-aarch64-linux-gnu
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export CC=aarch64-linux-gnu-gcc
      - make github-release
  github-release-macos-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - make github-mac-upload
  test:
    build_dir: *build_dir
    builddeps:
      - *pinned_go_fips
      - build-essential
      - gotest-to-teamcity
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      # cd to a non-module directory: https://github.com/golang/go/issues/24250
      - (cd / && go get github.com/BurntSushi/go-sumtype)
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  update-homebrew:
    builddeps:
      - openssh-client
      - s3cmd
    post-cache:
      - .teamcity/update-homebrew.sh
  github-message-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - python3-setuptools
      - python3-pip
    pre-cache: *install_pygithub
    post-cache:
      - make github-message
  build-junos:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3
      - genisoimage
      - jetez
    pre-cache:
      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
    post-cache:
      - export GOOS=freebsd
      - export GOARCH=amd64
      - make cloudflared-junos
  publish-junos:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3
      - genisoimage
      - jetez
      - s4cmd
    pre-cache:
      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
    post-cache:
      - export GOOS=freebsd
      - export GOARCH=amd64
      - make publish-cloudflared-junos
 buster: *stretch
 bullseye: *stretch
 centos-7:
  publish-rpm:
    build_dir: *build_dir
    builddeps: &el7_builddeps
      - https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    pre-cache:
      - yum install -y fakeroot
      - wget https://golang.org/dl/go1.15.7.linux-amd64.tar.gz -P /tmp/
      - tar -C /usr/local -xzf /tmp/go1.15.7.linux-amd64.tar.gz
    post-cache:
      - export PATH=$PATH:/usr/local/go/bin
      - export GOOS=linux
      - export GOARCH=amd64
      - make publish-rpm
  build-rpm:
    build_dir: *build_dir
    builddeps: *el7_builddeps
    pre-cache:
      - yum install -y fakeroot
      - wget https://golang.org/dl/go1.15.7.linux-amd64.tar.gz -P /tmp/
      - tar -C /usr/local -xzf /tmp/go1.15.7.linux-amd64.tar.gz
    post-cache:
      - export PATH=$PATH:/usr/local/go/bin
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-rpm
--- a/check-fips.sh
+++ b/check-fips.sh
@ -1,15 +0,0 @@
 # Pass the path to the executable to check for FIPS compliance
 exe=$1
 if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
    # Asserts that executable is using FIPS-compliant boringcrypto
    echo "${exe}: missing goboring symbols" >&2
    exit 1
 fi
 if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
    # Asserts that executable is using FIPS-only schemes
    echo "${exe}: missing fipsonly symbols" >&2
    exit 1
 fi
 echo "${exe} is FIPS-compliant"
--- a/client/config.go
+++ b/client/config.go
@ -1,74 +0,0 @@
 package client
 import (
 	"fmt"
 	"net"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 // Config captures the local client runtime configuration.
 type Config struct {
 	ConnectorID uuid.UUID
 	Version     string
 	Arch        string
 	featureSelector features.FeatureSelector
 }
 func NewConfig(version string, arch string, featureSelector features.FeatureSelector) (*Config, error) {
 	connectorID, err := uuid.NewRandom()
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate a connector UUID: %w", err)
 	}
 	return &Config{
 		ConnectorID:     connectorID,
 		Version:         version,
 		Arch:            arch,
 		featureSelector: featureSelector,
 	}, nil
 }
 // ConnectionOptionsSnapshot is a snapshot of the current client information used to initialize a connection.
 //
 // The FeatureSnapshot is the features that are available for this connection. At the client level they may
 // change, but they will not change within the scope of this struct.
 type ConnectionOptionsSnapshot struct {
 	client              pogs.ClientInfo
 	originLocalIP       net.IP
 	numPreviousAttempts uint8
 	FeatureSnapshot     features.FeatureSnapshot
 }
 func (c *Config) ConnectionOptionsSnapshot(originIP net.IP, previousAttempts uint8) *ConnectionOptionsSnapshot {
 	snapshot := c.featureSelector.Snapshot()
 	return &ConnectionOptionsSnapshot{
 		client: pogs.ClientInfo{
 			ClientID: c.ConnectorID[:],
 			Version:  c.Version,
 			Arch:     c.Arch,
 			Features: snapshot.FeaturesList,
 		},
 		originLocalIP:       originIP,
 		numPreviousAttempts: previousAttempts,
 		FeatureSnapshot:     snapshot,
 	}
 }
 func (c ConnectionOptionsSnapshot) ConnectionOptions() *pogs.ConnectionOptions {
 	return &pogs.ConnectionOptions{
 		Client:              c.client,
 		OriginLocalIP:       c.originLocalIP,
 		ReplaceExisting:     false,
 		CompressionQuality:  0,
 		NumPreviousAttempts: c.numPreviousAttempts,
 	}
 }
 func (c ConnectionOptionsSnapshot) LogFields(event *zerolog.Event) *zerolog.Event {
 	return event.Strs("features", c.client.Features)
 }
--- a/client/config_test.go
+++ b/client/config_test.go
@ -1,50 +0,0 @@
 package client
 import (
 	"net"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestGenerateConnectionOptions(t *testing.T) {
 	version := "1234"
 	arch := "linux_amd64"
 	originIP := net.ParseIP("192.168.1.1")
 	var previousAttempts uint8 = 4
 	config, err := NewConfig(version, arch, &mockFeatureSelector{})
 	require.NoError(t, err)
 	require.Equal(t, version, config.Version)
 	require.Equal(t, arch, config.Arch)
 	// Validate ConnectionOptionsSnapshot fields
 	connOptions := config.ConnectionOptionsSnapshot(originIP, previousAttempts)
 	require.Equal(t, version, connOptions.client.Version)
 	require.Equal(t, arch, connOptions.client.Arch)
 	require.Equal(t, config.ConnectorID[:], connOptions.client.ClientID)
 	// Vaidate snapshot feature fields against the connOptions generated
 	snapshot := config.featureSelector.Snapshot()
 	require.Equal(t, features.DatagramV3, snapshot.DatagramVersion)
 	require.Equal(t, features.DatagramV3, connOptions.FeatureSnapshot.DatagramVersion)
 	pogsConnOptions := connOptions.ConnectionOptions()
 	require.Equal(t, connOptions.client, pogsConnOptions.Client)
 	require.Equal(t, originIP, pogsConnOptions.OriginLocalIP)
 	require.False(t, pogsConnOptions.ReplaceExisting)
 	require.Equal(t, uint8(0), pogsConnOptions.CompressionQuality)
 	require.Equal(t, previousAttempts, pogsConnOptions.NumPreviousAttempts)
 }
 type mockFeatureSelector struct{}
 func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
 	return features.FeatureSnapshot{
 		PostQuantum:     features.PostQuantumPrefer,
 		DatagramVersion: features.DatagramV3,
 		FeaturesList:    []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
 	}
 }
--- a/cloudflared.wxs
+++ b/cloudflared.wxs
@ -1,64 +0,0 @@
 <?xml version="1.0"?>
 <?if $(var.Platform)="x64" ?>
    <?define Program_Files="ProgramFiles64Folder"?>
 <?else ?>
    <?define Program_Files="ProgramFilesFolder"?>
 <?endif ?>
 <?ifndef var.Version?>
    <?error Undefined Version variable?>
 <?endif ?>
 <?ifndef var.Path?>
    <?error Undefined Path variable?>
 <?endif ?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
    <Product Id="*"
        UpgradeCode="23f90fdd-9328-47ea-ab52-5380855a4b12"
        Name="cloudflared"
        Version="$(var.Version)"
        Manufacturer="cloudflare"
        Language="1033">
        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine" />
        <Media Id="1" Cabinet="product.cab" EmbedCab="yes" />
        <MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
        <Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
            <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED" />
            <UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
                Property="OLDERVERSIONBEINGUPGRADED" />
        </Upgrade>
        <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
        <Directory Id="TARGETDIR" Name="SourceDir">
            <!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
            <Directory Id="$(var.Program_Files)">
                <Directory Id="INSTALLDIR" Name="cloudflared">
                    <Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
                        <File Id="ApplicationFile0" Source="$(var.Path)" />
                    </Component>
                </Directory>
            </Directory>
            <Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
                <!--Set the cloudflared bin location to the Path Environment Variable-->
                <Environment Id="ENV0"
                    Name="PATH"
                    Value="[INSTALLDIR]"
                    Permanent="no"
                    Part="last"
                    Action="create"
                    System="yes" />
            </Component>
        </Directory>
        <Feature Id='Complete' Level='1'>
            <ComponentRef Id="ENVS" />
            <ComponentRef Id='ApplicationFiles' />
        </Feature>
    </Product>
 </Wix>
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -1,27 +1,22 @@
 package access
 import (
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
 	"github.com/cloudflare/cloudflared/h2mux"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/validation"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/validation"
 )
 const (
-	LogFieldHost               = "host"
+	LogFieldHost = "host"
 	cfAccessClientIDHeader     = "Cf-Access-Client-Id"
 	cfAccessClientSecretHeader = "Cf-Access-Client-Secret"
 )
 // StartForwarder starts a client side websocket forward
@ -34,24 +29,24 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	// get the headers from the config file and add to the request
 	headers := make(http.Header)
 	if forwarder.TokenClientID != "" {
-		headers.Set(cfAccessClientIDHeader, forwarder.TokenClientID)
+		headers.Set(h2mux.CFAccessClientIDHeader, forwarder.TokenClientID)
 	}
 	if forwarder.TokenSecret != "" {
-		headers.Set(cfAccessClientSecretHeader, forwarder.TokenSecret)
+		headers.Set(h2mux.CFAccessClientSecretHeader, forwarder.TokenSecret)
 	}
 	headers.Set("User-Agent", userAgent)
-	carrier.SetBastionDest(headers, forwarder.Destination)
+	if forwarder.Destination != "" {
 		headers.Add(h2mux.CFJumpDestinationHeader, forwarder.Destination)
 	}
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
 		IsFedramp: forwarder.IsFedramp,
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
-	wsConn := carrier.NewWSConnection(log)
+	wsConn := carrier.NewWSConnection(log, false)
 	log.Info().Str(LogFieldHost, validURL.Host).Msg("Start Websocket listener")
 	return carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)
@ -62,61 +57,37 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 // useful for proxying other protocols (like ssh) over websockets
 // (which you can put Access in front of)
 func ssh(c *cli.Context) error {
-	// If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process
+	log := logger.CreateSSHLoggerFromContext(c, logger.EnableTerminalLog)
 	outputTerminal := logger.DisableTerminalLog
 	if c.IsSet(sshURLFlag) {
 		outputTerminal = logger.EnableTerminalLog
 	}
 	log := logger.CreateSSHLoggerFromContext(c, outputTerminal)
 	// get the hostname from the cmdline and error out if its not provided
 	rawHostName := c.String(sshHostnameFlag)
-	url, err := parseURL(rawHostName)
+	hostname, err := validation.ValidateHostname(rawHostName)
-	if err != nil {
+	if err != nil || rawHostName == "" {
 		log.Err(err).Send()
 		return cli.ShowCommandHelp(c, "ssh")
 	}
 	originURL := ensureURLScheme(hostname)
 	// get the headers from the cmdline and add them
-	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
-		headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
+		headers.Set(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
-		headers.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
+		headers.Set(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
 	headers.Set("User-Agent", userAgent)
-	carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
+	destination := c.String(sshDestinationFlag)
 	if destination != "" {
 		headers.Add(h2mux.CFJumpDestinationHeader, destination)
 	}
 	options := &carrier.StartOptions{
-		OriginURL: url.String(),
+		OriginURL: originURL,
 		Headers:   headers,
 		Host:      url.Host,
 		IsFedramp: c.Bool(fedrampFlag),
 	}
 	if connectTo := c.String(sshConnectTo); connectTo != "" {
 		parts := strings.Split(connectTo, ":")
 		switch len(parts) {
 		case 1:
 			options.OriginURL = fmt.Sprintf("https://%s", parts[0])
 		case 2:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[0], parts[1])
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
 				InsecureSkipVerify: true, // #nosec G402
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
 		default:
 			return fmt.Errorf("invalid connection override: %s", connectTo)
 		}
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
-	wsConn := carrier.NewWSConnection(log)
+	wsConn := carrier.NewWSConnection(log, false)
 	if c.NArg() > 0 || c.IsSet(sshURLFlag) {
 		forwarder, err := config.ValidateUrl(c, true)
@ -124,6 +95,7 @@ func ssh(c *cli.Context) error {
 			log.Err(err).Msg("Error validating origin URL")
 			return errors.Wrap(err, "error validating origin URL")
 		}
 		log.Info().Str(LogFieldHost, forwarder.Host).Msg("Start Websocket listener")
 		err = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)
 		if err != nil {
@ -132,16 +104,16 @@ func ssh(c *cli.Context) error {
 		return err
 	}
-	var s io.ReadWriter
+	return carrier.StartClient(wsConn, &carrier.StdinoutStream{}, options)
-	s = &carrier.StdinoutStream{}
+}
-	if c.IsSet(sshDebugStream) {
+
-		maxMessages := c.Uint64(sshDebugStream)
+func buildRequestHeaders(values []string) http.Header {
-		if maxMessages == 0 {
+	headers := make(http.Header)
-			// default to 10 if provided but unset
+	for _, valuePair := range values {
-			maxMessages = 10
+		split := strings.Split(valuePair, ":")
-		}
+		if len(split) > 1 {
-		logger := log.With().Str("host", url.Host).Logger()
+			headers.Add(strings.TrimSpace(split[0]), strings.TrimSpace(split[1]))
-		s = stream.NewDebugStream(s, &logger, maxMessages)
+		}
-	}
+	}
-	return carrier.StartClient(wsConn, s, options)
+	return headers
 }
--- a/cmd/cloudflared/access/carrier_test.go
+++ b/cmd/cloudflared/access/carrier_test.go
@ -0,0 +1,18 @@
 package access
 import (
 	"net/http"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestBuildRequestHeaders(t *testing.T) {
 	headers := make(http.Header)
 	headers.Add("client", "value")
 	headers.Add("secret", "safe-value")
 	values := buildRequestHeaders([]string{"client: value", "secret: safe-value", "trash"})
 	assert.Equal(t, headers.Get("client"), values.Get("client"))
 	assert.Equal(t, headers.Get("secret"), values.Get("secret"))
 }
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -2,33 +2,30 @@ package access
 import (
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
 	"strings"
 	"text/template"
 	"time"
-	"github.com/getsentry/sentry-go"
+	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
 	"github.com/cloudflare/cloudflared/h2mux"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/sshgen"
 	"github.com/cloudflare/cloudflared/validation"
 	"github.com/getsentry/raven-go"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"golang.org/x/net/idna"
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/sshgen"
 	"github.com/cloudflare/cloudflared/token"
 	"github.com/cloudflare/cloudflared/validation"
 )
 const (
 	appURLFlag         = "app"
 	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
 	sshURLFlag         = "url"
@ -36,35 +33,33 @@ const (
 	sshTokenIDFlag     = "service-token-id"
 	sshTokenSecretFlag = "service-token-secret"
 	sshGenCertFlag     = "short-lived-cert"
 	sshConnectTo       = "connect-to"
 	sshDebugStream     = "debug-stream"
 	sshConfigTemplate  = `
 Add to your {{.Home}}/.ssh/config:
 {{- if .ShortLivedCerts}}
 Match host {{.Hostname}} exec "{{.Cloudflared}} access ssh-gen --hostname %h"
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
 {{- else}}
 Host {{.Hostname}}
 {{- if .ShortLivedCerts}}
  ProxyCommand bash -c '{{.Cloudflared}} access ssh-gen --hostname %h; ssh -tt %r@cfpipe-{{.Hostname}} >&2 <&1' 
 Host cfpipe-{{.Hostname}}
  HostName {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
  IdentityFile ~/.cloudflared/{{.Hostname}}-cf_key
  CertificateFile ~/.cloudflared/{{.Hostname}}-cf_key-cert.pub
 {{- else}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
 	fedrampFlag = "fedramp"
 )
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
 var (
-	shutdownC chan struct{}
+	shutdownC      chan struct{}
 	userAgent = "DEV"
 )
 // Init will initialize and store vars from the main program
-func Init(shutdown chan struct{}, version string) {
+func Init(shutdown chan struct{}) {
 	shutdownC = shutdown
 	userAgent = fmt.Sprintf("cloudflared/%s", version)
 }
 // Flags return the global flags for Access related commands (hopefully none)
@ -80,47 +75,30 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
-			Flags: []cli.Flag{&cli.BoolFlag{
+			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access 
-				Name:  fedrampFlag,
+			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are 
-				Usage: "use when performing operations in fedramp account",
+			able to reach sensitive resources. The commands provided here allow you to interact with Access protected 
 			}},
 			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
 			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
 			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
 			applications from the command line.`,
 			Subcommands: []*cli.Command{
 				{
-					Name:      "login",
+					Name:   "login",
-					Action:    cliutil.Action(login),
+					Action: cliutil.ErrorHandler(login),
-					Usage:     "login <url of access application>",
+					Usage:  "login <url of access application>",
 					ArgsUsage: "url of Access application",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
-					scoped to your identity, the application you intend to reach, and valid for a session duration set by your
+					scoped to your identity, the application you intend to reach, and valid for a session duration set by your 
 					administrator. cloudflared stores the token in local storage.`,
 					Flags: []cli.Flag{
 						&cli.BoolFlag{
 							Name:    loginQuietFlag,
 							Aliases: []string{"q"},
 							Usage:   "do not print the jwt to the command line",
 						},
 						&cli.BoolFlag{
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.BoolFlag{
 							Name:  "auto-close",
 							Usage: "automatically close the auth interstitial after action",
 						},
 						&cli.StringFlag{
-							Name: appURLFlag,
+							Name:   "url",
 							Hidden: true,
 						},
 					},
 				},
 				{
 					Name:   "curl",
-					Action: cliutil.Action(curl),
+					Action: cliutil.ErrorHandler(curl),
 					Usage:  "curl [--allow-request, -ar] <url> [<curl args>...]",
 					Description: `The curl subcommand wraps curl and automatically injects the JWT into a cf-access-token
 					header when using curl to reach an application behind Access.`,
@ -129,19 +107,19 @@ func Commands() []*cli.Command {
 				},
 				{
 					Name:        "token",
-					Action:      cliutil.Action(generateToken),
+					Action:      cliutil.ErrorHandler(generateToken),
-					Usage:       "token <url of access application>",
+					Usage:       "token -app=<url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: appURLFlag,
+							Name: "app",
 						},
 					},
 				},
 				{
 					Name:        "tcp",
-					Action:      cliutil.Action(ssh),
+					Action:      cliutil.ErrorHandler(ssh),
 					Aliases:     []string{"rdp", "ssh", "smb"},
 					Usage:       "",
 					ArgsUsage:   "",
@ -151,18 +129,15 @@ func Commands() []*cli.Command {
 							Name:    sshHostnameFlag,
 							Aliases: []string{"tunnel-host", "T"},
 							Usage:   "specify the hostname of your application.",
 							EnvVars: []string{"TUNNEL_SERVICE_HOSTNAME"},
 						},
 						&cli.StringFlag{
-							Name:    sshDestinationFlag,
+							Name:  sshDestinationFlag,
-							Usage:   "specify the destination address of your SSH server.",
+							Usage: "specify the destination address of your SSH server.",
 							EnvVars: []string{"TUNNEL_SERVICE_DESTINATION"},
 						},
 						&cli.StringFlag{
 							Name:    sshURLFlag,
 							Aliases: []string{"listener", "L"},
 							Usage:   "specify the host:port to forward data to Cloudflare edge.",
 							EnvVars: []string{"TUNNEL_SERVICE_URL"},
 						},
 						&cli.StringSliceFlag{
 							Name:    sshHeaderFlag,
@ -173,42 +148,27 @@ func Commands() []*cli.Command {
 							Name:    sshTokenIDFlag,
 							Aliases: []string{"id"},
 							Usage:   "specify an Access service token ID you wish to use.",
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_ID"},
 						},
 						&cli.StringFlag{
 							Name:    sshTokenSecretFlag,
 							Aliases: []string{"secret"},
 							Usage:   "specify an Access service token secret you wish to use.",
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
-							Name:  cfdflags.LogFile,
+							Name:    logger.LogSSHDirectoryFlag,
-							Usage: "Save application log to this file for reporting issues.",
+							Aliases: []string{"logfile"}, //added to match the tunnel side
 							Usage:   "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:  cfdflags.LogDirectory,
+							Name:    logger.LogSSHLevelFlag,
 							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
 							Name:    cfdflags.LogLevelSSH,
 							Aliases: []string{"loglevel"}, //added to match the tunnel side
-							Usage:   "Application logging level {debug, info, warn, error, fatal}. ",
+							Usage:   "Application logging level {fatal, error, info, debug}. ",
 						},
 						&cli.StringFlag{
 							Name:   sshConnectTo,
 							Hidden: true,
 							Usage:  "Connect to alternate location for testing, value is host, host:port, or sni:port:host",
 						},
 						&cli.Uint64Flag{
 							Name:   sshDebugStream,
 							Hidden: true,
 							Usage:  "Writes up-to the max provided stream payloads to the logger as debug statements.",
 						},
 					},
 				},
 				{
 					Name:        "ssh-config",
-					Action:      cliutil.Action(sshConfig),
+					Action:      cliutil.ErrorHandler(sshConfig),
 					Usage:       "",
 					Description: `Prints an example configuration ~/.ssh/config`,
 					Flags: []cli.Flag{
@ -224,7 +184,7 @@ func Commands() []*cli.Command {
 				},
 				{
 					Name:        "ssh-gen",
-					Action:      cliutil.Action(sshGen),
+					Action:      cliutil.ErrorHandler(sshGen),
 					Usage:       "",
 					Description: `Generates a short lived certificate for given hostname`,
 					Flags: []cli.Flag{
@ -241,33 +201,25 @@ func Commands() []*cli.Command {
 // login pops up the browser window to do the actual login and JWT generation
 func login(c *cli.Context) error {
-	err := sentry.Init(sentry.ClientOptions{
+	if err := raven.SetDSN(sentryDSN); err != nil {
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
-	appURL, err := getAppURLFromArgs(c)
+	args := c.Args()
-	if err != nil {
+	rawURL := ensureURLScheme(args.First())
 	appURL, err := url.Parse(rawURL)
 	if args.Len() < 1 || err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
-
+	if err := verifyTokenAtEdge(appURL, c, log); err != nil {
 	appInfo, err := token.GetAppInfo(appURL)
 	if err != nil {
 		return err
 	}
 	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
 		log.Err(err).Msg("Could not verify token")
 		return err
 	}
-	cfdToken, err := token.GetAppTokenIfExists(appInfo)
+	cfdToken, err := token.GetAppTokenIfExists(appURL)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, "Unable to find token for provided application.")
 		return err
@ -275,29 +227,24 @@ func login(c *cli.Context) error {
 		fmt.Fprintln(os.Stderr, "token for provided application was empty.")
 		return errors.New("empty application token")
 	}
-
+	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	if c.Bool(loginQuietFlag) {
 		return nil
 	}
 	// Chatty by default for backward compat. The new --app flag
 	// is an implicit opt-out of the backwards-compatible chatty output.
 	if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
 		fmt.Fprint(os.Stdout, cfdToken)
 	} else {
 		fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	}
 	return nil
 }
 // ensureURLScheme prepends a URL with https:// if it doesnt have a scheme. http:// URLs will not be converted.
 func ensureURLScheme(url string) string {
 	url = strings.Replace(strings.ToLower(url), "http://", "https://", 1)
 	if !strings.HasPrefix(url, "https://") {
 		url = fmt.Sprintf("https://%s", url)
 	}
 	return url
 }
 // curl provides a wrapper around curl, passing Access JWT along in request
 func curl(c *cli.Context) error {
-	err := sentry.Init(sentry.ClientOptions{
+	if err := raven.SetDSN(sentryDSN); err != nil {
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
@ -314,24 +261,13 @@ func curl(c *cli.Context) error {
 		return err
 	}
-	appInfo, err := token.GetAppInfo(appURL)
+	tok, err := token.GetAppTokenIfExists(appURL)
 	if err != nil {
 		return err
 	}
 	// Verify that the existing token is still good; if not fetch a new one
 	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
 		log.Err(err).Msg("Could not verify token")
 		return err
 	}
 	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
 		if allowRequest {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
-			return run("curl", cmdArgs...)
+			return shell.Run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
+		tok, err = token.FetchToken(appURL, log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@ -339,63 +275,21 @@ func curl(c *cli.Context) error {
 	}
 	cmdArgs = append(cmdArgs, "-H")
-	cmdArgs = append(cmdArgs, fmt.Sprintf("%s: %s", carrier.CFAccessTokenHeader, tok))
+	cmdArgs = append(cmdArgs, fmt.Sprintf("%s: %s", h2mux.CFAccessTokenHeader, tok))
-	return run("curl", cmdArgs...)
+	return shell.Run("curl", cmdArgs...)
 }
 // run kicks off a shell task and pipe the results to the respective std pipes
 func run(cmd string, args ...string) error {
 	c := exec.Command(cmd, args...)
 	c.Stdin = os.Stdin
 	stderr, err := c.StderrPipe()
 	if err != nil {
 		return err
 	}
 	go func() {
 		_, _ = io.Copy(os.Stderr, stderr)
 	}()
 	stdout, err := c.StdoutPipe()
 	if err != nil {
 		return err
 	}
 	go func() {
 		_, _ = io.Copy(os.Stdout, stdout)
 	}()
 	return c.Run()
 }
 func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
 	var appURLStr string
 	args := c.Args()
 	if args.Len() < 1 {
 		appURLStr = c.String(appURLFlag)
 	} else {
 		appURLStr = args.First()
 	}
 	return parseURL(appURLStr)
 }
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
-	err := sentry.Init(sentry.ClientOptions{
+	if err := raven.SetDSN(sentryDSN); err != nil {
 		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
-	appURL, err := getAppURLFromArgs(c)
+	appURL, err := url.Parse(c.String("app"))
-	if err != nil {
+	if err != nil || c.NumFlags() < 1 {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
-
+	tok, err := token.GetAppTokenIfExists(appURL)
 	appInfo, err := token.GetAppInfo(appURL)
 	if err != nil {
 		return err
 	}
 	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
 		fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run login command to generate token.")
 		return err
@ -438,7 +332,7 @@ func sshGen(c *cli.Context) error {
 		return cli.ShowCommandHelp(c, "ssh-gen")
 	}
-	originURL, err := parseURL(hostname)
+	originURL, err := url.Parse(ensureURLScheme(hostname))
 	if err != nil {
 		return err
 	}
@ -446,12 +340,7 @@ func sshGen(c *cli.Context) error {
 	// this fetchToken function mutates the appURL param. We should refactor that
 	fetchTokenURL := &url.URL{}
 	*fetchTokenURL = *originURL
-
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, log)
 	appInfo, err := token.GetAppInfo(fetchTokenURL)
 	if err != nil {
 		return err
 	}
 	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log)
 	if err != nil {
 		return err
 	}
@ -463,7 +352,7 @@ func sshGen(c *cli.Context) error {
 	return nil
 }
-// getAppURL will pull the request URL needed for fetching a user's Access token
+// getAppURL will pull the appURL needed for fetching a user's Access token
 func getAppURL(cmdArgs []string, log *zerolog.Logger) (*url.URL, error) {
 	if len(cmdArgs) < 1 {
 		log.Error().Msg("Please provide a valid URL as the first argument to curl.")
@ -517,11 +406,6 @@ func processURL(s string) (*url.URL, error) {
 // cloudflaredPath pulls the full path of cloudflared on disk
 func cloudflaredPath() string {
 	path, err := os.Executable()
 	if err == nil && isFileThere(path) {
 		return path
 	}
 	for _, p := range strings.Split(os.Getenv("PATH"), ":") {
 		path := fmt.Sprintf("%s/%s", p, "cloudflared")
 		if isFileThere(path) {
@ -541,17 +425,17 @@ func isFileThere(candidate string) bool {
 }
 // verifyTokenAtEdge checks for a token on disk, or generates a new one.
-// Then makes a request to the origin with the token to ensure it is valid.
+// Then makes a request to to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
-func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
+func verifyTokenAtEdge(appUrl *url.URL, c *cli.Context, log *zerolog.Logger) error {
-	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
-		headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
+		headers.Add(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
-		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
+		headers.Add(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)}
+	options := &carrier.StartOptions{OriginURL: appUrl.String(), Headers: headers}
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
@ -559,7 +443,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
 		return nil
 	}
-	if err := token.RemoveTokenIfExists(appInfo); err != nil {
+	if err := token.RemoveTokenIfExists(appUrl); err != nil {
 		return err
 	}
@ -578,11 +462,6 @@ func isTokenValid(options *carrier.StartOptions, log *zerolog.Logger) (bool, err
 	if err != nil {
 		return false, errors.Wrap(err, "Could not create access request")
 	}
 	req.Header.Set("User-Agent", userAgent)
 	query := req.URL.Query()
 	query.Set("cloudflared_token_check", "true")
 	req.URL.RawQuery = query.Encode()
 	// Do not follow redirects
 	client := &http.Client{
--- a/cmd/cloudflared/access/cmd_test.go
+++ b/cmd/cloudflared/access/cmd_test.go
@ -0,0 +1,25 @@
 package access
 import "testing"
 func Test_ensureURLScheme(t *testing.T) {
 	type args struct {
 		url string
 	}
 	tests := []struct {
 		name string
 		args args
 		want string
 	}{
 		{"no scheme", args{"localhost:123"}, "https://localhost:123"},
 		{"http scheme", args{"http://test"}, "https://test"},
 		{"https scheme", args{"https://test"}, "https://test"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := ensureURLScheme(tt.args.url); got != tt.want {
 				t.Errorf("ensureURLScheme() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
--- a/cmd/cloudflared/access/validation.go
+++ b/cmd/cloudflared/access/validation.go
@ -1,55 +0,0 @@
 package access
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"golang.org/x/net/http/httpguts"
 )
 // parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
 // a http.Header object.
 func parseRequestHeaders(values []string) http.Header {
 	headers := make(http.Header)
 	for _, valuePair := range values {
 		header, value, found := strings.Cut(valuePair, ":")
 		if found {
 			headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
 		}
 	}
 	return headers
 }
 // parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
 // certain expectations from the URL.
 // Will convert all HTTP URLs to HTTPS
 func parseURL(input string) (*url.URL, error) {
 	if input == "" {
 		return nil, errors.New("no input provided")
 	}
 	if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
 		input = fmt.Sprintf("https://%s", input)
 	}
 	url, err := url.ParseRequestURI(input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse as URL: %w", err)
 	}
 	if url.Scheme != "https" {
 		url.Scheme = "https"
 	}
 	if url.Host == "" {
 		return nil, errors.New("failed to parse Host")
 	}
 	host, err := httpguts.PunycodeHostPort(url.Host)
 	if err != nil || host == "" {
 		return nil, err
 	}
 	if !httpguts.ValidHostHeader(host) {
 		return nil, errors.New("invalid Host provided")
 	}
 	url.Host = host
 	return url, nil
 }
--- a/cmd/cloudflared/access/validation_test.go
+++ b/cmd/cloudflared/access/validation_test.go
@ -1,80 +0,0 @@
 package access
 import (
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestParseRequestHeaders(t *testing.T) {
 	values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
 	assert.Len(t, values, 3)
 	assert.Equal(t, "value", values.Get("client"))
 	assert.Equal(t, "safe-value", values.Get("secret"))
 	assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
 }
 func TestParseURL(t *testing.T) {
 	schemes := []string{
 		"http://",
 		"https://",
 		"",
 	}
 	hosts := []struct {
 		input    string
 		expected string
 	}{
 		{"localhost", "localhost"},
 		{"127.0.0.1", "127.0.0.1"},
 		{"127.0.0.1:9090", "127.0.0.1:9090"},
 		{"::1", "::1"},
 		{"::1:8080", "::1:8080"},
 		{"[::1]", "[::1]"},
 		{"[::1]:8080", "[::1]:8080"},
 		{":8080", ":8080"},
 		{"example.com", "example.com"},
 		{"hello.example.com", "hello.example.com"},
 		{"bücher.example.com", "xn--bcher-kva.example.com"},
 	}
 	paths := []string{
 		"",
 		"/test",
 		"/example.com?qwe=123",
 	}
 	for i, scheme := range schemes {
 		for j, host := range hosts {
 			for k, path := range paths {
 				t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
 					input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
 					expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
 					url, err := parseURL(input)
 					assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
 					assert.Equal(t, expected, url.String())
 					assert.Equal(t, host.expected, url.Host)
 					assert.Equal(t, "https", url.Scheme)
 				})
 			}
 		}
 	}
 	t.Run("no input", func(t *testing.T) {
 		_, err := parseURL("")
 		assert.ErrorContains(t, err, "no input provided")
 	})
 	t.Run("missing host", func(t *testing.T) {
 		_, err := parseURL("https:///host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid path only", func(t *testing.T) {
 		_, err := parseURL("/host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid parse URL", func(t *testing.T) {
 		_, err := parseURL("https://host\\host")
 		assert.ErrorContains(t, err, "failed to parse as URL")
 	})
 }
--- a/cmd/cloudflared/app_forward_service.go
+++ b/cmd/cloudflared/app_forward_service.go
@ -1,10 +1,10 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
-	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
 	"github.com/rs/zerolog"
 )
 // ForwardServiceType is used to identify what kind of overwatch service this is
--- a/cmd/cloudflared/app_resolver_service.go
+++ b/cmd/cloudflared/app_resolver_service.go
@ -1,10 +1,10 @@
 package main
 import (
-	"github.com/rs/zerolog"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/tunneldns"
 	"github.com/rs/zerolog"
 )
 const (
--- a/cmd/cloudflared/app_service.go
+++ b/cmd/cloudflared/app_service.go
@ -1,10 +1,10 @@
 package main
 import (
-	"github.com/rs/zerolog"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/overwatch"
 	"github.com/rs/zerolog"
 )
 // AppService is the main service that runs when no command lines flags are passed to cloudflared
--- a/cmd/cloudflared/buildinfo/build_info.go
+++ b/cmd/cloudflared/buildinfo/build_info.go
@ -0,0 +1,27 @@
 package buildinfo
 import (
 	"github.com/rs/zerolog"
 	"runtime"
 )
 type BuildInfo struct {
 	GoOS               string `json:"go_os"`
 	GoVersion          string `json:"go_version"`
 	GoArch             string `json:"go_arch"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 }
 func GetBuildInfo(cloudflaredVersion string) *BuildInfo {
 	return &BuildInfo{
 		GoOS:               runtime.GOOS,
 		GoVersion:          runtime.Version(),
 		GoArch:             runtime.GOARCH,
 		CloudflaredVersion: cloudflaredVersion,
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
 	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
 	log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
 }
--- a/cmd/cloudflared/cliutil/build_info.go
+++ b/cmd/cloudflared/cliutil/build_info.go
@ -1,83 +0,0 @@
 package cliutil
 import (
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"github.com/rs/zerolog"
 )
 type BuildInfo struct {
 	GoOS               string `json:"go_os"`
 	GoVersion          string `json:"go_version"`
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 	Checksum           string `json:"checksum"`
 }
 func GetBuildInfo(buildType, version string) *BuildInfo {
 	return &BuildInfo{
 		GoOS:               runtime.GOOS,
 		GoVersion:          runtime.Version(),
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
 		Checksum:           currentBinaryChecksum(),
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
 	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
 	log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
 }
 func (bi *BuildInfo) OSArch() string {
 	return fmt.Sprintf("%s_%s", bi.GoOS, bi.GoArch)
 }
 func (bi *BuildInfo) Version() string {
 	return bi.CloudflaredVersion
 }
 func (bi *BuildInfo) GetBuildTypeMsg() string {
 	if bi.BuildType == "" {
 		return ""
 	}
 	return fmt.Sprintf(" with %s", bi.BuildType)
 }
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
 // FileChecksum opens a file and returns the SHA256 checksum.
 func FileChecksum(filePath string) (string, error) {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return "", err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 func currentBinaryChecksum() string {
 	currentPath, err := os.Executable()
 	if err != nil {
 		return ""
 	}
 	sum, _ := FileChecksum(currentPath)
 	return sum
 }
--- a/cmd/cloudflared/cliutil/deprecated.go
+++ b/cmd/cloudflared/cliutil/deprecated.go
@ -9,13 +9,13 @@ import (
 func RemovedCommand(name string) *cli.Command {
 	return &cli.Command{
 		Name: name,
-		Action: func(context *cli.Context) error {
+		Action: ErrorHandler(func(context *cli.Context) error {
 			return cli.Exit(
-				fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Cloudflare Tunnel documentation for possible alternative solutions.", name),
+				fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Argo Tunnel documentation for possible alternative solutions.", name),
 				-1,
 			)
-		},
+		}),
 		Description: fmt.Sprintf("%s is deprecated", name),
-		Hidden:      true,
+		Hidden: true,
 	}
 }
--- a/cmd/cloudflared/cliutil/errors.go
+++ b/cmd/cloudflared/cliutil/errors.go
@ -2,7 +2,6 @@ package cliutil
 import (
 	"fmt"
 	"github.com/urfave/cli/v2"
 )
@ -22,7 +21,7 @@ func UsageError(format string, args ...interface{}) error {
 }
 // Ensures exit with error code if actionFunc returns an error
-func WithErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {
+func ErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {
 	return func(ctx *cli.Context) error {
 		err := actionFunc(ctx)
 		if err != nil {
--- a/cmd/cloudflared/cliutil/handler.go
+++ b/cmd/cloudflared/cliutil/handler.go
@ -1,50 +0,0 @@
 package cliutil
 import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
 func Action(actionFunc cli.ActionFunc) cli.ActionFunc {
 	return WithErrorHandler(actionFunc)
 }
 func ConfiguredAction(actionFunc cli.ActionFunc) cli.ActionFunc {
 	// Adapt actionFunc to the type signature required by ConfiguredActionWithWarnings
 	f := func(context *cli.Context, _ string) error {
 		return actionFunc(context)
 	}
 	return ConfiguredActionWithWarnings(f)
 }
 // Just like ConfiguredAction, but accepts a second parameter with configuration warnings.
 func ConfiguredActionWithWarnings(actionFunc func(*cli.Context, string) error) cli.ActionFunc {
 	return WithErrorHandler(func(c *cli.Context) error {
 		warnings, err := setFlagsFromConfigFile(c)
 		if err != nil {
 			return err
 		}
 		return actionFunc(c, warnings)
 	})
 }
 func setFlagsFromConfigFile(c *cli.Context) (configWarnings string, err error) {
 	const errorExitCode = 1
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	inputSource, warnings, err := config.ReadConfigFile(c, log)
 	if err != nil {
 		if err == config.ErrNoConfigFile {
 			return "", nil
 		}
 		return "", cli.Exit(err, errorExitCode)
 	}
 	if err := altsrc.ApplyInputSource(c, inputSource); err != nil {
 		return "", cli.Exit(err, errorExitCode)
 	}
 	return warnings, nil
 }
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -1,59 +0,0 @@
 package cliutil
 import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 	FlagLogOutput = &cli.StringFlag{
 		Name:    flags.LogFormatOutput,
 		Usage:   "Output format for the logs (default, json)",
 		Value:   flags.LogFormatOutputValueDefault,
 		EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT", "TUNNEL_LOG_OUTPUT"},
 	}
 )
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    flags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    flags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
 			EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    flags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    flags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    flags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 		FlagLogOutput,
 	}
 }
--- a/cmd/cloudflared/common_service.go
+++ b/cmd/cloudflared/common_service.go
@ -1,30 +0,0 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 )
 func buildArgsForToken(c *cli.Context, log *zerolog.Logger) ([]string, error) {
 	token := c.Args().First()
 	if _, err := tunnel.ParseToken(token); err != nil {
 		return nil, cliutil.UsageError("Provided tunnel token is not valid (%s).", err)
 	}
 	return []string{
 		"tunnel", "run", "--token", token,
 	}, nil
 }
 func getServiceExtraArgsFromCliArgs(c *cli.Context, log *zerolog.Logger) ([]string, error) {
 	if c.NArg() > 0 {
 		// currently, we only support extra args for token
 		return buildArgsForToken(c, log)
 	} else {
 		// empty extra args
 		return make([]string, 0), nil
 	}
 }
--- a/cmd/cloudflared/config/configuration.go
+++ b/cmd/cloudflared/config/configuration.go
@ -0,0 +1,375 @@
 package config
 import (
 	"fmt"
 	"io"
 	"net/url"
 	"os"
 	"path/filepath"
 	"runtime"
 	"time"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"gopkg.in/yaml.v2"
 	"github.com/cloudflare/cloudflared/validation"
 	"github.com/rs/zerolog"
 )
 var (
 	// DefaultConfigFiles is the file names from which we attempt to read configuration.
 	DefaultConfigFiles = []string{"config.yml", "config.yaml"}
 	// DefaultUnixConfigLocation is the primary location to find a config file
 	DefaultUnixConfigLocation = "/usr/local/etc/cloudflared"
 	// DefaultUnixLogLocation is the primary location to find log files
 	DefaultUnixLogLocation = "/var/log/cloudflared"
 	// Launchd doesn't set root env variables, so there is default
 	// Windows default config dir was ~/cloudflare-warp in documentation; let's keep it compatible
 	defaultUserConfigDirs = []string{"~/.cloudflared", "~/.cloudflare-warp", "~/cloudflare-warp"}
 	defaultNixConfigDirs  = []string{"/etc/cloudflared", DefaultUnixConfigLocation}
 	ErrNoConfigFile = fmt.Errorf("Cannot determine default configuration path. No file %v in %v", DefaultConfigFiles, DefaultConfigSearchDirectories())
 )
 const (
 	DefaultCredentialFile = "cert.pem"
 	// BastionFlag is to enable bastion, or jump host, operation
 	BastionFlag = "bastion"
 )
 // DefaultConfigDirectory returns the default directory of the config file
 func DefaultConfigDirectory() string {
 	if runtime.GOOS == "windows" {
 		path := os.Getenv("CFDPATH")
 		if path == "" {
 			path = filepath.Join(os.Getenv("ProgramFiles(x86)"), "cloudflared")
 			if _, err := os.Stat(path); os.IsNotExist(err) { //doesn't exist, so return an empty failure string
 				return ""
 			}
 		}
 		return path
 	}
 	return DefaultUnixConfigLocation
 }
 // DefaultLogDirectory returns the default directory for log files
 func DefaultLogDirectory() string {
 	if runtime.GOOS == "windows" {
 		return DefaultConfigDirectory()
 	}
 	return DefaultUnixLogLocation
 }
 // DefaultConfigPath returns the default location of a config file
 func DefaultConfigPath() string {
 	dir := DefaultConfigDirectory()
 	if dir == "" {
 		return DefaultConfigFiles[0]
 	}
 	return filepath.Join(dir, DefaultConfigFiles[0])
 }
 // DefaultConfigSearchDirectories returns the default folder locations of the config
 func DefaultConfigSearchDirectories() []string {
 	dirs := make([]string, len(defaultUserConfigDirs))
 	copy(dirs, defaultUserConfigDirs)
 	if runtime.GOOS != "windows" {
 		dirs = append(dirs, defaultNixConfigDirs...)
 	}
 	return dirs
 }
 // FileExists checks to see if a file exist at the provided path.
 func FileExists(path string) (bool, error) {
 	f, err := os.Open(path)
 	if err != nil {
 		if os.IsNotExist(err) {
 			// ignore missing files
 			return false, nil
 		}
 		return false, err
 	}
 	_ = f.Close()
 	return true, nil
 }
 // FindDefaultConfigPath returns the first path that contains a config file.
 // If none of the combination of DefaultConfigSearchDirectories() and DefaultConfigFiles
 // contains a config file, return empty string.
 func FindDefaultConfigPath() string {
 	for _, configDir := range DefaultConfigSearchDirectories() {
 		for _, configFile := range DefaultConfigFiles {
 			dirPath, err := homedir.Expand(configDir)
 			if err != nil {
 				continue
 			}
 			path := filepath.Join(dirPath, configFile)
 			if ok, _ := FileExists(path); ok {
 				return path
 			}
 		}
 	}
 	return ""
 }
 // FindOrCreateConfigPath returns the first path that contains a config file
 // or creates one in the primary default path if it doesn't exist
 func FindOrCreateConfigPath() string {
 	path := FindDefaultConfigPath()
 	if path == "" {
 		// create the default directory if it doesn't exist
 		path = DefaultConfigPath()
 		if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil {
 			return ""
 		}
 		// write a new config file out
 		file, err := os.Create(path)
 		if err != nil {
 			return ""
 		}
 		defer file.Close()
 		logDir := DefaultLogDirectory()
 		_ = os.MkdirAll(logDir, os.ModePerm) //try and create it. Doesn't matter if it succeed or not, only byproduct will be no logs
 		c := Root{
 			LogDirectory: logDir,
 		}
 		if err := yaml.NewEncoder(file).Encode(&c); err != nil {
 			return ""
 		}
 	}
 	return path
 }
 // ValidateUnixSocket ensures --unix-socket param is used exclusively
 // i.e. it fails if a user specifies both --url and --unix-socket
 func ValidateUnixSocket(c *cli.Context) (string, error) {
 	if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) {
 		return "", errors.New("--unix-socket must be used exclusivly.")
 	}
 	return c.String("unix-socket"), nil
 }
 // ValidateUrl will validate url flag correctness. It can be either from --url or argument
 // Notice ValidateUnixSocket, it will enforce --unix-socket is not used with --url or argument
 func ValidateUrl(c *cli.Context, allowURLFromArgs bool) (*url.URL, error) {
 	var url = c.String("url")
 	if allowURLFromArgs && c.NArg() > 0 {
 		if c.IsSet("url") {
 			return nil, errors.New("Specified origin urls using both --url and argument. Decide which one you want, I can only support one.")
 		}
 		url = c.Args().Get(0)
 	}
 	validUrl, err := validation.ValidateUrl(url)
 	return validUrl, err
 }
 type UnvalidatedIngressRule struct {
 	Hostname      string
 	Path          string
 	Service       string
 	OriginRequest OriginRequestConfig `yaml:"originRequest"`
 }
 // OriginRequestConfig is a set of optional fields that users may set to
 // customize how cloudflared sends requests to origin services. It is used to set
 // up general config that apply to all rules, and also, specific per-rule
 // config.
 // Note: To specify a time.Duration in go-yaml, use e.g. "3s" or "24h".
 type OriginRequestConfig struct {
 	// HTTP proxy timeout for establishing a new connection
 	ConnectTimeout *time.Duration `yaml:"connectTimeout"`
 	// HTTP proxy timeout for completing a TLS handshake
 	TLSTimeout *time.Duration `yaml:"tlsTimeout"`
 	// HTTP proxy TCP keepalive duration
 	TCPKeepAlive *time.Duration `yaml:"tcpKeepAlive"`
 	// HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback
 	NoHappyEyeballs *bool `yaml:"noHappyEyeballs"`
 	// HTTP proxy maximum keepalive connection pool size
 	KeepAliveConnections *int `yaml:"keepAliveConnections"`
 	// HTTP proxy timeout for closing an idle connection
 	KeepAliveTimeout *time.Duration `yaml:"keepAliveTimeout"`
 	// Sets the HTTP Host header for the local webserver.
 	HTTPHostHeader *string `yaml:"httpHostHeader"`
 	// Hostname on the origin server certificate.
 	OriginServerName *string `yaml:"originServerName"`
 	// Path to the CA for the certificate of your origin.
 	// This option should be used only if your certificate is not signed by Cloudflare.
 	CAPool *string `yaml:"caPool"`
 	// Disables TLS verification of the certificate presented by your origin.
 	// Will allow any certificate from the origin to be accepted.
 	// Note: The connection from your machine to Cloudflare's Edge is still encrypted.
 	NoTLSVerify *bool `yaml:"noTLSVerify"`
 	// Disables chunked transfer encoding.
 	// Useful if you are running a WSGI server.
 	DisableChunkedEncoding *bool `yaml:"disableChunkedEncoding"`
 	// Runs as jump host
 	BastionMode *bool `yaml:"bastionMode"`
 	// Listen address for the proxy.
 	ProxyAddress *string `yaml:"proxyAddress"`
 	// Listen port for the proxy.
 	ProxyPort *uint `yaml:"proxyPort"`
 	// Valid options are 'socks' or empty.
 	ProxyType *string `yaml:"proxyType"`
 }
 type Configuration struct {
 	TunnelID      string `yaml:"tunnel"`
 	Ingress       []UnvalidatedIngressRule
 	OriginRequest OriginRequestConfig `yaml:"originRequest"`
 	sourceFile    string
 }
 type configFileSettings struct {
 	Configuration `yaml:",inline"`
 	// older settings will be aggregated into the generic map, should be read via cli.Context
 	Settings map[string]interface{} `yaml:",inline"`
 }
 func (c *Configuration) Source() string {
 	return c.sourceFile
 }
 func (c *configFileSettings) Int(name string) (int, error) {
 	if raw, ok := c.Settings[name]; ok {
 		if v, ok := raw.(int); ok {
 			return v, nil
 		}
 		return 0, fmt.Errorf("expected int found %T for %s", raw, name)
 	}
 	return 0, nil
 }
 func (c *configFileSettings) Duration(name string) (time.Duration, error) {
 	if raw, ok := c.Settings[name]; ok {
 		switch v := raw.(type) {
 		case time.Duration:
 			return v, nil
 		case string:
 			return time.ParseDuration(v)
 		}
 		return 0, fmt.Errorf("expected duration found %T for %s", raw, name)
 	}
 	return 0, nil
 }
 func (c *configFileSettings) Float64(name string) (float64, error) {
 	if raw, ok := c.Settings[name]; ok {
 		if v, ok := raw.(float64); ok {
 			return v, nil
 		}
 		return 0, fmt.Errorf("expected float found %T for %s", raw, name)
 	}
 	return 0, nil
 }
 func (c *configFileSettings) String(name string) (string, error) {
 	if raw, ok := c.Settings[name]; ok {
 		if v, ok := raw.(string); ok {
 			return v, nil
 		}
 		return "", fmt.Errorf("expected string found %T for %s", raw, name)
 	}
 	return "", nil
 }
 func (c *configFileSettings) StringSlice(name string) ([]string, error) {
 	if raw, ok := c.Settings[name]; ok {
 		if slice, ok := raw.([]interface{}); ok {
 			strSlice := make([]string, len(slice))
 			for i, v := range slice {
 				str, ok := v.(string)
 				if !ok {
 					return nil, fmt.Errorf("expected string, found %T for %v", i, v)
 				}
 				strSlice[i] = str
 			}
 			return strSlice, nil
 		}
 		return nil, fmt.Errorf("expected string slice found %T for %s", raw, name)
 	}
 	return nil, nil
 }
 func (c *configFileSettings) IntSlice(name string) ([]int, error) {
 	if raw, ok := c.Settings[name]; ok {
 		if slice, ok := raw.([]interface{}); ok {
 			intSlice := make([]int, len(slice))
 			for i, v := range slice {
 				str, ok := v.(int)
 				if !ok {
 					return nil, fmt.Errorf("expected int, found %T for %v ", v, v)
 				}
 				intSlice[i] = str
 			}
 			return intSlice, nil
 		}
 		if v, ok := raw.([]int); ok {
 			return v, nil
 		}
 		return nil, fmt.Errorf("expected int slice found %T for %s", raw, name)
 	}
 	return nil, nil
 }
 func (c *configFileSettings) Generic(name string) (cli.Generic, error) {
 	return nil, errors.New("option type Generic not supported")
 }
 func (c *configFileSettings) Bool(name string) (bool, error) {
 	if raw, ok := c.Settings[name]; ok {
 		if v, ok := raw.(bool); ok {
 			return v, nil
 		}
 		return false, fmt.Errorf("expected boolean found %T for %s", raw, name)
 	}
 	return false, nil
 }
 var configuration configFileSettings
 func GetConfiguration() *Configuration {
 	return &configuration.Configuration
 }
 // ReadConfigFile returns InputSourceContext initialized from the configuration file.
 // On repeat calls returns with the same file, returns without reading the file again; however,
 // if value of "config" flag changes, will read the new config file
 func ReadConfigFile(c *cli.Context, log *zerolog.Logger) (*configFileSettings, error) {
 	configFile := c.String("config")
 	if configuration.Source() == configFile || configFile == "" {
 		if configuration.Source() == "" {
 			return nil, ErrNoConfigFile
 		}
 		return &configuration, nil
 	}
 	log.Debug().Msgf("Loading configuration from %s", configFile)
 	file, err := os.Open(configFile)
 	if err != nil {
 		if os.IsNotExist(err) {
 			err = ErrNoConfigFile
 		}
 		return nil, err
 	}
 	defer file.Close()
 	if err := yaml.NewDecoder(file).Decode(&configuration); err != nil {
 		if err == io.EOF {
 			log.Error().Msgf("Configuration file %s was empty", configFile)
 			return &configuration, nil
 		}
 		return nil, errors.Wrap(err, "error parsing YAML in config file at "+configFile)
 	}
 	configuration.sourceFile = configFile
 	return &configuration, nil
 }
--- a/cmd/cloudflared/config/configuration_test.go
+++ b/cmd/cloudflared/config/configuration_test.go
@ -0,0 +1,76 @@
 package config
 import (
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"gopkg.in/yaml.v2"
 )
 func TestConfigFileSettings(t *testing.T) {
 	var (
 		firstIngress = UnvalidatedIngressRule{
 			Hostname: "tunnel1.example.com",
 			Path:     "/id",
 			Service:  "https://localhost:8000",
 		}
 		secondIngress = UnvalidatedIngressRule{
 			Hostname: "*",
 			Path:     "",
 			Service:  "https://localhost:8001",
 		}
 	)
 	rawYAML := `
 tunnel: config-file-test
 ingress:
 - hostname: tunnel1.example.com
   path: /id
   service: https://localhost:8000
 - hostname: "*"
   service: https://localhost:8001
 retries: 5
 grace-period: 30s
 percentage: 3.14
 hostname: example.com
 tag:
 - test
 - central-1
 counters:
 - 123
 - 456
 `
 	var config configFileSettings
 	err := yaml.Unmarshal([]byte(rawYAML), &config)
 	assert.NoError(t, err)
 	assert.Equal(t, "config-file-test", config.TunnelID)
 	assert.Equal(t, firstIngress, config.Ingress[0])
 	assert.Equal(t, secondIngress, config.Ingress[1])
 	retries, err := config.Int("retries")
 	assert.NoError(t, err)
 	assert.Equal(t, 5, retries)
 	gracePeriod, err := config.Duration("grace-period")
 	assert.NoError(t, err)
 	assert.Equal(t, time.Second*30, gracePeriod)
 	percentage, err := config.Float64("percentage")
 	assert.NoError(t, err)
 	assert.Equal(t, 3.14, percentage)
 	hostname, err := config.String("hostname")
 	assert.NoError(t, err)
 	assert.Equal(t, "example.com", hostname)
 	tags, err := config.StringSlice("tag")
 	assert.NoError(t, err)
 	assert.Equal(t, "test", tags[0])
 	assert.Equal(t, "central-1", tags[1])
 	counters, err := config.IntSlice("counters")
 	assert.NoError(t, err)
 	assert.Equal(t, 123, counters[0])
 	assert.Equal(t, 456, counters[1])
 }
--- a/cmd/cloudflared/config/manager.go
+++ b/cmd/cloudflared/config/manager.go
@ -0,0 +1,112 @@
 package config
 import (
 	"io"
 	"os"
 	"github.com/cloudflare/cloudflared/watcher"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"gopkg.in/yaml.v2"
 )
 // Notifier sends out config updates
 type Notifier interface {
 	ConfigDidUpdate(Root)
 }
 // Manager is the base functions of the config manager
 type Manager interface {
 	Start(Notifier) error
 	Shutdown()
 }
 // FileManager watches the yaml config for changes
 // sends updates to the service to reconfigure to match the updated config
 type FileManager struct {
 	watcher    watcher.Notifier
 	notifier   Notifier
 	configPath string
 	log        *zerolog.Logger
 	ReadConfig func(string, *zerolog.Logger) (Root, error)
 }
 // NewFileManager creates a config manager
 func NewFileManager(watcher watcher.Notifier, configPath string, log *zerolog.Logger) (*FileManager, error) {
 	m := &FileManager{
 		watcher:    watcher,
 		configPath: configPath,
 		log:        log,
 		ReadConfig: readConfigFromPath,
 	}
 	err := watcher.Add(configPath)
 	return m, err
 }
 // Start starts the runloop to watch for config changes
 func (m *FileManager) Start(notifier Notifier) error {
 	m.notifier = notifier
 	// update the notifier with a fresh config on start
 	config, err := m.GetConfig()
 	if err != nil {
 		return err
 	}
 	notifier.ConfigDidUpdate(config)
 	m.watcher.Start(m)
 	return nil
 }
 // GetConfig reads the yaml file from the disk
 func (m *FileManager) GetConfig() (Root, error) {
 	return m.ReadConfig(m.configPath, m.log)
 }
 // Shutdown stops the watcher
 func (m *FileManager) Shutdown() {
 	m.watcher.Shutdown()
 }
 func readConfigFromPath(configPath string, log *zerolog.Logger) (Root, error) {
 	if configPath == "" {
 		return Root{}, errors.New("unable to find config file")
 	}
 	file, err := os.Open(configPath)
 	if err != nil {
 		return Root{}, err
 	}
 	defer file.Close()
 	var config Root
 	if err := yaml.NewDecoder(file).Decode(&config); err != nil {
 		if err == io.EOF {
 			log.Error().Msgf("Configuration file %s was empty", configPath)
 			return Root{}, nil
 		}
 		return Root{}, errors.Wrap(err, "error parsing YAML in config file at "+configPath)
 	}
 	return config, nil
 }
 // File change notifications from the watcher
 // WatcherItemDidChange triggers when the yaml config is updated
 // sends the updated config to the service to reload its state
 func (m *FileManager) WatcherItemDidChange(filepath string) {
 	config, err := m.GetConfig()
 	if err != nil {
 		m.log.Err(err).Msg("Failed to read new config")
 		return
 	}
 	m.log.Info().Msg("Config file has been updated")
 	m.notifier.ConfigDidUpdate(config)
 }
 // WatcherDidError notifies of errors with the file watcher
 func (m *FileManager) WatcherDidError(err error) {
 	m.log.Err(err).Msg("Config watcher encountered an error")
 }
--- a/cmd/cloudflared/config/manager_test.go
+++ b/cmd/cloudflared/config/manager_test.go
@ -0,0 +1,88 @@
 package config
 import (
 	"os"
 	"testing"
 	"github.com/cloudflare/cloudflared/watcher"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 )
 type mockNotifier struct {
 	configs []Root
 }
 func (n *mockNotifier) ConfigDidUpdate(c Root) {
 	n.configs = append(n.configs, c)
 }
 type mockFileWatcher struct {
 	path     string
 	notifier watcher.Notification
 	ready    chan struct{}
 }
 func (w *mockFileWatcher) Start(n watcher.Notification) {
 	w.notifier = n
 	w.ready <- struct{}{}
 }
 func (w *mockFileWatcher) Add(string) error {
 	return nil
 }
 func (w *mockFileWatcher) Shutdown() {
 }
 func (w *mockFileWatcher) TriggerChange() {
 	w.notifier.WatcherItemDidChange(w.path)
 }
 func TestConfigChanged(t *testing.T) {
 	filePath := "config.yaml"
 	f, err := os.Create(filePath)
 	assert.NoError(t, err)
 	defer func() {
 		_ = f.Close()
 		_ = os.Remove(filePath)
 	}()
 	c := &Root{
 		Forwarders: []Forwarder{
 			{
 				URL:      "test.daltoniam.com",
 				Listener: "127.0.0.1:8080",
 			},
 		},
 	}
 	configRead := func(configPath string, log *zerolog.Logger) (Root, error) {
 		return *c, nil
 	}
 	wait := make(chan struct{})
 	w := &mockFileWatcher{path: filePath, ready: wait}
 	log := zerolog.Nop()
 	service, err := NewFileManager(w, filePath, &log)
 	service.ReadConfig = configRead
 	assert.NoError(t, err)
 	n := &mockNotifier{}
 	go service.Start(n)
 	<-wait
 	c.Forwarders = append(c.Forwarders, Forwarder{URL: "add.daltoniam.com", Listener: "127.0.0.1:8081"})
 	w.TriggerChange()
 	service.Shutdown()
 	assert.Len(t, n.configs, 2, "did not get 2 config updates as expected")
 	assert.Len(t, n.configs[0].Forwarders, 1, "not the amount of forwarders expected")
 	assert.Len(t, n.configs[1].Forwarders, 2, "not the amount of forwarders expected")
 	assert.Equal(t, n.configs[0].Forwarders[0].Hash(), c.Forwarders[0].Hash(), "forwarder hashes don't match")
 	assert.Equal(t, n.configs[1].Forwarders[0].Hash(), c.Forwarders[0].Hash(), "forwarder hashes don't match")
 	assert.Equal(t, n.configs[1].Forwarders[1].Hash(), c.Forwarders[1].Hash(), "forwarder hashes don't match")
 }
--- a/cmd/cloudflared/config/model.go
+++ b/cmd/cloudflared/config/model.go
@ -0,0 +1,113 @@
 package config
 import (
 	"crypto/md5"
 	"fmt"
 	"io"
 	"strings"
 	"github.com/cloudflare/cloudflared/tunneldns"
 )
 // Forwarder represents a client side listener to forward traffic to the edge
 type Forwarder struct {
 	URL           string `json:"url"`
 	Listener      string `json:"listener"`
 	TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
 	TokenSecret   string `json:"secret_token_id" yaml:"serviceTokenSecret"`
 	Destination   string `json:"destination"`
 }
 // Tunnel represents a tunnel that should be started
 type Tunnel struct {
 	URL          string `json:"url"`
 	Origin       string `json:"origin"`
 	ProtocolType string `json:"type"`
 }
 // DNSResolver represents a client side DNS resolver
 type DNSResolver struct {
 	Enabled                bool     `json:"enabled"`
 	Address                string   `json:"address,omitempty"`
 	Port                   uint16   `json:"port,omitempty"`
 	Upstreams              []string `json:"upstreams,omitempty"`
 	Bootstraps             []string `json:"bootstraps,omitempty"`
 	MaxUpstreamConnections int      `json:"max_upstream_connections,omitempty"`
 }
 // Root is the base options to configure the service
 type Root struct {
 	LogDirectory string      `json:"log_directory" yaml:"logDirectory,omitempty"`
 	LogLevel     string      `json:"log_level" yaml:"logLevel,omitempty"`
 	Forwarders   []Forwarder `json:"forwarders,omitempty" yaml:"forwarders,omitempty"`
 	Tunnels      []Tunnel    `json:"tunnels,omitempty" yaml:"tunnels,omitempty"`
 	Resolver     DNSResolver `json:"resolver,omitempty" yaml:"resolver,omitempty"`
 }
 // Hash returns the computed values to see if the forwarder values change
 func (f *Forwarder) Hash() string {
 	h := md5.New()
 	io.WriteString(h, f.URL)
 	io.WriteString(h, f.Listener)
 	io.WriteString(h, f.TokenClientID)
 	io.WriteString(h, f.TokenSecret)
 	io.WriteString(h, f.Destination)
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 // Hash returns the computed values to see if the forwarder values change
 func (r *DNSResolver) Hash() string {
 	h := md5.New()
 	io.WriteString(h, r.Address)
 	io.WriteString(h, strings.Join(r.Bootstraps, ","))
 	io.WriteString(h, strings.Join(r.Upstreams, ","))
 	io.WriteString(h, fmt.Sprintf("%d", r.Port))
 	io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
 	io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
 	return fmt.Sprintf("%x", h.Sum(nil))
 }
 // EnabledOrDefault returns the enabled property
 func (r *DNSResolver) EnabledOrDefault() bool {
 	return r.Enabled
 }
 // AddressOrDefault returns the address or returns the default if empty
 func (r *DNSResolver) AddressOrDefault() string {
 	if r.Address != "" {
 		return r.Address
 	}
 	return "localhost"
 }
 // PortOrDefault return the port or returns the default if 0
 func (r *DNSResolver) PortOrDefault() uint16 {
 	if r.Port > 0 {
 		return r.Port
 	}
 	return 53
 }
 // UpstreamsOrDefault returns the upstreams or returns the default if empty
 func (r *DNSResolver) UpstreamsOrDefault() []string {
 	if len(r.Upstreams) > 0 {
 		return r.Upstreams
 	}
 	return []string{"https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"}
 }
 // BootstrapsOrDefault returns the bootstraps or returns the default if empty
 func (r *DNSResolver) BootstrapsOrDefault() []string {
 	if len(r.Bootstraps) > 0 {
 		return r.Bootstraps
 	}
 	return []string{"https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"}
 }
 // MaxUpstreamConnectionsOrDefault return the max upstream connections or returns the default if negative
 func (r *DNSResolver) MaxUpstreamConnectionsOrDefault() int {
 	if r.MaxUpstreamConnections >= 0 {
 		return r.MaxUpstreamConnections
 	}
 	return tunneldns.MaxUpstreamConnsDefault
 }
--- a/cmd/cloudflared/encrypter/encrypt.go
+++ b/cmd/cloudflared/encrypter/encrypt.go
@ -3,27 +3,27 @@
 // tldr is it uses Elliptic Curves (Curve25519) for the keys, XSalsa20 and Poly1305 for encryption.
 // You can read more here https://godoc.org/golang.org/x/crypto/nacl/box.
 //
-//	msg := []byte("super safe message.")
+//		msg := []byte("super safe message.")
-//	alice, err := NewEncrypter("alice_priv_key.pem", "alice_pub_key.pem")
+//		alice, err := New("alice_priv_key.pem", "alice_pub_key.pem")
-//	if err != nil {
+//		if err != nil {
-//		log.Fatal(err)
+//			log.Fatal(err)
-//	}
+//		}
 //
-//	bob, err := NewEncrypter("bob_priv_key.pem", "bob_pub_key.pem")
+//		bob, err := New("bob_priv_key.pem", "bob_pub_key.pem")
-//	if err != nil {
+//		if err != nil {
-//		log.Fatal(err)
+//			log.Fatal(err)
-//	}
+//		}
-//	encrypted, err := alice.Encrypt(msg, bob.PublicKey())
+//		encrypted, err := alice.Encrypt(msg, bob.PublicKey())
-//	if err != nil {
+//		if err != nil {
-//		log.Fatal(err)
+//			log.Fatal(err)
-//	}
+//		}
 //
-//	data, err := bob.Decrypt(encrypted, alice.PublicKey())
+//		data, err := bob.Decrypt(encrypted, alice.PublicKey())
-//	if err != nil {
+//		if err != nil {
-//		log.Fatal(err)
+//			log.Fatal(err)
-//	}
+//		}
-//	fmt.Println(string(data))
+//		fmt.Println(string(data))
-package token
+package encrypter
 import (
 	"bytes"
@ -44,8 +44,8 @@ type Encrypter struct {
 	publicKey  *[32]byte
 }
-// NewEncrypter returns a new encrypter with initialized keypair
+// New returns a new encrypter with initialized keypair
-func NewEncrypter(privateKey, publicKey string) (*Encrypter, error) {
+func New(privateKey, publicKey string) (*Encrypter, error) {
 	e := &Encrypter{}
 	pubKey, key, err := e.fetchOrGenerateKeys(privateKey, publicKey)
 	if err != nil {
--- a/Show More
+++ b/Show More