Chrome policy updates

Fixed bug in gam print|show chromepolicies that caused a trap.
2026-06-06 23:31:38 +00:00 · 2025-05-09 14:34:59 -07:00 · 2025-05-09 14:32:38 -07:00 · 2025-05-08 14:28:27 -07:00 · 2025-05-07 08:53:56 -07:00 · 2025-05-07 08:14:26 -07:00
274 changed files with 23826 additions and 37975 deletions
--- a/.github/actions/creds.tar.xz.gpg
+++ b/.github/actions/creds.tar.xz.gpg
--- a/.github/actions/decrypt.sh
+++ b/.github/actions/decrypt.sh
@@ -1,32 +1,19 @@
 #!/bin/sh
-credspath="$3"
+credspath="$1"
 if [ ! -d "$credspath" ]; then
    echo "creating ${credspath}"
    mkdir -p "$credspath"
 fi
-gpgfile="$1"
-if [ -f "$gpgfile" ]; then
-    echo "source file is ${gpgfile}"
+credsfile="${credspath}/oauth2.txt"
+echo "$oa2" > "$credsfile"
+echo "File size:"
+wc -c "$credsfile"
+echo "File type:"
+file "$credsfile"
+echo "Validation:"
+jq -e . "$credsfile" > /dev/null
+if [ $? -eq 0 ]; then
+  echo "Valid JSON"
 else
-    echo "ERROR: ${gpgfile} does not exist"
-    exit 1
+  echo "Invalid JSON"
 fi
-credsfile="$2"
-echo "target file is ${credsfile}"
-if [ -z ${PASSCODE+x} ]; then
-  echo "ERROR: PASSCODE is unset";
-  exit 2
-else
-  echo "PASSCODE is set";
-fi
-
-gpg --batch \
-    --yes \
-    --decrypt \
-    --passphrase="${PASSCODE}" \
-    --output "${credsfile}" \
-    "${gpgfile}"
-
-tar xvvf "${credsfile}" --directory "${credspath}"
-rm -rvf "${gpgfile}"
-rm -rvf "${credsfile}"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,9 +2,14 @@ name: Build and test GAM

 on:
  push:
+    paths-ignore:
+      - 'wiki/**'
  pull_request:
+    paths-ignore:
+      - 'wiki/**'
  schedule:
    - cron: '37 22 * * *'
+  workflow_dispatch:

 permissions:
  contents: read
@@ -17,12 +22,14 @@ defaults:
    working-directory: src

 env:
-  SCRATCH_COUNTER: 1
+  SCRATCH_COUNTER: 14
  OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
  OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
  OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
  PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
  PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
+  CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY: 1
+  CRYPTOGRAPHY_OPENSSL_NO_LEGACY: 1

 jobs:
  build:
@@ -34,65 +41,69 @@ jobs:
          - os: ubuntu-22.04
            jid: 1
            goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
-          - os: ubuntu-20.04
+            name: Build Intel Ubuntu Jammy
+          - os: ubuntu-24.04
            jid: 2
            goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
-          - os: [self-hosted, linux, arm64]
+            name: Build Intel Ubuntu Noble
+          - os: ubuntu-24.04-arm
            jid: 3
            goal: build
-            arch: aarch64
-            openssl_archs: linux-aarch64
-          - os: ubuntu-20.04
+            name: Build Arm Ubuntu Noble
+          - os: ubuntu-22.04-arm
            jid: 4
            goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
-            staticx: yes
-          - os: [self-hosted, linux, arm64]
+            name: Build Arm Ubuntu Jammy
+          - os: ubuntu-22.04
            jid: 5
            goal: build
-            arch: aarch64
-            openssl_archs: linux-aarch64
            staticx: yes
-          - os: macos-13
+            name: Build Intel StaticX Legacy
+          - os: ubuntu-22.04-arm
            jid: 6
            goal: build
-            arch: x86_64
-            openssl_archs: darwin64-x86_64
-          - os: macos-14
+            staticx: yes
+            name: Build Arm StaticX Legacy
+          - os: macos-13
            jid: 7
            goal: build
-            arch: aarch64
-            openssl_archs: darwin64-arm64
-          - os: windows-2022
+            name: Build Intel MacOS
+          - os: macos-14
+            jid: 8
+            goal: build
+            name: Build Arm MacOS 14
+          - os: macos-15
            jid: 9
            goal: build
-            arch: Win64
-            openssl_archs: VC-WIN64A
-          - os: ubuntu-22.04
-            goal: test
-            python: "3.13"
+            name: Build Arm MacOS 15
+          - os: windows-2022
            jid: 10
-            arch: x86_64
-          - os: ubuntu-22.04
-            goal: test
-            python: "3.9"
+            goal: build
+            name: Build Intel Windows
+          - os: windows-11-arm
            jid: 11
-            arch: x86_64
-          - os: ubuntu-22.04
+            goal: build
+            name: Build Arm Windows
+          - os: ubuntu-24.04
            goal: test
            python: "3.10"
            jid: 12
-            arch: x86_64
-          - os: ubuntu-22.04
+            name: Test Python 3.10
+          - os: ubuntu-24.04
            goal: test
            python: "3.11"
-            jid: 8
-            arch: x86_64
+            jid: 13
+            name: Test Python 3.11
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.12"
+            jid: 14
+            name: Test Python 3.12
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.14-dev"
+            jid: 15
+            name: Test Python 3.14-dev

    steps:

@@ -115,7 +126,7 @@ jobs:
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20240930
+          key: gam-${{ matrix.jid }}-20250422

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -129,15 +140,25 @@ jobs:
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
+          check-latest: true

      - name: common variables for all runs
        env:
-          arch: ${{ matrix.arch }}
          JID: ${{ matrix.jid }}
          ACTIONS_CACHE: ${{ steps.cache-python-ssl.outputs.cache-hit }}
          ACTIONS_GOAL: ${{ matrix.goal }}
        run: |
-          echo "arch=${arch}" >> $GITHUB_ENV
+          case $RUNNER_ARCH in
+            X64)
+              echo "arch=x86_64" >> $GITHUB_ENV
+              ;;
+            ARM64)
+              echo "arch=arm64" >> $GITHUB_ENV
+              ;;
+            *)
+              echo "arch=${RUNNER_ARCH}" >> $GITHUB_ENV
+              ;;
+          esac 
          echo "JID=${JID}" >> $GITHUB_ENV
          echo "ACTIONS_CACHE=${ACTIONS_CACHE}" >> $GITHUB_ENV
          echo "ACTIONS_GOAL=${ACTIONS_GOAL}" >> $GITHUB_ENV
@@ -151,20 +172,12 @@ jobs:
          echo "curl_retry=${curl_retry}" >> $GITHUB_ENV
          # GAMCFGDIR should be recreated on every run
          GAMCFGDIR="${RUNNER_TEMP}/.gam"
-          if [ "$arch" == "Win64" ]; then
+          if [ "$RUNNER_OS" == "Windows" ]; then
            GAMCFGDIR=$(cygpath -u "$GAMCFGDIR")
          fi
          echo "GAMCFGDIR=${GAMCFGDIR}" >> $GITHUB_ENV
          echo "GAMCFGDIR is: ${GAMCFGDIR}"
-          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            GAMOS="macos"
-          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
-            GAMOS="linux"
-          elif [[ "${RUNNER_OS}" == "Windows" ]]; then
-            GAMOS="windows"
-          else
-           GAMOS='unknown'
-          fi
+          export GAMOS=$(echo "$RUNNER_OS" | tr '[:upper:]' '[:lower:]')
          echo "GAMOS=${GAMOS}" >> $GITHUB_ENV
          echo "GAMOS is: ${GAMOS}"

@@ -182,11 +195,11 @@ jobs:
          echo "gampath=${gampath}" >> $GITHUB_ENV

      - name: Install necessary Github-hosted Linux packages
-        if: runner.os == 'Linux' && runner.arch == 'X64'
+        if: runner.os == 'Linux'
        run: |
          echo "RUNNING: apt update..."
          sudo apt-get -qq --yes update
-          sudo apt-get -qq --yes install swig libpcsclite-dev libxslt1-dev
+          sudo apt-get -qq --yes install swig libpcsclite-dev libxslt1-dev libsqlite3-dev libffi-dev pkg-config

      - name: MacOS install tools
        if: runner.os == 'macOS'
@@ -213,23 +226,15 @@ jobs:
        uses: ilammy/msvc-dev-cmd@v1
        if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        with:
-          arch: ${{ matrix.arch }}
+          arch: ${{ runner.arch }}

      - name: Set Env Variables for build
        if: matrix.goal == 'build'
        env:
-          openssl_archs: ${{ matrix.openssl_archs }}
          staticx: ${{ matrix.staticx }}
        run: |
          echo "We are running on ${RUNNER_OS}"
          LD_LIBRARY_PATH="${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib:/usr/local/lib"
-          if [[ "${arch}" == "Win64" ]]; then
-            PYEXTERNALS_PATH="amd64"
-            PYBUILDRELEASE_ARCH="x64"
-            GAM_ARCHIVE_ARCH="x86_64"
-            WIX_ARCH="x64"
-            CHOC_OPS=""
-          fi
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
            MAKE=make
            MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
@@ -247,9 +252,17 @@ jobs:
            MAKE=nmake
            MAKEOPT=""
            PERL="c:\strawberry\perl\bin\perl.exe"
+            if [[ "$RUNNER_ARCH" == "ARM64" ]]; then
+              PYEXTERNALS_PATH="arm64"
+              WIX_ARCH="arm64"
+              CHOC_OPS=""
+            elif [[ "$RUNNER_ARCH" == "X64" ]]; then
+              PYEXTERNALS_PATH="amd64"
+              WIX_ARCH="x64"
+              CHOC_OPS=""
+            fi
            LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}"
            echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}/python.exe" >> $GITHUB_ENV
-            echo "GAM_ARCHIVE_ARCH=${GAM_ARCHIVE_ARCH}" >> $GITHUB_ENV
            echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
          fi
          echo "We'll run make with: ${MAKEOPT}"
@@ -259,8 +272,6 @@ jobs:
          echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
          echo "PERL=${PERL}" >> $GITHUB_ENV
          echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV
-          echo "PYBUILDRELEASE_ARCH=${PYBUILDRELEASE_ARCH}" >> $GITHUB_ENV
-          echo "openssl_archs=${openssl_archs}" >> $GITHUB_ENV

      - name: Get latest stable OpenSSL source
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -274,29 +285,21 @@ jobs:
          git checkout "${LATEST_STABLE_TAG}"
          export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix
          echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            for openssl_arch in $openssl_archs; do
-              ssldir="${OPENSSL_SOURCE_PATH}-${openssl_arch}"
-              mkdir -v "${ssldir}"
-              cp -vrf ${OPENSSL_SOURCE_PATH}/* "${ssldir}/"
-            done
-            rm -vrf "${OPENSSL_SOURCE_PATH}"
-          else
-            mv -v "${OPENSSL_SOURCE_PATH}" "${OPENSSL_SOURCE_PATH}-${openssl_archs}"
-          fi

      - name: Windows NASM Install
        uses: ilammy/setup-nasm@v1
-        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
+        if: matrix.goal == 'build' && runner.os == 'Windows' && runner.arch == 'X64' && steps.cache-python-ssl.outputs.cache-hit != 'true'

      - name: Config OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
-          for openssl_arch in $openssl_archs; do
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-            # --libdir=lib is needed so Python can find OpenSSL libraries
-            "${PERL}" ./Configure "${openssl_arch}" --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
-          done
+          cd "${OPENSSL_SOURCE_PATH}"
+          # TODO: remove this once https://github.com/openssl/openssl/issues/26239 is fixed.
+          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+            export CFLAGS=-DNO_INTERLOCKEDOR64
+          fi
+          # --libdir=lib is needed so Python can find OpenSSL libraries
+          "${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS

      - name: Rename GNU link on Windows
        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -307,53 +310,29 @@ jobs:
      - name: Make OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
-          for openssl_arch in $openssl_archs; do
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-            $MAKE "${MAKEOPT}"
-          done
+          cd "${OPENSSL_SOURCE_PATH}"
+          # TODO: remove this once https://github.com/openssl/openssl/issues/26239 is fixed.
+          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+            export CFLAGS=-DNO_INTERLOCKEDOR64
+          fi
+          $MAKE "$MAKEOPT"

      - name: Install OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            for openssl_arch in $openssl_archs; do
-              cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-              # install_sw saves us ages processing man pages :-)
-              $MAKE install_sw
-              mv -v "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
-            done
-            mkdir -vp "${OPENSSL_INSTALL_PATH}/lib"
-            mkdir -vp "${OPENSSL_INSTALL_PATH}/bin"
-            for archlib in libcrypto.3.dylib libssl.3.dylib libcrypto.a libssl.a; do
-              lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/lib/${archlib}" \
-                           "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/lib/${archlib}" \
-                   -output "${GITHUB_WORKSPACE}/bin/ssl/lib/${archlib}"
-            done
-            mv ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/include ${GITHUB_WORKSPACE}/bin/ssl/
-            lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/bin/openssl" \
-                         "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/bin/openssl" \
-                 -output "${GITHUB_WORKSPACE}/bin/ssl/bin/openssl"
-            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64
-            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64
-          else
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_archs}"
-            # install_sw saves us ages processing man pages :-)
-            $MAKE install_sw
-          fi
+          cd "${OPENSSL_SOURCE_PATH}"
+          # install_sw saves us ages processing man pages :-)
+          $MAKE install_sw
          if [[ "${RUNNER_OS}" != "Windows" ]]; then
            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
          fi
          echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
-          case $arch in
-            universal2)
-              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64 ${CFLAGS}" >> $GITHUB_ENV
-              echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV
-              ;;
-            x86_64)
+          case $RUNNER_ARCH in
+            X64)
              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
              echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
              ;;
-            aarch64)
+            ARM64)
              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
              echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
              ;;
@@ -380,18 +359,12 @@ jobs:
        if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
          cd "${PYTHON_SOURCE_PATH}"
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            extra_args=( "--enable-universalsdk" "--with-universal-archs=universal2" )
-          else
-            extra_args=( )
-          fi
          ./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \
                      --prefix="${PYTHON_INSTALL_PATH}" \
                      --enable-shared \
                      --with-ensurepip=upgrade \
                      --enable-optimizations \
-                      --with-lto \
-                      "${extra_args[@]}" || : # exit 0
+                      --with-lto || : # exit 0
          cat config.log

      - name: Windows Get External Python deps
@@ -411,10 +384,15 @@ jobs:
          Remove-Item -recurse -force "${env:OPENSSL_EXT_PATH}*"
          # Emulate what this script does:
          # https://github.com/python/cpython/blob/main/PCbuild/openssl.vcxproj
-          $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:PYEXTERNALS_PATH}"
+          if (${env:RUNNER_ARCH} -eq "X64") {
+            $env:ossl_path = "amd64"
+          } elseif (${env:RUNNER_ARCH} -eq "ARM64") {
+            $env:ossl_path =  "arm64"
+          }
+          $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:ossl_path}"
          echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}"
          mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
-          Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE" -Verbose
+          Copy-Item -Path "${env:OPENSSL_SOURCE_PATH}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE"
          cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}"
          cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}"
          cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
@@ -435,8 +413,15 @@ jobs:
          cd "${env:PYTHON_SOURCE_PATH}"
          # We need out custom openssl.props which uses OpenSSL 3 DLL names
          Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\ -Verbose
-          echo "Building for ${env:PYBUILDRELEASE_ARCH}..."
-          PCBuild\build.bat -m --pgo -c Release -p "${env:PYBUILDRELEASE_ARCH}"
+          if (${env:RUNNER_ARCH} -eq "X64") {
+            $env:arch = "x64"
+            PCBuild\build.bat -c Release -p $env:arch --pgo
+          } elseif (${env:RUNNER_ARCH} -eq "ARM64") {
+            $env:arch =  "ARM64"
+            # TODO: figure out why Windows ARM64 isn't compat with PGO optimiazation
+            # causes 10-20% slowdown in Python
+            PCBuild\build.bat -c Release -p $env:arch
+          }

      - name: Mac/Linux Build Python
        if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -463,46 +448,43 @@ jobs:
      - name: Upgrade pip, wheel, etc
        run: |
          curl $curl_retry -O https://bootstrap.pypa.io/get-pip.py
-          "${PYTHON}" get-pip.py
-          "${PYTHON}" -m pip install --upgrade pip
-          "${PYTHON}" -m pip install --upgrade wheel
-          "${PYTHON}" -m pip install --upgrade setuptools
+          "$PYTHON" get-pip.py
+          "$PYTHON" -m pip install --upgrade pip
+          "$PYTHON" -m pip install --upgrade wheel
+          "$PYTHON" -m pip install --upgrade setuptools
+          "$PYTHON" -m pip install --upgrade importlib-metadata
+          "$PYTHON" -m pip install --upgrade setuptools-scm
+          "$PYTHON" -m pip list
+
+      - name: Custom wheels for Win arm64
+        if: runner.os == 'Windows' && runner.arch == 'ARM64'
+        run: |
+          latest_lxml_whl=$(curl https://api.github.com/repos/GAM-team/lxml-wheel/releases/latest -s | jq -r .assets.[0].browser_download_url)
+          echo "Downloading ${latest_lxml_whl}..."
+          curl -O -L "$latest_lxml_whl"
+          "$PYTHON" -m pip install lxml*.whl
+          latest_crypt_whl=$(curl https://api.github.com/repos/jay0lee/cryptography/releases/latest -s | jq -r .assets.[0].browser_download_url)
+          echo "Downloading ${latest_crypt_whl}..."
+          curl -O -L "$latest_crypt_whl"
+          "$PYTHON" -m pip install cryptography*.whl
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+     # - name: Compile cryptography from source (no legacy)
+     #   if: runner.os != 'Windows' || runner.arch != 'ARM64'
+     #   run: |
+     #     pip install --no-binary ":all:" --force cryptography

      - name: Install pip requirements
        run: |
          echo "before anything..."
-          "${PYTHON}" -m pip list
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            # cffi is a dep of cryptography and doesn't ship
-            # a universal2 wheel so we must build one ourself :-/
-            export CFLAGS="-arch x86_64 -arch arm64"
-            export ARCHFLAGS="-arch x86_64 -arch arm64"
-            "${PYTHON}" -m pip install --upgrade --force-reinstall --no-binary :all: \
-                              --no-cache-dir --no-deps --use-pep517 \
-                              --use-feature=no-binary-enable-wheel-cache \
-                              cffi 
-            echo "before cryptography..."
-            "${PYTHON}" -m pip list
-            # cryptography has a universal2 wheel but getting it installed
-            # on x86-64 MacOS is a royal pain in the keester.
-            "${PYTHON}" -m pip download --only-binary :all: \
-                                          --dest . \
-                                          --no-cache \
-                                          --no-deps \
-                                          --platform macosx_10_15_universal2 \
-                                          cryptography
-            "${PYTHON}" -m pip install --force-reinstall --no-deps cryptography*.whl
-            echo "after cryptography..."
-            "${PYTHON}" -m pip list
-            "${PYTHON}" -m pip install --upgrade --no-binary :all: -r requirements.txt
-          else
-            "${PYTHON}" -m pip install --upgrade -r requirements.txt
-            echo "after requirements..."
-            "${PYTHON}" -m pip list
-            "${PYTHON}" -m pip install --force-reinstall --no-deps --upgrade cryptography
-          fi
+          "$PYTHON" -m pip list
+          "$PYTHON" -m pip install --upgrade -r requirements.txt
+          echo "after requirements..."
+          "$PYTHON" -m pip list
+          #"$PYTHON" -m pip install --force-reinstall --no-deps --upgrade cryptography
          echo "after everything..."
-          "${PYTHON}" -m pip list
+          "$PYTHON" -m pip list

      - name: Install PyInstaller
        if: matrix.goal == 'build'
@@ -510,19 +492,12 @@ jobs:
          git clone https://github.com/pyinstaller/pyinstaller.git
          cd pyinstaller
          export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
-          # git checkout "${latest_release}"
-          git checkout "v6.9.0"
+          git checkout "${latest_release}"
+          # git checkout "v6.9.0"
          # remove pre-compiled bootloaders so we fail if bootloader compile fails
          rm -rvf PyInstaller/bootloader/*-*/*
          cd bootloader
-          export PYINSTALLER_BUILD_ARGS=""
-          case "${arch}" in
-            "Win64")
-              export PYINSTALLER_BUILD_ARGS="--target-arch=64bit"
-              ;;
-          esac
-          echo "PyInstaller build arguments: ${PYINSTALLER_BUILD_ARGS}"
-          "${PYTHON}" ./waf all $PYINSTALLER_BUILD_ARGS
+          "${PYTHON}" ./waf all
          cd ..
          echo "---- Installing PyInstaller ----"
          "${PYTHON}" -m pip install .
@@ -543,7 +518,7 @@ jobs:
            # https://github.com/pyinstaller/pyinstaller/issues/7102
            export PATH="$(dirname ${PYTHON}):/usr/bin"
          fi
-          if ([ "${staticx}" != "yes" ] && [ "$RUNNER_OS" != "Windows" ]); then
+          if [[ "$staticx" != "yes" ]]; then
            export PYINSTALLER_BUILD_ONEDIR=yes
          fi
          "${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
@@ -588,10 +563,15 @@ jobs:
      - name: Install StaticX
        if: matrix.staticx == 'yes'
        run: |
+          sudo apt-get -qq --yes update
+          # arm64 needs to build a wheel and needs scons to build
+          sudo apt-get -qq --yes install scons
          "${PYTHON}" -m pip install --upgrade patchelf-wrapper
-          "${PYTHON}" -m pip install --upgrade staticx
+          # "${PYTHON}" -m pip install --upgrade staticx
+          # install latest github src for staticx
+          "${PYTHON}" -m pip install --upgrade "git+https://github.com/JonathonReinhart/staticx"

-      - name: Make StaticX
+      - name: Make StaticX GAM build
        if: matrix.staticx == 'yes'
        run: |
          case $RUNNER_ARCH in
@@ -628,14 +608,12 @@ jobs:
          echo "GAM Version ${GAMVERSION}"
          echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV

-      - name: Configure service account auth
+      - name: Configure user and service account auth
        id: configserviceaccount
        env:
-          PASSCODE: ${{ secrets.PASSCODE }}
+          oa2: ${{ secrets[format('GAM_GHA_{0}', matrix.jid)] }}
        run: |
-          source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
-          mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
-          rm -v $GAMCFGDIR/oauth2.txt-gam*
+          ../.github/actions/decrypt.sh "${GAMCFGDIR}"
          $gam create signjwtserviceaccount

      - name: Upload gam.exe Windows for signing
@@ -676,33 +654,46 @@ jobs:
        if: runner.os != 'Windows' && matrix.goal == 'build'
        run: |
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-              GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-macos-${arch}.tar.xz"
+              GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-macos${MACOSX_DEPLOYMENT_TARGET}-${arch}.tar.xz"
          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
            if [[ "${staticx}" == "yes" ]]; then
              libver="legacy"
            else
              libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
            fi
-            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
+            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-${arch}-${libver}.tar.xz"
          fi
          echo "GAM Archive ${GAM_ARCHIVE}"
          tar -C "${gampath}/.." --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam7

-      - name: Windows package
+      - name: Install Wix on Win ARM64
+        if: runner.os == 'Windows' && runner.arch == 'ARM64'
+        run: |
+          choco install wixtoolset
+
+      - name: Windows package zip
        if: runner.os == 'Windows' && matrix.goal != 'test'
        run: |
+          echo "started in $(pwd)"
          cd "${gampath}/.."
-          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
+          echo "moved to $(pwd)"
+          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.zip"
          /c/Program\ Files/7-Zip/7z.exe a -tzip "$GAM_ARCHIVE" gam7 "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
-          cd ..
-          export MSI_FILENAME="gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi"
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj -o "$MSI_FILENAME" || true;
+
+      - name: Windows package MSI
+        if: runner.os == 'Windows' && matrix.goal != 'test'
+        run: |
+          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.msi"
+          # auto-generate a lib.wxs based on the files PyInstaller created for the lib/ directory
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/heat.exe dir "${gampath}/lib" -ke -srd -cg Lib -gg -dr lib -directoryid lib -out lib.wxs
+          $PYTHON tools/gen-wix-xml-filelist.py lib.wxs
+          echo "-- begin lib.wxs --"
+          cat lib.wxs
+          echo "-- end lib.wxs --"
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs lib.wxs
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj lib.wixobj -b "${gampath}/lib" -o "$MSI_FILENAME" || true;
          rm -v -f *.wixpdb
-          export folder_number=$(date +%s)
-          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
-          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$MSI_FILENAME" parentid "$folder_id"
-          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
+          rm -v -f *.wixobj
          echo "MSI_FILENAME=${MSI_FILENAME}" >> $GITHUB_ENV

      - name: Upload gam MSI Windows for signing
@@ -726,15 +717,14 @@ jobs:
            sleep 10
          done
          # download signed package
-          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name = '$MSI_FILENAME'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
-          # delete signed folder from drive
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name contains '.msi'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
          # delete signed folder on drive
          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"

      - name: Attest that gam package files were generated from this Action
        uses: actions/attest-build-provenance@v1
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal == 'build'
        with:
          subject-path: |
            gam*.tar.xz
@@ -743,7 +733,7 @@ jobs:

      - name: Archive production artifacts
        uses: actions/upload-artifact@v4
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal != 'test'
        with:
          name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
          path: |
@@ -771,8 +761,8 @@ jobs:
          fi
          echo "We successfully compiled Python ${this_python} and OpenSSL ${this_openssl}"

-      - name: Live API tests push only
-        if: (github.event_name == 'push' || github.event_name == 'schedule')
+      - name: Live API tests
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
        run: |
          export gam_user="gam-gha-${JID}@pdl.jaylee.us"
          echo "gam_user=${gam_user}" >> $GITHUB_ENV
@@ -798,7 +788,10 @@ jobs:
          
          # cleanup old runs
          $gam config enable_dasa false save
-          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultholds || if [ $? != 55 ]; then exit $?; fi | $gam csv - gam delete vaulthold "id:~~holdId~~" matter "id:~~matterId~~"
+          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultholds | $gam csv - gam delete vaulthold "id:~~holdId~~" matter "id:~~matterId~~" || if [ $? != 55 ]; then exit $?; fi 
+          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultmatters matterstate OPEN | $gam csv - gam update vaultmatter "id:~~matterId~~" action close
+          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultmatters matterstate CLOSED | $gam csv - gam update vaultmatter "id:~~matterId~~" action delete
+          $gam config csv_output_row_filter "Emails.1.address:regex:^gha_test-${JID}_" print contacts | $gam csv - gam delete contact ~ContactID
          $gam config enable_dasa true save
          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print features | $gam csv - gam delete feature ~name
          $gam config csv_output_row_filter "name:regex:^gha_test_${JID}_" user $gam_user print shareddrives asadmin | $gam csv - gam user $gam_user delete shareddrive ~id nukefromorbit
@@ -807,7 +800,6 @@ jobs:
          $gam config csv_output_row_filter "email:regex:^gha_test_${JID}_" print cigroups | $gam csv - gam delete cigroup ~email
          $gam config csv_output_row_filter "resourceId:regex:^gha_test_${JID}_" print resources | $gam csv - gam delete resource ~resourceId
          $gam config csv_output_row_filter "buildingId:regex:^gha_test_${JID}_" print buildings | $gam csv - gam delete building ~buildingId
-          $gam config csv_output_row_filter "Emails.1.address:regex:^gha_test-${JID}_" print contacts | $gam csv - gam delete contact ~ContactID

          echo "Creating OrgUnit ${newou}"
          $gam create ou "${newou}"
@@ -818,19 +810,19 @@ jobs:
          done
          driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
          echo "Created shared drive ${driveid}"
-          # 9/17/24 - temp create in root due to Google API issues creating users in new OUs
-          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- # ou "${newou}"
+          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "${newou}"
+          $gam user $newuser add license workspaceenterpriseplus
          $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
          $gam user $newuser get photo
          $gam user $newuser delete photo
          $gam create alias $newalias user $newuser
          $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
-          $gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message"
-          $gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message"
+          $gam user $gam_user sendemail recipient dev-null@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
          $gam config enable_dasa false save
+          # don't expose policy output
+          $gam show policies > policies.csv
          $gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
          $gam print contacts
-          $gam user $newuser add license workspaceenterpriseplus
          $gam print privileges
          $gam config enable_dasa true save
          $gam update cigroup $newgroup security memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
@@ -849,18 +841,18 @@ jobs:
          $gam csv sample.csv gam update user ~~email~~ recoveryphone "" recoveryemail ""
          $gam config enable_dasa false save
          $gam csv sample.csv gam user ~email add license workspaceenterpriseplus
+          #$gam user $newuser add contactdelegate "${newbase}-bulkuser-1"
+          #$gam user $newuser print contactdelegates
          $gam config enable_dasa true save
          $gam csv sample.csv gam user $gam_user sendemail recipient ~~email~~@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
          $gam csv sample.csv gam update group $newgroup add member ~email
          $gam info group $newgroup
          $gam info cigroup $newgroup membertree
          # confirm mailbox is provisoned before continuing
-          $gam user $newuser waitformailbox retries 20
+          $gam user $newuser waitformailbox retries 50
          $gam user $newuser imap on
          $gam user $newuser show imap
          $gam user $newuser show delegates
-          #$gam user $newuser add contactdelegate "${newbase}-bulkuser-1"
-          #$gam user $newuser print contactdelegates
          export biohazard=$(echo -e '\xe2\x98\xa3')
          $gam user $newuser label "$biohazard unicode biohazard $biohazard"
          $gam user $newuser show labels
@@ -892,7 +884,7 @@ jobs:
          $gam calendar $gam_user addevent summary "GHA test event" start +1h end +2h attendee $newgroup hangoutsmeet guestscanmodify true sendupdates all
          $gam calendar $gam_user printevents after -0d
          $gam config enable_dasa false save
-          matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" collaborators $newuser returnidonly)
+          matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" returnidonly)
          $gam create vaulthold matter $matterid name "GHA hold $newbase" corpus mail accounts $newuser
          $gam print vaultmatters matterstate open
          $gam print vaultholds matter $matterid
@@ -926,9 +918,9 @@ jobs:
          $gam user $newuser show holds || if [ $? != 55 ]; then exit $?; fi # expect a 55 return code
          export sn="$JID$JID$JID$JID-$(openssl rand -base64 32 | sed 's/[^a-zA-Z0-9]//g')"
          $gam create device serialnumber $sn devicetype android
+          $gam delete contacts emailmatchpattern "^${newbase}@example.com$"
          $gam config enable_dasa true save
          $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail  || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (vault hold on user)
-          $gam delete contacts emailmatchpattern "^${newbase}@example.com$"
          $gam print mobile
          $gam print devices
          $gam print browsers
@@ -980,8 +972,8 @@ jobs:
          tar cJvvf cache.tar.xz $tar_folders

  merge:
-    if: (github.event_name == 'push' || github.event_name == 'schedule')
-    runs-on: ubuntu-latest
+    if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
+    runs-on: ubuntu-24.04
    needs: build
    permissions:
      contents: write
@@ -994,8 +986,8 @@ jobs:
          pattern: gam-binaries-*

  publish:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
+    if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
+    runs-on: ubuntu-24.04
    needs: merge
    permissions:
      contents: write
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,10 +13,11 @@ name: "CodeQL"

 on:
  push:
-    branches: [ main ]
+    paths-ignore:
+      - 'wiki/**'
  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
+    paths-ignore:
+      - 'wiki/**'
  schedule:
    - cron: '25 10 * * 1'

--- a/.github/workflows/get-cacerts.yml
+++ b/.github/workflows/get-cacerts.yml
@@ -2,7 +2,11 @@ name: Check for Google Root CA Updates

 on:
  push:
+    paths-ignore:
+      - 'wiki/**'
  pull_request:
+    paths-ignore:
+      - 'wiki/**'
  schedule:
    - cron: '23 23 * * *'

@@ -20,8 +24,24 @@ jobs:
          persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo

-      - name: Check for updates
-        run: curl -o ./cacerts.pem -vvvv https://pki.goog/roots.pem
+      - name: Get Current cacerts.pem hash
+        run: |
+          export CURRENT_HASH=$(sha256sum ./cacerts.pem)
+          echo "Current hash is: ${CURRENT_HASH}"
+          echo "CURRENT_HASH=${CURRENT_HASH}" >> $GITHUB_ENV
+
+      - name: Get latest cacerts.pem file from Google
+        run: |
+          curl -o ./cacerts.pem -vvvv https://pki.goog/roots.pem
+
+      - name: Compare hashes
+        run: |
+          export NEW_HASH=$(sha256sum ./cacerts.pem)
+          if [ "$NEW_HASH" == "$CURRENT_HASH" ]; then
+            echo "Same file."
+          else
+            echo "New file content. Was ${CURRENT_HASH} and now is ${NEW_HASH}"
+          fi

      - name: Commit file
        run: |
--- a/.github/workflows/pushwiki.yml
+++ b/.github/workflows/pushwiki.yml
@@ -0,0 +1,41 @@
+name: Push wiki
+permissions:
+  contents: write
+on:
+  push:
+    paths:
+      - 'wiki/**'
+jobs:
+  pushwiki:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout GAM source
+        run: |
+          # checkout via normal shell here
+          # so we're not authorized to actually make any changes
+          git clone https://github.com/GAM-team/GAM
+
+      - name: Checkout Wiki source
+        uses: actions/checkout@master
+        with:
+          path: GAM.wiki
+          repository: GAM-team/GAM.wiki
+          persist-credentials: true
+          fetch-depth: 0
+
+      - name: Overwrite all Wiki repo files with /wiki from main git
+        run: |
+          # remove all wiki repo files so deletes work
+          rm -fv GAM.wiki/*.md
+          # copy all files from main GAM repo wiki folder
+          cp -fv GAM/wiki/*.md GAM.wiki/
+
+      - name: Commit Wiki changes
+        run: |
+          cd GAM.wiki
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git add *.md
+          git commit -m "[no ci] Push Wiki changes"
+          git status
+          git push
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -0,0 +1,35 @@
+name: build and publish releases to PyPi
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+  workflow_dispatch:
+
+jobs:
+  pypi:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/gam7
+    permissions:
+      id-token: write
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Install required packages to publish
+        run: |
+          python3 -m pip install --upgrade build
+
+      - name: Build packages
+        run: |
+          python -m build
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestation: true
--- a/docs/Administrators.md
+++ b/docs/Administrators.md
@@ -1,913 +0,0 @@
-# Administrators
- [Administrator roles documentation](#administrator-roles-documentation)
- [API documentation](#api-documentation)
- [Definitions](#definitions)
- [Display administrative privileges](#display-administrative-privileges)
- [Manage administrative roles](#manage-administrative-roles)
- [Display administrative roles](#display-administrative-roles)
- [Create an administrator](#create-an-administrator)
- [Delete an administrator](#delete-an-administrator)
- [Display administrators](#display-administrators)
- [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another)
-
-## Administrator roles documentation
-* https://support.google.com/a/answer/33325?ref_topic=4514341
-
-## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/privileges
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/roleAssignments
-
-## Definitions
-```
-<DomainName> ::= <String>(.<String>)+
-<EmailAddress> ::= <String>@<DomainName>
-<GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
-<OrgUnitID> ::= id:<String>
-<OrgUnitPath> ::= /|(/<String)+
-<OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
-<Privilege> ::= <String>
-<PrivilegeList> ::= "<Privilege>(,<Privilege)*"
-<RoleAssignmentID> ::= <String>
-<RoleItem> ::= id:<String>|uid:<String>|<String>
-<UniqueID> ::= id:<String>
-<UserItem> ::= <EmailAddress>|<UniqueID>|<String>
-```
-## Display administrative privileges
-```
-gam print privileges [todrive <ToDriveAttribute>*]
-gam show privileges
-```
-
-Here is the output from `gam show privileges`; use this to find `<Privilege>`.
-```
-Show 91 Privileges
-  Privilege: MANAGE_CSE_SETTINGS (1/91)
-    serviceId: 02pta16n4hxgyp2
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_PLAY_FOR_WORK_STORE (2/91)
-    serviceId: 00tyjcwt49hs5nq
-    serviceName: play_for_work
-    isOuScopable: False
-  Privilege: MANAGE_ENTERPRISE_PRIVATE_APPS (3/91)
-    serviceId: 00tyjcwt49hs5nq
-    serviceName: play_for_work
-    isOuScopable: False
-  Privilege: MANAGE_EXTERNALLY_HOSTED_APK_UPLOAD_IN_PLAY (4/91)
-    serviceId: 00tyjcwt49hs5nq
-    serviceName: play_for_work
-    isOuScopable: False
-  Privilege: MANAGE_PLAY_FOR_WORK_STORE (5/91)
-    serviceId: 02w5ecyt3pkeyqi
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_ENTERPRISE_PRIVATE_APPS (6/91)
-    serviceId: 02w5ecyt3pkeyqi
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_EXTERNALLY_HOSTED_APK_UPLOAD_IN_PLAY (7/91)
-    serviceId: 02w5ecyt3pkeyqi
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (8/91)
-    serviceId: 01ci93xb43sd8me
-    serviceName: Unknown
-    isOuScopable: True
-    childPrivileges: 2
-      Privilege: DELEGATES_READ (1/2)
-        serviceId: 01ci93xb43sd8me
-        serviceName: Unknown
-        isOuScopable: True
-      Privilege: DELEGATES_WRITE (2/2)
-        serviceId: 01ci93xb43sd8me
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: APP_ADMIN (9/91)
-    serviceId: 03cqmetx3hnlpuf
-    serviceName: gplus
-    isOuScopable: False
-  Privilege: GPLUS_SQUARE_BATCH_ADD (10/91)
-    serviceId: 03cqmetx3hnlpuf
-    serviceName: gplus
-    isOuScopable: False
-  Privilege: GPLUS_CONTENT_MANAGER_PRIVILEGE (11/91)
-    serviceId: 03cqmetx3hnlpuf
-    serviceName: gplus
-    isOuScopable: False
-  Privilege: APP_ADMIN (12/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: ACCESS_EMAIL_LOG_SEARCH (13/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: ACCESS_ADMIN_QUARANTINE (14/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: ACCESS_RESTRICTED_QUARANTINE (15/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: APP_ADMIN (16/91)
-    serviceId: 01tuee744837sjz
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_COURSE_SETTINGS (17/91)
-    serviceId: 037m2jsg4g9nirj
-    serviceName: Unknown
-    isOuScopable: True
-  Privilege: MANAGE_LTI_CREDENTIAL_MANAGEMENT_MODE (18/91)
-    serviceId: 037m2jsg4g9nirj
-    serviceName: Unknown
-    isOuScopable: True
-  Privilege: APP_ADMIN (19/91)
-    serviceId: 01baon6m1wv6b0p
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (20/91)
-    serviceId: 01yyy98l4k9lq4l
-    serviceName: directory
-    isOuScopable: False
-    childPrivileges: 3
-      Privilege: DIRECTORY_SETTINGS_READONLY (1/3)
-        serviceId: 01yyy98l4k9lq4l
-        serviceName: directory
-        isOuScopable: False
-        childPrivileges: 2
-          Privilege: PROFILE_EDITABILITY_READONLY (1/2)
-            serviceId: 01yyy98l4k9lq4l
-            serviceName: directory
-            isOuScopable: False
-          Privilege: CUSTOM_DIRECTORY_READONLY (2/2)
-            serviceId: 01yyy98l4k9lq4l
-            serviceName: directory
-            isOuScopable: False
-      Privilege: PROFILE_EDITABILITY_READWRITE (2/3)
-        serviceId: 01yyy98l4k9lq4l
-        serviceName: directory
-        isOuScopable: False
-      Privilege: CUSTOM_DIRECTORY_READWRITE (3/3)
-        serviceId: 01yyy98l4k9lq4l
-        serviceName: directory
-        isOuScopable: False
-  Privilege: LDAP_MANAGER (21/91)
-    serviceId: 02lwamvv18la4iw
-    serviceName: ldap
-    isOuScopable: False
-  Privilege: LDAP_PASSWORD_REBIND (22/91)
-    serviceId: 02lwamvv18la4iw
-    serviceName: ldap
-    isOuScopable: True
-    childPrivileges: 1
-      Privilege: LDAP_PASSWORD_REBIND_READONLY
-        serviceId: 02lwamvv18la4iw
-        serviceName: ldap
-        isOuScopable: True
-  Privilege: APP_ADMIN (23/91)
-    serviceId: 0319y80a15kueje
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (24/91)
-    serviceId: 044sinio4cntx2o
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (25/91)
-    serviceId: 01ksv4uv2d2noaq
-    serviceName: sites
-    isOuScopable: False
-  Privilege: ADMIN_DASHBOARD (26/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: True
-  Privilege: SERVICES (27/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: SECURITY_SETTINGS (28/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: SUPPORT (29/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: ADMIN_DOMAIN_SETTINGS (30/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: REPORTS (31/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: ADMIN_DASHBOARD (32/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: True
-  Privilege: SERVICES (33/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: SUPPORT (34/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: REPORTS (35/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: APP_ADMIN (36/91)
-    serviceId: 03fwokq01e2ht7x
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: UDM_NETWORK_ADMIN
-        serviceId: 03fwokq01e2ht7x
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: ADMIN_MATTER (37/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: REMOVE_HOLD (38/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: MANAGE_SEARCHES (39/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: MANAGE_EXPORTS (40/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: MANAGE_RETENTION_POLICY (41/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: VIEW_RETENTION_POLICY
-        serviceId: 03l18frh45c63dw
-        serviceName: vault
-        isOuScopable: False
-  Privilege: AUDIT_SYSTEM (42/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: False
-  Privilege: ACCESS_ALL_MATTERS (43/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: False
-  Privilege: APP_ADMIN (44/91)
-    serviceId: 02afmg282jiquyg
-    serviceName: device_management
-    isOuScopable: False
-  Privilege: APP_ADMIN (45/91)
-    serviceId: 037m2jsg3ckz96v
-    serviceName: calendar
-    isOuScopable: False
-    childPrivileges: 2
-      Privilege: CALENDAR_SETTINGS (1/2)
-        serviceId: 037m2jsg3ckz96v
-        serviceName: calendar
-        isOuScopable: False
-        childPrivileges: 1
-          Privilege: CALENDAR_SETTINGS_READ
-            serviceId: 037m2jsg3ckz96v
-            serviceName: calendar
-            isOuScopable: False
-      Privilege: CALENDAR_RESOURCE (2/2)
-        serviceId: 037m2jsg3ckz96v
-        serviceName: calendar
-        isOuScopable: False
-        childPrivileges: 2
-          Privilege: ROOM_INSIGHTS_DASHBOARD_ACCESS (1/2)
-            serviceId: 037m2jsg3ckz96v
-            serviceName: calendar
-            isOuScopable: False
-          Privilege: CALENDAR_RESOURCE_MANAGE (2/2)
-            serviceId: 037m2jsg3ckz96v
-            serviceName: calendar
-            isOuScopable: False
-            childPrivileges: 1
-              Privilege: CALENDAR_RESOURCE_READ
-                serviceId: 037m2jsg3ckz96v
-                serviceName: calendar
-                isOuScopable: False
-  Privilege: APP_ADMIN (46/91)
-    serviceId: 03dy6vkm2sk0pzo
-    serviceName: docs
-    isOuScopable: False
-    childPrivileges: 5
-      Privilege: DOCS_TEMPLATE_ADMIN (1/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: MIGRATE_TO_TEAM_DRIVE (2/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: WRITE_APPS_METADATA_SCHEMAS (3/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: VIEW_SITE_DETAILS (4/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: MANAGE_CLASSIC_GOOGLE_SITES (5/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-  Privilege: APP_ACCESS (47/91)
-    serviceId: 03cqmetx1vygwki
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: ORGANIZATION_UNITS_ALL (48/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: True
-    childPrivileges: 4
-      Privilege: ORGANIZATION_UNITS_CREATE (1/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: ORGANIZATION_UNITS_RETRIEVE (2/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: ORGANIZATION_UNITS_UPDATE (3/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: ORGANIZATION_UNITS_DELETE (4/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-  Privilege: USERS_ALL (49/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: True
-    childPrivileges: 5
-      Privilege: USERS_CREATE (1/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: USERS_RETRIEVE (2/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: USERS_UPDATE (3/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-        childPrivileges: 6
-          Privilege: USERS_ALIAS (1/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_MOVE (2/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_RESET_PASSWORD (3/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_FORCE_PASSWORD_CHANGE (4/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_ADD_NICKNAME (5/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_SUSPEND (6/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-      Privilege: USERS_UPDATE_CUSTOM_ATTRIBUTES_USER_PRIVILEGE_GROUP (4/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: USERS_DELETE (5/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-  Privilege: GROUPS_ALL (50/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 4
-      Privilege: GROUPS_CREATE (1/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-      Privilege: GROUPS_RETRIEVE (2/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-      Privilege: GROUPS_UPDATE (3/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-      Privilege: GROUPS_DELETE (4/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: USER_SECURITY_ALL (51/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: True
-  Privilege: DATATRANSFER_API_PRIVILEGE_GROUP (52/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: DOMAIN_REGISTRATION_MANAGEMENT (53/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: SCHEMA_MANAGEMENT (54/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: SCHEMA_RETRIEVE
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: LICENSING (55/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: LICENSING_READ
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: BILLING (56/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: BILLING_READ
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: SAML2_SERVICE_PROVIDER (57/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: DOMAIN_MANAGEMENT (58/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: UPGRADE_CONSUMER_CONVERSION (59/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: TRUSTED_DOMAIN_WHITELIST_WRITE (60/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: TRUSTED_DOMAIN_WHITELIST_READ
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: FULL_MIGRATION_ACCESS (61/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: EXECUTE_MIGRATION
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-        childPrivileges: 1
-          Privilege: MODIFY_MIGRATION
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: False
-            childPrivileges: 1
-              Privilege: VIEW_MIGRATION
-                serviceId: 00haapch16h1ysv
-                serviceName: admin_apis
-                isOuScopable: False
-  Privilege: GROUPS_MANAGE_SECURITY_LABEL (62/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: GROUPS_MANAGE_LOCKED_LABEL (63/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: ADMIN_REPORTING_ACCESS (64/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: REPORTING_AUDIT_ACCESS
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: SUPPORT_PRIVILEGE_GROUP (65/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: APPS_INCIDENTS_FULL_ACCESS (66/91)
-    serviceId: 02pta16n3efhw69
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 2
-      Privilege: APPS_INCIDENTS_READONLY (1/2)
-        serviceId: 02pta16n3efhw69
-        serviceName: Unknown
-        isOuScopable: False
-      Privilege: APPS_INCIDENTS_VIEW_VIRUSTOTAL_REPORTS (2/2)
-        serviceId: 02pta16n3efhw69
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: APP_ADMIN (67/91)
-    serviceId: 019c6y1840fzfkt
-    serviceName: classroom
-    isOuScopable: True
-  Privilege: ADMIN_OVERSIGHT_MANAGE_CLASSES (68/91)
-    serviceId: 019c6y1840fzfkt
-    serviceName: classroom
-    isOuScopable: True
-  Privilege: EDU_ANALYTICS_DATA_ACCESS (69/91)
-    serviceId: 019c6y1840fzfkt
-    serviceName: classroom
-    isOuScopable: True
-  Privilege: APP_ADMIN (70/91)
-    serviceId: 037m2jsg46www3g
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DYNAMITE_SETTINGS (71/91)
-    serviceId: 03whwml44f3n4vd
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MODERATE_DYNAMITE_REPORT (72/91)
-    serviceId: 03whwml44f3n4vd
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DYNAMITE_SPACES (73/91)
-    serviceId: 03whwml44f3n4vd
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (74/91)
-    serviceId: 03hv69ve4bjwe54
-    serviceName: Unknown
-    isOuScopable: True
-    childPrivileges: 6
-      Privilege: MANAGE_CHROME_USER_SETTINGS (1/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 2
-          Privilege: MANAGE_CHROME_APPLICATION_SETTINGS (1/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: MANAGE_CHROME_WEB_SETTINGS (2/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: MANAGE_CHROME_BROWSERS (2/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 1
-          Privilege: MANAGED_CHROME_BROWSERS_READ_ONLY
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: VIEW_CHROME_REPORTS (3/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 4
-          Privilege: VIEW_CHROME_EXTENSIONS_REPORT (1/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: VIEW_CHROME_VERSION_REPORT (2/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: VIEW_CHROME_INSIGHTS_REPORT (3/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: VIEW_CHROME_PRINTERS_REPORT (4/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: MANAGE_PRINTERS (4/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-      Privilege: MANAGE_DEVICES (5/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 2
-          Privilege: MANAGE_DEVICES_READ_ONLY (1/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-            childPrivileges: 1
-              Privilege: TELEMETRY_API
-                serviceId: 03hv69ve4bjwe54
-                serviceName: Unknown
-                isOuScopable: True
-                childPrivileges: 19
-                  Privilege: TELEMETRY_API_DEVICE (1/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_USER (2/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_AUDIO_REPORT (3/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_BUS_DEVICE_INFO (4/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_OS_REPORT (5/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_CPU_INFO (6/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_CPU_REPORT (7/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_MEMORY_INFO (8/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_MEMORY_REPORT (9/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_GRAPHICS_INFO (10/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_GRAPHICS_REPORT (11/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_BATTERY_INFO (12/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_BATTERY_REPORT (13/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_STORAGE_INFO (14/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_STORAGE_REPORT (15/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_NETWORK_INFO (16/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_NETWORK_REPORT (17/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_DEVICE_ACTIVITY_REPORT (18/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_PERIPHERALS_REPORT (19/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-          Privilege: DEVICE_ACTION_CRD (2/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: MANAGE_DEVICE_SETTINGS (6/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: SERVICE_DATA_DOWNLOADER (75/91)
-    serviceId: 03hv69ve4bjwe54
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DIRECTORY_SYNC_SETTINGS (76/91)
-    serviceId: 0147n2zr1ynkkmf
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: READ_DIRECTORY_SYNC_SETTINGS
-        serviceId: 0147n2zr1ynkkmf
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: APP_ADMIN (77/91)
-    serviceId: 0279ka651l5iy5q
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: ADMIN_QUALITY_DASHBOARD_ACCESS
-        serviceId: 0279ka651l5iy5q
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: SECURITY_SETTINGS (78/91)
-    serviceId: 00vx122734tbite
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: INBOUND_SSO_SETTINGS
-        serviceId: 00vx122734tbite
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: VIEW_DLP_RULE (79/91)
-    serviceId: 02250f4o3hg8pg8
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DLP_RULE (80/91)
-    serviceId: 02250f4o3hg8pg8
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (81/91)
-    serviceId: 00nmf14n14wtgcf
-    serviceName: app_maker
-    isOuScopable: False
-  Privilege: VIEW_ALL_PROJECTS (82/91)
-    serviceId: 00nmf14n14wtgcf
-    serviceName: app_maker
-    isOuScopable: False
-  Privilege: APP_ADMIN (83/91)
-    serviceId: 02zbgiuw2wdxo5p
-    serviceName: youtube
-    isOuScopable: False
-  Privilege: APP_ADMIN (84/91)
-    serviceId: 03as4poj2zjehv7
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (85/91)
-    serviceId: 02afmg283v5nmx6
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: ADMIN_QUALITY_DASHBOARD_ACCESS
-        serviceId: 02afmg283v5nmx6
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: APP_ADMIN (86/91)
-    serviceId: 00upglbi0qz687j
-    serviceName: takeout
-    isOuScopable: False
-  Privilege: CLOUD_PRINT_MANAGER (87/91)
-    serviceId: 02bn6wsx379ol8g
-    serviceName: cloud_print
-    isOuScopable: False
-  Privilege: MANAGE_AGE_BASED_ACCESS_SETTINGS_AGE_LABEL (88/91)
-    serviceId: 046r0co22dnadsi
-    serviceName: Unknown
-    isOuScopable: True
-    childPrivileges: 1
-      Privilege: AGE_BASED_ACCESS_SETTINGS_AGE_LABEL_READ
-        serviceId: 046r0co22dnadsi
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: LOGO_PRIVILEGE_GROUP (89/91)
-    serviceId: 03j2qqm31d4j55e
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (90/91)
-    serviceId: 04f1mdlm0ki64aw
-    serviceName: cros
-    isOuScopable: True
-    childPrivileges: 7
-      Privilege: MANAGE_DEVICES (1/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: MANAGE_USER_SETTINGS (2/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-        childPrivileges: 1
-          Privilege: MANAGE_APPLICATION_SETTINGS
-            serviceId: 04f1mdlm0ki64aw
-            serviceName: cros
-            isOuScopable: True
-      Privilege: MANAGE_DEVICE_SETTINGS (3/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: MANAGE_BROWSERS (4/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: VIEW_EXTENSIONS_REPORT (5/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: VIEW_VERSION_REPORT (6/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: MANAGE_PRINTERS (7/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-  Privilege: APP_ADMIN (91/91)
-    serviceId: 02et92p02l9sq0n
-    serviceName: Unknown
-    isOuScopable: True
-```
-
-## Manage administrative roles
-```
-gam create adminrole <String> privileges all|all_ou|<PrivilegeList> [description <String>]
-gam update adminrole <RoleItem> [name <String>] [privileges all|all_ou|<PrivilegeList>] [description <String>]
-gam delete adminrole <RoleItem>
-```
-* `privileges all` - All defined privileges
-* `privileges all_ou` - All defined privileges than can be scoped to an OU
-* `privileges <PrivilegeList>` - A specific list of privileges
-
-## Display administrative roles
-```
-gam info adminrole <RoleItem> [privileges]
-gam print adminroles|roles [todrive <ToDriveAttribute>*]
-        [privileges] [oneitemperrow]
-gam show adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
-```
-* `privileges` - Display privileges associated with each role
-
-By default, all privileges for a role are shown on one row as a repeating item.
-When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
-
-## Create an administrator
-Add an administrator role to an administrator.
-```
-gam create admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
-        [condition securitygroup|nonsecuritygroup]
-```
-* `customer` - The administrator can manage all organization units
-* `org_unit <OrgUnitItem>` - The administrator can manage the specified organization unit
-
-The option `condition` limits the conditions for delegate admin access. This currently only works with the _GROUPS_EDITOR_ROLE and _GROUPS_READER_ROLE roles.
-* `condition securitygroup` - limit the delegated admin to managing security groups
-* `condition nonsecuritygroup` - limit the delegated admin to managing non-security groups
-
-## Delete an administrator
-Remove an administrator role from an administrator.
-```
-gam delete admin <RoleAssignmentId>
-```
-## Display administrators
-```
-gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
-        [privileges] [oneitemperrow]
-gam show admins
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
-```
-By default, all administrators and roles are displayed; choose from the following
-options to limit the display:
-* `user <UserItem>` -  Display only this administrator
-* `role <RoleItem>` - Display only administrators with this role
-
-* `condition` - Display any conditions associated with a role assignment
-* `privileges` - Display privileges associated with each role assignment
-
-By default, all role privileges for an admin are shown on one row as a repeating item.
-When `oneitemperrow` is specified, each role privilege is output on a separate row/line with the other admin fields.
-
-In versions prior to 6.07.01, specification of both `user <UserItem>`
-and `role <RoleItem>` generated no output due to an undocumented API rule that disallows both.
-
-## Copy roles from one administrator to another
-Get roles for current admin.
-```
-gam redirect csv ./CurrentAdminRoles.csv print admins user currentadmin@domain.com
-```
-Add roles to new admin.
-```
-gam config csv_input_row_filter "scopeType:regex:CUSTOMER" redirect stdout ./UpdateNewAdminCustomerRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" customer
-gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./UpdateNewAdminOrgUnitRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" org_unit "id:~~orgUnitId~~"
-```
-
--- a/docs/Downloads-Installs.md
+++ b/docs/Downloads-Installs.md
@@ -1,64 +0,0 @@
-# Downloads-Installs
-You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:
-
-* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
-  - Start a terminal session and execute one of the following commands:
-  - New install, default path `$HOME/bin`
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh)`
-  - New install, specify a path
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -d <Path>`
-  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l`
-  - Update to latest version, do not create project or authorizations, specify a path
-    - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l -d <Path>`
-
-By default, a folder, `gamadv-xtd3`, is created in the default or specified path and the files are downloaded into that folder.
-Add the `-s` option to the end of the above commands to suppress creating the `gamadv-xtd3` folder; the files are downloaded directly into the default or specified path.
-
-* Executable Archive, Manual, Linux/Google Cloud Shell
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.35.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.31.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.27.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.23.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.19.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-x86_64-legacy.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session.
-
-* Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
-  - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.31.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.27.tar.xz`
-  - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.23.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session.
-
-* Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
-  - `gamadv-xtd3-6.wx.yz-macos-arm64.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session.
-
-* Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
-  - `gamadv-xtd3-6.wx.yz-macos-x86_64.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session.
-
-* Executable Archive, Manual, Windows 64 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86_64.zip`
-  - Download the archive, extract the contents into some directory.
-  - Start a Command Prompt/PowerShell session.
-
-* Executable Installer, Manual, Windows 64 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86_64.msi`
-  - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session.
-
-* Winget
-  - `winget install taers232c.GAMADV-XTD3 --location C:\GAMADV-XTD3`
-  - Specify an alternate location if desired
-  - Start a Command Prompt/PowerShell session.
-  
-* Source, all platforms
-  - `Source code(zip)`
-  - `Source code(tar.gz)`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal/Command Prompt/PowerShell session.
--- a/docs/GAMADV-XTD3-on-Android-Devices.md
+++ b/docs/GAMADV-XTD3-on-Android-Devices.md
@@ -1,16 +0,0 @@
-# GAMADV-XTD3 on Android Devices
-GAMADV-XTD3 now runs on 64-bit Android devices such as Google's Pixel phones. The installation requires an app that adds the Linux environment to Android such as [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US).
-
-_Note: Chromebooks / Chrome OS devices should install GAMADV-XTD3 using [these instructions](GAMADV-XTD3-on-Chrome-OS-Devices)._
-
-1. Install the [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US) app.
-2. Click Debian to install a Debian environment.
-3. Set a username and password.
-4. Choose SSH for connection type.
-5. Once setup, login with the password to get to a Linux shell.
-6. Run the following commands to install prerequisites:
-```
-    sudo apt update
-    sudo apt install curl python3
-```
-7. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
--- a/docs/GAMADV-XTD3-on-Chrome-OS-Devices.md
+++ b/docs/GAMADV-XTD3-on-Chrome-OS-Devices.md
@@ -1,14 +0,0 @@
-# GAMADV-XTD3 on Chrome OS Devices
-Chrome OS devices that [support Linux apps](https://support.google.com/chromebook/answer/9145439?hl=en) can run GAMADV-XTD3. This includes Intel/AMD x86_64 Chromebooks as well as ARM-based Chromebooks with Mediatek or Rockchip 64-bit CPUs.
-
-1. [Set up Linux on your Chromebook](https://support.google.com/chromebook/answer/9145439?hl=en).
-1. From the Terminal app, run the following commands:
-```
-    sudo apt update
-    sudo apt install xz-utils
-```
-3. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
-
-# Google cloud shell
-
-Note that from a Chrome OS device, it might be just as easy to use [Google Cloud Shell](https://cloud.google.com/shell). Especially if you are concerned about network connectivity and/or bandwidth, using a shell instance within Google's server infrastructure is always going to be less resource intensive than sending data back and forth between a Google API and your local machine on your local network.
--- a/docs/Home.md
+++ b/docs/Home.md
@@ -1,61 +0,0 @@
- [Introduction](#introduction)
- [Requirements](#requirements)
- [Installation - First time GAM7 installation](#installation---first-time-gam7-installation)
- [Installation - Upgrading from Legacy GAM](#installation---upgrading-from-legacy-gam)
-
-# Introduction
-GAM7 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
-
-This page provides simple instructions for downloading, installing and starting to use GAM7.
-
-GAM7 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
-
-GAM7 is a rewrite/extension of Jay Lee's [Legacy GAM], without his efforts, this version wouldn't exist.
-
-GAM7 is backwards compatible with [Legacy GAM], meaning that if your command works with Legacy GAM, it will also work with GAM7. There may be differences in output, but the syntax is compatible.
-
-# Documentation
-Documentation for GAM7 is hosted in the [GitHub GAM7 Wiki] and in Gam*.txt files.
-Legacy GAM documentation is hosted in the [GitHub Legacy Wiki].
-
-# Mailing List / Discussion group
-The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.
-
-# Source Repository
-The official GAM7 source repository is on [GitHub] in the master branch.
-
-# Author
-GAM7 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
-
-# Requirements
-To run all commands properly, GAM7 requires three things:
-* An API project which identifies your install of GAM7 to Google and keeps track of API quotas.
-* Authorization to act as your Google Workspace Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
-* A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.
-
-# Installation - First time GAM7 installation
-Use these steps if you have never used any version of GAM in your domain. They will create a GAM project
-and all necessary authentications.
-
-* Download: [Downloads-Installs](Downloads-Installs)
-* Configuration: [GAM7 Configuration](gam.cfg)
-* Install: [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
-
-# Installation - Upgrading from Legacy GAM
-Use these steps if you have used any version of Legacy GAM in your domain. They will update your GAM project
-and all necessary authentications.
-
-* Download: [Downloads-Installs](Downloads-Installs)
-* Configuration: [GAM7 Configuration](gam.cfg)
-* Upgrade: [How to Upgrade from Legacy GAM](How-to-Upgrade-from-Legacy-GAM)
-
-You can install multiple versions of GAM and GAM7 in different parallel directories.
-
-[Legacy GAM]: https://github.com/GAM-team/GAM/releases?q=6.58&expanded=true
-[GAM7]: https://github.com/GAM-team/GAM
-[GitHub Releases]: https://github.com/GAM-team/GAM/releases
-[GitHub]: https://github.com/GAM-team/GAM/tree/master
-[GitHub Legacy Wiki]: https://github.com/GAM-team/GAM/wiki/
-[GitHub GAM7 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki/
-[Google Groups]: https://groups.google.com/group/google-apps-manager
-[GAM Updates]: https://github.com/taers232c/GAMADV-XTD3/wiki/GamUpdates
--- a/docs/How-to-Install-Advanced-Gam.md
+++ b/docs/How-to-Install-Advanced-Gam.md
@@ -1,938 +0,0 @@
-# Installing GAMADV-XTD3
-Use these steps if you have never used any version of GAM in your domain. They will create your GAM project
-and all necessary authentications.
-
- [Downloads-Installs](Downloads-Installs)
- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
- [Windows](#windows)
- [GAM Configuration](gam.cfg)
-
-## Linux and MacOS and Google Cloud Shell
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-In these examples, the user home folder is shown as /Users/admin; adjust according to your
-specific situation; e.g., /home/administrator.
-
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-### Set a configuration directory
-
-The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
-probably want to select a non-hidden location. This example assumes that the GAM
-configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
-substitute that value in the directions.
-
-Make the directory:
-```
-mkdir -p /Users/admin/GAMConfig
-```
-
-Add the following line:
-```
-export GAMCFGDIR="/Users/admin/GAMConfig"
-```
-to one of these files based on your shell:
-```
-~/.bash_profile
-~/.bashrc
-~/.zshrc
-~/.profile
-```
-
-Issue the following command replacing `<Filename>` with the name of the file you edited:
-```
-source <Filename>
-```
-
-You need to make sure the GAM configuration directory actually exists. Test that like this:
-```
-ls -l $GAMCFGDIR
-```
-
-### Set a working directory
-
-You should establish a GAM working directory; you will store your GAM related
-data in this folder and execute GAM commands from this folder. You should not use
-/Users/admin/bin/gamadv-xtd3 or /Users/admin/GAMConfig for this purpose.
-This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
-another directory, substitute that value in the directions.
-
-Make the directory:
-```
-mkdir -p /Users/admin/GAMWork
-```
-
-### Set an alias
-You should set an alias to point to /Users/admin/bin/gamadv-xtd3/gam so you can operate from the /Users/admin/GAMWork directory.
-Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
-
-Add the following line:
-```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
-```
-to one of these files based on your shell:
-```
-~/.bash_aliases
-~/.bash_profile
-~/.bashrc
-~/.zshrc
-~/.profile
-```
-
-Issue the following command replacing `<Filename>` with the name of the file you edited:
-```
-source <Filename>
-```
-
-### Set a symlink
-Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
-```
-ln -s "/Users/admin/bin/gamadv-xtd3/gam" /usr/local/bin/gam
-```
-
-### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
-```
-admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
-Created: /Users/admin/GAMConfig
-Created: /Users/admin/GAMConfig/gamcache
-Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
-Section: DEFAULT
-  ...
-  cache_dir = /Users/admin/GAMConfig/gamcache
-  ...
-  config_dir = /Users/admin/GAMConfig
-  ...
-  drive_dir = /Users/admin/GAMWork
-  ...
-
-admin@server:/Users/admin$
-```
-### Verify initialization, this was a successful installation.
-```
-admin@server:/Users/admin$ ls -l $GAMCFGDIR
-total 48
-rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
-drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
-rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
-admin@server:/Users/admin$ 
-```
-### Create your project with local browser
-```
-admin@server:/Users/admin$ gam create project
-WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
-WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLI...response_type=code
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-Creating project "GAM Project"...
-Checking project status...
-Project: gam-project-abc-def-ghi, Enable 23 APIs
-  API: admin.googleapis.com, Enabled (1/23)
-  API: alertcenter.googleapis.com, Enabled (2/23)
-  API: appsactivity.googleapis.com, Enabled (3/23)
-  API: audit.googleapis.com, Enabled (4/23)
-  API: calendar-json.googleapis.com, Enabled (5/23)
-  API: chat.googleapis.com, Enabled (6/23)
-  API: classroom.googleapis.com, Enabled (7/23)
-  API: contacts.googleapis.com, Enabled (8/23)
-  API: drive.googleapis.com, Enabled (9/23)
-  API: driveactivity.googleapis.com, Enabled (10/23)
-  API: gmail.googleapis.com, Enabled (11/23)
-  API: groupsmigration.googleapis.com, Enabled (12/23)
-  API: groupssettings.googleapis.com, Enabled (13/23)
-  API: iam.googleapis.com, Enabled (14/23)
-  API: iap.googleapis.com, Enabled (15/23)
-  API: licensing.googleapis.com, Enabled (16/23)
-  API: people.googleapis.com, Enabled (17/23)
-  API: pubsub.googleapis.com, Enabled (18/23)
-  API: reseller.googleapis.com, Enabled (19/23)
-  API: sheets.googleapis.com, Enabled (20/23)
-  API: siteverification.googleapis.com, Enabled (21/23)
-  API: storage-api.googleapis.com, Enabled (22/23)
-  API: vault.googleapis.com, Enabled (23/23)
-Setting GAM project consent screen...
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
-Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
-Please go to:
-
-https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
-
-1. Choose "Desktop App" or "Other" for "Application type".
-2. Enter "GAM" or another desired value for "Name".
-3. Click the blue "Create" button.
-4. Copy your "client ID" value that shows on the next page.
-
-Enter your Client ID: CLIENTID
-
-5. Go back to your browser and copy your "client secret" value.
-Enter your Client Secret: CLIENTSECRET
-6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
-That's it! Your GAM Project is created and ready to use.
-
-admin@server:/Users/admin$ 
-```
-### Create your project without local browser (Google Cloud Shell for instance)
-```
-admin@server:/Users/admin$ gam config no_browser true save
-admin@server:/Users/admin$ gam create project
-WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
-WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
-
-Go to the following link in a browser on other computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?re... m&prompt=consent
-
-Enter verification code: abc...xyz
-
-Authentication successful.
-Creating project "GAM Project"...
-Checking project status...
-Project: gam-project-abc-def-ghi, Enable 23 APIs
-  API: admin.googleapis.com, Enabled (1/23)
-  API: alertcenter.googleapis.com, Enabled (2/23)
-  API: appsactivity.googleapis.com, Enabled (3/23)
-  API: audit.googleapis.com, Enabled (4/23)
-  API: calendar-json.googleapis.com, Enabled (5/23)
-  API: chat.googleapis.com, Enabled (6/23)
-  API: classroom.googleapis.com, Enabled (7/23)
-  API: contacts.googleapis.com, Enabled (8/23)
-  API: drive.googleapis.com, Enabled (9/23)
-  API: driveactivity.googleapis.com, Enabled (10/23)
-  API: gmail.googleapis.com, Enabled (11/23)
-  API: groupsmigration.googleapis.com, Enabled (12/23)
-  API: groupssettings.googleapis.com, Enabled (13/23)
-  API: iam.googleapis.com, Enabled (14/23)
-  API: iap.googleapis.com, Enabled (15/23)
-  API: licensing.googleapis.com, Enabled (16/23)
-  API: people.googleapis.com, Enabled (17/23)
-  API: pubsub.googleapis.com, Enabled (18/23)
-  API: reseller.googleapis.com, Enabled (19/23)
-  API: sheets.googleapis.com, Enabled (20/23)
-  API: siteverification.googleapis.com, Enabled (21/23)
-  API: storage-api.googleapis.com, Enabled (22/23)
-  API: vault.googleapis.com, Enabled (23/23)
-Setting GAM project consent screen...
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
-Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
-Please go to:
-
-https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
-
-1. Choose "Desktop App" or "Other" for "Application type".
-2. Enter "GAM" or another desired value for "Name".
-3. Click the blue "Create" button.
-4. Copy your "client ID" value that shows on the next page.
-
-Enter your Client ID: CLIENTID
-
-5. Go back to your browser and copy your "client secret" value.
-Enter your Client Secret: CLIENTSECRET
-6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
-That's it! Your GAM Project is created and ready to use.
-
-admin@server:/Users/admin$ 
-```
-### Enable GAMADV-XTD3 client access
-
-You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
-writes the credentials into the file oauth2.txt.
-
-```
-admin@server:/Users/admin$ gam oauth create
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - AppDetails read only
-[*]  3)  Chrome Management API - Telemetry read only
-[*]  4)  Chrome Management API - read only
-[*]  5)  Chrome Policy API (supports readonly)
-[*]  6)  Chrome Printer Management API (supports readonly)
-[*]  7)  Chrome Version History API
-[*]  8)  Classroom API - Course Announcements (supports readonly)
-[*]  9)  Classroom API - Course Topics (supports readonly)
-[*] 10)  Classroom API - Course Work/Materials (supports readonly)
-[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 12)  Classroom API - Courses (supports readonly)
-[*] 13)  Classroom API - Profile Emails
-[*] 14)  Classroom API - Profile Photos
-[*] 15)  Classroom API - Rosters (supports readonly)
-[*] 16)  Classroom API - Student Guardians (supports readonly)
-[ ] 17)  Cloud Channel API (supports readonly)
-[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
-[*] 19)  Cloud Identity Groups API (supports readonly)
-[*] 20)  Cloud Identity OrgUnits API (supports readonly)
-[*] 21)  Cloud Identity User Invitations API (supports readonly)
-[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
-[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
-[*] 24)  Contact Delegation API (supports readonly)
-[*] 25)  Contacts API - Domain Shared Contacts and GAL
-[*] 26)  Data Transfer API (supports readonly)
-[*] 27)  Directory API - Chrome OS Devices (supports readonly)
-[*] 28)  Directory API - Customers (supports readonly)
-[*] 29)  Directory API - Domains (supports readonly)
-[*] 30)  Directory API - Groups (supports readonly)
-[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 32)  Directory API - Organizational Units (supports readonly)
-[*] 33)  Directory API - Resource Calendars (supports readonly)
-[*] 34)  Directory API - Roles (supports readonly)
-[*] 35)  Directory API - User Schemas (supports readonly)
-[*] 36)  Directory API - User Security
-[*] 37)  Directory API - Users (supports readonly)
-[ ] 38)  Email Audit API
-[*] 39)  Groups Migration API
-[*] 40)  Groups Settings API
-[*] 41)  License Manager API
-[*] 42)  People API (supports readonly)
-[*] 43)  People Directory API - read only
-[ ] 44)  Pub / Sub API
-[*] 45)  Reports API - Audit Reports
-[*] 46)  Reports API - Usage Reports
-[ ] 47)  Reseller API
-[*] 48)  Site Verification API
-[ ] 49)  Sites API
-[*] 50)  Vault API (supports readonly)
-
-Select an unselected scope [ ] by entering a number; yields [*]
-For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
-For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
-Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
-Unselect a selected scope [*] by entering a number; yields [ ]
-Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
-Unselect all scopes by entering a 'u'; yields [ ] for all scopes
-Exit without changes/authorization by entering an 'e'
-Continue to authorization by entering a 'c'
-  Note, if all scopes are selected, Google will probably generate an authorization error
-
-Please enter 0-50[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address? admin@domain.com
-
-Go to the following link in a browser on this computer or on another computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
-
-If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
-click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-The authentication flow has completed.
-Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
-
-admin@server:/Users/admin$ 
-```
-
-If clicking on the link in the instructions does not work (i.e. you get a 404 or 400 error message, instead of something about 'unable to connect') the URL in the link is too long. Most likely, you have selected all scopes. Try again with fewer scopes until it works. (there is no harm in repeatedly trying)
-
-### Enable GAMADV-XTD3 service account access.
-```
-admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
-$ gam user admin@domain.com check serviceaccount
-System time status
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication
-  Authentication                                                            PASS
-Service Account Private Key age; Google recommends rotating keys on a routine basis
-  Service Account Private Key age: 0 days                                   PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-Some scopes FAILED!
-To authorize them, please go to:
-
-    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.go...huser=admin@domain.com
-
-You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
-The "Add a new Client ID" box will open
-Make sure that "Overwrite existing client ID" is checked
-Click AUTHORIZE
-When the box closes you're done
-After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
-
-admin@server:/Users/admin$
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
-System time status:
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
-  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-All scopes PASSED!
-
-Service Account Client name: SVCACCTID is fully authorized.
-
-admin@server:/Users/admin$ 
-```
-### Update gam.cfg with some basic values
-* `customer_id` - Having this data keeps Gam from having to make extra API calls
-* `domain` - This allows you to omit the domain portion of email addresses
-* `timezone local` - Gam will convert all UTC times to your local timezone
-```
-admin@server:/Users/admin$ gam info domain
-Customer ID: C01234567
-Primary Domain: domain.com
-Customer Creation Time: 2007-06-06T15:47:55.444Z
-Primary Domain Verified: True
-Default Language: en
-...
-
-admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
-Config File: /Users/admin/GAMConfig/gam.cfg, Saved
-Section: DEFAULT
-  ...
-  customer_id = C01234567
-  ...
-  domain = domain.com
-  ...
-  timezone = local
-  ...
-
-admin@server:/Users/admin$
-```
-
-## Windows
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-These steps assume Command Prompt, adjust if you're using PowerShell.
-
-### Set a configuration directory
-
-The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
-probably want to select a non user-specific location. This example assumes that the GAM
-configuration directory will be C:\GAMConfig; If you've chosen another directory,
-substitute that value in the directions.
-* Make the C:\GAMConfig directory before proceeding.
-
-### Set a working directory
-
-You should extablish a GAM working directory; you will store your GAM related
-data in this folder and execute GAM commands from this folder. You should not use
-C:\GAMADV-XTD3 or C:\GAMConfig for this purpose.
-This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
-another directory, substitute that value in the directions.
-* Make the C:\GAMWork directory before proceeding.
-
-### Set system path and GAM configuration directory
-You should set the system path to point to C:\GAMADV-XTD3 so you can operate from the C:\GAMWork directory.
-```
-Start Control Panel
-Click System
-Click Advanced system settings
-Click Environment Variables...
-Click Path under System variables
-Click Edit...
-If C:\GAMADV-XTD3 is already on the Path, skip the next three steps
-  Click New
-  Enter C:\GAMADV-XTD3
-  Click OK
-Click New
-Set Variable name: GAMCFGDIR
-Set Variable value: C:\GAMConfig
-Click OK
-Click OK
-Click OK
-Exit Control Panel
-```
-
-At this point, you should restart Command Prompt so that it has the updated path and environment variables.
-
-### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
-```
-C:\>gam config drive_dir C:\GAMWork verify
-Created: C:\GAMConfig
-Created: C:\GAMConfig\gamcache
-Config File: C:\GAMConfig\gam.cfg, Initialized
-Section: DEFAULT
-  ...
-  cache_dir = C:\GAMConfig\gamcache
-  ...
-  config_dir = C:\GAMConfig
-  ...
-  drive_dir = C:\GAMWork
-  ...
-
-C:\>
-```
-### Verify initialization, this was a successful installation.
-```
-C:\>dir %GAMCFGDIR%
- Volume in drive C has no label.
- Volume Serial Number is 663F-DA8B
-
- Directory of C:\GAMConfig
-
-03/03/2017  10:16 AM    <DIR>          .
-03/03/2017  10:16 AM    <DIR>          ..
-03/03/2017  10:15 AM             1,125 gam.cfg
-03/03/2017  10:15 AM    <DIR>          gamcache
-03/03/2017  10:15 AM                 0 oauth2.txt.lock
-               2 File(s)         15,769 bytes
-               3 Dir(s)  110,532,562,944 bytes free
-C:\>
-```
-
-### Create your project with local browser
-```
-C:\>gam create project
-WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
-WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oaut...pe=code
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-Creating project "GAM Project"...
-Checking project status...
-Project: gam-project-abc-def-ghi, Enable 23 APIs
-  API: admin.googleapis.com, Enabled (1/23)
-  API: alertcenter.googleapis.com, Enabled (2/23)
-  API: appsactivity.googleapis.com, Enabled (3/23)
-  API: audit.googleapis.com, Enabled (4/23)
-  API: calendar-json.googleapis.com, Enabled (5/23)
-  API: chat.googleapis.com, Enabled (6/23)
-  API: classroom.googleapis.com, Enabled (7/23)
-  API: contacts.googleapis.com, Enabled (8/23)
-  API: drive.googleapis.com, Enabled (9/23)
-  API: driveactivity.googleapis.com, Enabled (10/23)
-  API: gmail.googleapis.com, Enabled (11/23)
-  API: groupsmigration.googleapis.com, Enabled (12/23)
-  API: groupssettings.googleapis.com, Enabled (13/23)
-  API: iam.googleapis.com, Enabled (14/23)
-  API: iap.googleapis.com, Enabled (15/23)
-  API: licensing.googleapis.com, Enabled (16/23)
-  API: people.googleapis.com, Enabled (17/23)
-  API: pubsub.googleapis.com, Enabled (18/23)
-  API: reseller.googleapis.com, Enabled (19/23)
-  API: sheets.googleapis.com, Enabled (20/23)
-  API: siteverification.googleapis.com, Enabled (21/23)
-  API: storage-api.googleapis.com, Enabled (22/23)
-  API: vault.googleapis.com, Enabled (23/23)
-Setting GAM project consent screen...
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
-Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
-Please go to:
-
-https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
-
-1. Choose "Desktop App" or "Other" for "Application type".
-2. Enter "GAM" or another desired value for "Name".
-3. Click the blue "Create" button.
-4. Copy your "client ID" value that shows on the next page.
-
-Enter your Client ID: CLIENTID
-
-5. Go back to your browser and copy your "client secret" value.
-Enter your Client Secret: CLIENTSECRET
-6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
-That's it! Your GAM Project is created and ready to use.
-
-C:\>
-```
-### Create your project without local browser (headless server for instance)
-```
-C:\>gam config no_browser true save
-C:\>gam create project
-WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
-WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
-
-Go to the following link in a browser on other computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-Enter verification code: abc...xyz
-
-Authentication successful.
-Creating project "GAM Project"...
-Checking project status...
-Project: gam-project-abc-def-ghi, Enable 23 APIs
-  API: admin.googleapis.com, Enabled (1/23)
-  API: alertcenter.googleapis.com, Enabled (2/23)
-  API: appsactivity.googleapis.com, Enabled (3/23)
-  API: audit.googleapis.com, Enabled (4/23)
-  API: calendar-json.googleapis.com, Enabled (5/23)
-  API: chat.googleapis.com, Enabled (6/23)
-  API: classroom.googleapis.com, Enabled (7/23)
-  API: contacts.googleapis.com, Enabled (8/23)
-  API: drive.googleapis.com, Enabled (9/23)
-  API: driveactivity.googleapis.com, Enabled (10/23)
-  API: gmail.googleapis.com, Enabled (11/23)
-  API: groupsmigration.googleapis.com, Enabled (12/23)
-  API: groupssettings.googleapis.com, Enabled (13/23)
-  API: iam.googleapis.com, Enabled (14/23)
-  API: iap.googleapis.com, Enabled (15/23)
-  API: licensing.googleapis.com, Enabled (16/23)
-  API: people.googleapis.com, Enabled (17/23)
-  API: pubsub.googleapis.com, Enabled (18/23)
-  API: reseller.googleapis.com, Enabled (19/23)
-  API: sheets.googleapis.com, Enabled (20/23)
-  API: siteverification.googleapis.com, Enabled (21/23)
-  API: storage-api.googleapis.com, Enabled (22/23)
-  API: vault.googleapis.com, Enabled (23/23)
-Setting GAM project consent screen...
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
-Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
-Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
-Please go to:
-
-https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
-
-1. Choose "Desktop App" or "Other" for "Application type".
-2. Enter "GAM" or another desired value for "Name".
-3. Click the blue "Create" button.
-4. Copy your "client ID" value that shows on the next page.
-
-Enter your Client ID: CLIENTID
-
-5. Go back to your browser and copy your "client secret" value.
-Enter your Client Secret: CLIENTSECRET
-6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
-That's it! Your GAM Project is created and ready to use.
-
-C:\>
-```
-### Enable GAMADV-XTD3 client access
-
-You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
-writes the credentials into the file oauth2.txt.
-
-```
-C:\>gam oauth create
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - AppDetails read only
-[*]  3)  Chrome Management API - Telemetry read only
-[*]  4)  Chrome Management API - read only
-[*]  5)  Chrome Policy API (supports readonly)
-[*]  6)  Chrome Printer Management API (supports readonly)
-[*]  7)  Chrome Version History API
-[*]  8)  Classroom API - Course Announcements (supports readonly)
-[*]  9)  Classroom API - Course Topics (supports readonly)
-[*] 10)  Classroom API - Course Work/Materials (supports readonly)
-[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 12)  Classroom API - Courses (supports readonly)
-[*] 13)  Classroom API - Profile Emails
-[*] 14)  Classroom API - Profile Photos
-[*] 15)  Classroom API - Rosters (supports readonly)
-[*] 16)  Classroom API - Student Guardians (supports readonly)
-[ ] 17)  Cloud Channel API (supports readonly)
-[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
-[*] 19)  Cloud Identity Groups API (supports readonly)
-[*] 20)  Cloud Identity OrgUnits API (supports readonly)
-[*] 21)  Cloud Identity User Invitations API (supports readonly)
-[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
-[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
-[*] 24)  Contact Delegation API (supports readonly)
-[*] 25)  Contacts API - Domain Shared Contacts and GAL
-[*] 26)  Data Transfer API (supports readonly)
-[*] 27)  Directory API - Chrome OS Devices (supports readonly)
-[*] 28)  Directory API - Customers (supports readonly)
-[*] 29)  Directory API - Domains (supports readonly)
-[*] 30)  Directory API - Groups (supports readonly)
-[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 32)  Directory API - Organizational Units (supports readonly)
-[*] 33)  Directory API - Resource Calendars (supports readonly)
-[*] 34)  Directory API - Roles (supports readonly)
-[*] 35)  Directory API - User Schemas (supports readonly)
-[*] 36)  Directory API - User Security
-[*] 37)  Directory API - Users (supports readonly)
-[ ] 38)  Email Audit API
-[*] 39)  Groups Migration API
-[*] 40)  Groups Settings API
-[*] 41)  License Manager API
-[*] 42)  People API (supports readonly)
-[*] 43)  People Directory API - read only
-[ ] 44)  Pub / Sub API
-[*] 45)  Reports API - Audit Reports
-[*] 46)  Reports API - Usage Reports
-[ ] 47)  Reseller API
-[*] 48)  Site Verification API
-[ ] 49)  Sites API
-[*] 50)  Vault API (supports readonly)
-
-Select an unselected scope [ ] by entering a number; yields [*]
-For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
-For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
-Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
-Unselect a selected scope [*] by entering a number; yields [ ]
-Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
-Unselect all scopes by entering a 'u'; yields [ ] for all scopes
-Exit without changes/authorization by entering an 'e'
-Continue to authorization by entering a 'c'
-  Note, if all scopes are selected, Google will probably generate an authorization error
-
-Please enter 0-50[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address? admin@domain.com
-
-Go to the following link in a browser on this computer or on another computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
-
-If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
-click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-The authentication flow has completed.
-Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
-
-C:\>
-```
-### Enable GAMADV-XTD3 service account access.
-```
-C:\>gam user admin@domain.com check serviceaccount
-System time status
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication
-  Authentication                                                            PASS
-Service Account Private Key age; Google recommends rotating keys on a routine basis
-  Service Account Private Key age: 0 days                                   PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-Some scopes FAILED!
-To authorize them, please go to:
-
-    https://admin.google.com/ac/owl/domainwide...thuser=admin@domain.com
-
-You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
-The "Add a new Client ID" box will open
-Make sure that "Overwrite existing client ID" is checked
-Click AUTHORIZE
-When the box closes you're done
-After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
-
-C:\>
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-C:\>gam user admin@domain.com check serviceaccount
-System time status:
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
-  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-All scopes PASSED!
-
-Service Account Client name: SVCACCTID is fully authorized.
-
-C:\>
-```
-### Update gam.cfg with some basic values
-* `customer_id` - Having this data keeps Gam from having to make extra API calls
-* `domain` - This allows you to omit the domain portion of email addresses
-* `timezone local` - Gam will convert all UTC times to your local timezone
-```
-C:\>gam info domain
-Customer ID: C01234567
-Primary Domain: domain.com
-Customer Creation Time: 2007-06-06T15:47:55.444Z
-Primary Domain Verified: True
-Default Language: en
-...
-
-C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
-Config File: C:\GAMConfig\gam.cfg, Saved
-Section: DEFAULT
-  ...
-  customer_id = C01234567
-  ...
-  domain = domain.com
-  ...
-  timezone = local
-  ...
-
-C:\>
-```
--- a/docs/How-to-Uninstall-Advanced-Gam.md
+++ b/docs/How-to-Uninstall-Advanced-Gam.md
@@ -1,127 +0,0 @@
-# Uninstalling GAMADV-XTD3
-
- [Get Project Info](#get-project-info)
- [Remove Client API access](#remove-client-api-access)
- [Remove Service Account API access](#remove-service-account-api-access)
- [Delete GAM Project](#delete-gam-project)
- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
- [Windows](#windows)
-
-## Get Project Info
-```
-gam version
-```
-
-Note the `Config File:` path to `gam.cfg`. In that folder will be a file `oauth2service.json`; look at its contents.
-You want these two lines:
-```
-"client_id": "123691089974044844789"
-"project_id": "gam-project-123-456-789"
-```
-
-## Remove Client API access
-```
-gam oauth delete
-```
-
-## Remove Service Account API access
-In a browser, go to `https://admin.google.com`, login and go to the Security/API Controls/Domain-wide Delegation page.
-Find the `Client ID` that matches the `client_id` value from `oauth2service.json`, hover over it and click `Delete`.	
-
-## Delete GAM Project
-In a browser, go to `https://console.cloud.google.com/cloud-resource-manager`, login. Find the `ID` that matches
-the `project_id` value from `oauth2service.json`; click the three dots at the right end of the line and click `Delete`.
-In the box that pops up, put the `project_id` value in ther `Project ID*` field and click `SHUT DOWN`
-
-## Linux and MacOS and Google Cloud Shell
-
-In these examples, the user home folder is shown as /Users/admin; adjust according to your
-specific situation; e.g., /home/administrator.
-
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-### Delete executable directory
-
-```
-rm -fr /Users/admin/bin/gamadv-xtd3
-```
-
-### Delete configuration directory
-
-The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
-probably want to select a non-hidden location. This example assumes that the GAM
-configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
-substitute that value in the directions.
-```
-rm -fr /Users/admin/GAMConfig
-```
-
-### Delete  working directory
-
-This example assumes that the GAM working directory is be /Users/admin/GAMWork; If you've chosen
-another directory, substitute that value in the directions.
-```
-rm -fr /Users/admin/GAMConfig
-```
-
-### Remove executable alias and GAM configuration export
-
-Remove the following line:
-```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
-export GAMCFGDIR="/Users/admin/GAMConfig"
-```
-from these files based on your shell:
-```
-~/.bash_profile
-~/.bashrc
-~/.zshrc
-~/.profile
-```
-
-## Windows
-
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-### Delete executable directory
-
-In File Explorer, delete the `C:\GAMADV-XTD3` folder.
-
-### Delete configuration directory
-
-The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
-probably want to select a non user-specific location. This example assumes that the GAM
-configuration directory will be C:\GAMConfig; If you've chosen another directory,
-substitute that value in the directions.
-
-In File Explorer, delete the `C:\GAMConfig` folder.
-
-### Delete working directory
-
-This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
-another directory, substitute that value in the directions.
-
-In File Explorer, delete the `C:\GAMWork` folder.
-
-### Reset system path and GAM configuration directory
-```
-Start Control Panel
-Click System
-Click Advanced system settings
-Click Environment Variables...
-Click Path under System variables
-Click Edit...
-If C:\GAMADV-XTD3 is not on the Path, click Cancel and skip the next three steps
-  Click C:\GAMADV-XTD3
-  Click Delete
-  Click OK
-If GAMCFGDIR is not in System variables, skip the next two steps
-  Click GAMCFGDIR
-  Click Delete
-Click OK
-Click OK
-Exit Control Panel
-```
-
--- a/docs/How-to-Update-Advanced-GAM-to-GAM7.md
+++ b/docs/How-to-Update-Advanced-GAM-to-GAM7.md
@@ -1,120 +0,0 @@
-# Installation - Update Advanced GAM to GAM7
-
- [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
- [Windows](#windows)
-
-## Linux and MacOS and Google Cloud Shell
-
-This example assumes that GAMADV-XTD3 was installed in /Users/admin/bin/gamadv-xtd3.
-If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
-
-Rename install directory.
-```
-mv /Users/admin/bin/gamadv-xtd3 /Users/admin/bin/gam7
-```
-
-See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
-
-You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page. Choose one of the following:
-
-* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
-  - Start a terminal session and execute one of the following commands:
-  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
-    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
-  - Update to latest version, do not create project or authorizations, specify a path
-    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
-
-In these examples, the user home folder is shown as /Users/admin; adjust according to your
-specific situation; e.g., /home/administrator.
-
-### Update gam  alias
-You should set an alias to point to /Users/admin/bin/gam/gam so you can operate from the /Users/admin/GAMWork directory.
-Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
-
-Change the following line:
-```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
-```
-to
-```
-alias gam="/Users/admin/bin/gam7/gam"
-```
-in one of these files based on your shell:
-```
-~/.bash_aliases
-~/.bash_profile
-~/.bashrc
-~/.zshrc
-~/.profile
-```
-
-Issue the following command replacing `<Filename>` with the name of the file you edited:
-```
-source <Filename>
-```
-
-### Set a symlink if desired
-Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
-```
-ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
-```
-
-### Test
-```
-gam version
-```
-
-## Windows
-
-You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
-
-This example assumes that GAMADV-XTD3 was installed in C:\GAMADV-XTD3.
-If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
-
-These steps assume Command Prompt, adjust if you're using PowerShell.
-
-Rename install directory.
-```
-ren C:\GAMADV-STD3 C:\GAM7
-```
-
-See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
-
-* Executable Archive, Manual, Windows 64 bit
-  - `gam-7.wx.yz-windows-x86_64.zip`
-  - Download the archive, extract the contents into C:\GAM7.
-  - Start a Command Prompt/PowerShell session.
-
-* Executable Installer, Manual, Windows 64 bit
-  - `gam-7.wx.yz-windows-x86_64.msi`
-  - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session.
-
-### Update system path
-You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
-```
-Start Control Panel
-Click System
-Click Advanced system settings
-Click Environment Variables...
-Click Path under System variables
-Click Edit...
-If you have an existing entry referencing GAMADV-XTD3:
-  Click that entry
-  Click Delete
-If C:\GAM7 is already on the Path, skip the next three steps
-  Click New
-  Enter C:\GAM7
-  Click OK
-Click OK
-Click OK
-Exit Control Panel
-```
-
-At this point, you should restart Command Prompt so that it has the updated path and environment variables.
-
-### Test
-```
-gam version
-```
--- a/docs/How-to-Update-Advanced-Gam.md
+++ b/docs/How-to-Update-Advanced-Gam.md
@@ -1,581 +0,0 @@
-# Updating GAMADV-XTD3
-Use these steps to update your version of GAMADV-XTD3.
-
- [Downloads-Installs](Downloads-Installs)
- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
- [Windows](#windows)
- [GAM Configuration](gam.cfg)
-
-## Linux and MacOS and Google Cloud Shell
-
-### Download the latest version
-
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
-
-See: [Downloads-Installs](Downloads-Installs)
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-In these examples, the user home folder is shown as /Users/admin; adjust according to your
-specific situation; e.g., /home/administrator.
-
-### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
-This step may be omitted if you are updating from a recent version.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-admin@server:/Users/admin/bin/gamadv-xtd3$
-```
-### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAMADV-XTD3 uses
-This step may be omitted if you are updating from a recent version.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
-
-Go to the following link in a browser on other computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-Enter verification code: abc...xyz
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-admin@server:/Users/admin/bin/gamadv-xtd3$
-```
-### Update GAMADV-XTD3 client access
-
-You select a list of scopes, GAMADV-XTD3 uses a browser to get final authorization from Google for these scopes and
-writes the credentials into the file oauth2.txt.
-
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - AppDetails read only
-[*]  3)  Chrome Management API - Telemetry read only
-[*]  4)  Chrome Management API - read only
-[*]  5)  Chrome Policy API (supports readonly)
-[*]  6)  Chrome Printer Management API (supports readonly)
-[*]  7)  Chrome Version History API
-[*]  8)  Classroom API - Course Announcements (supports readonly)
-[*]  9)  Classroom API - Course Topics (supports readonly)
-[*] 10)  Classroom API - Course Work/Materials (supports readonly)
-[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 12)  Classroom API - Courses (supports readonly)
-[*] 13)  Classroom API - Profile Emails
-[*] 14)  Classroom API - Profile Photos
-[*] 15)  Classroom API - Rosters (supports readonly)
-[*] 16)  Classroom API - Student Guardians (supports readonly)
-[ ] 17)  Cloud Channel API (supports readonly)
-[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
-[*] 19)  Cloud Identity Groups API (supports readonly)
-[*] 20)  Cloud Identity OrgUnits API (supports readonly)
-[*] 21)  Cloud Identity User Invitations API (supports readonly)
-[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
-[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
-[*] 24)  Contact Delegation API (supports readonly)
-[*] 25)  Contacts API - Domain Shared Contacts and GAL
-[*] 26)  Data Transfer API (supports readonly)
-[*] 27)  Directory API - Chrome OS Devices (supports readonly)
-[*] 28)  Directory API - Customers (supports readonly)
-[*] 29)  Directory API - Domains (supports readonly)
-[*] 30)  Directory API - Groups (supports readonly)
-[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 32)  Directory API - Organizational Units (supports readonly)
-[*] 33)  Directory API - Resource Calendars (supports readonly)
-[*] 34)  Directory API - Roles (supports readonly)
-[*] 35)  Directory API - User Schemas (supports readonly)
-[*] 36)  Directory API - User Security
-[*] 37)  Directory API - Users (supports readonly)
-[ ] 38)  Email Audit API
-[*] 39)  Groups Migration API
-[*] 40)  Groups Settings API
-[*] 41)  License Manager API
-[*] 42)  People API (supports readonly)
-[*] 43)  People Directory API - read only
-[ ] 44)  Pub / Sub API
-[*] 45)  Reports API - Audit Reports
-[*] 46)  Reports API - Usage Reports
-[ ] 47)  Reseller API
-[*] 48)  Site Verification API
-[ ] 49)  Sites API
-[*] 50)  Vault API (supports readonly)
-
-Select an unselected scope [ ] by entering a number; yields [*]
-For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
-For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
-Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
-Unselect a selected scope [*] by entering a number; yields [ ]
-Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
-Unselect all scopes by entering a 'u'; yields [ ] for all scopes
-Exit without changes/authorization by entering an 'e'
-Continue to authorization by entering a 'c'
-  Note, if all scopes are selected, Google will probably generate an authorization error
-
-Please enter 0-50[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address? admin@domain.com
-
-Go to the following link in a browser on this computer or on another computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
-
-If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
-click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-The authentication flow has completed.
-Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
-
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
-```
-### Update GAMADV-XTD3 service account access.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
-$ gam user admin@domain.com check serviceaccount
-System time status
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication
-  Authentication                                                            PASS
-Service Account Private Key age; Google recommends rotating keys on a routine basis
-  Service Account Private Key age: 0 days                                   PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-Some scopes FAILED!
-To authorize them, please go to:
-
-    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
-
-You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
-The "Add a new Client ID" box will open
-Make sure that "Overwrite existing client ID" is checked
-Click AUTHORIZE
-When the box closes you're done
-After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
-
-admin@server:/Users/admin/bin/gamadv-xtd3$
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
-System time status:
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
-  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-All scopes PASSED!
-
-Service Account Client name: SVCACCTID is fully authorized.
-
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
-```
-
-## Windows
-
-### Download the latest version
-
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
-
-See: [Downloads-Installs](Downloads-Installs)
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-These steps assume Command Prompt, adjust if you're using PowerShell.
-
-### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
-This step may be omitted if you are updating from a recent version.
-```
-C:\GAMADV-XTD3>gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-C:\GAMADV-XTD3>
-```
-### Update your project without local browser (headless server for instance) to include the additional APIs that GAMADV-XTD3 uses
-This step may be omitted if you are updating from a recent version.
-```
-C:\GAMADV-XTD3>gam config no_browser true save
-C:\GAMADV-XTD3>gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
-
-Go to the following link in a browser on other computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-Enter verification code: abc...xyz
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-C:\GAMADV-XTD3>
-```
-### Update GAMADV-XTD3 client access
-
-You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
-writes the credentials into the file oauth2.txt.
-
-```
-C:\GAMADV-XTD3>gam oauth create
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - AppDetails read only
-[*]  3)  Chrome Management API - Telemetry read only
-[*]  4)  Chrome Management API - read only
-[*]  5)  Chrome Policy API (supports readonly)
-[*]  6)  Chrome Printer Management API (supports readonly)
-[*]  7)  Chrome Version History API
-[*]  8)  Classroom API - Course Announcements (supports readonly)
-[*]  9)  Classroom API - Course Topics (supports readonly)
-[*] 10)  Classroom API - Course Work/Materials (supports readonly)
-[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 12)  Classroom API - Courses (supports readonly)
-[*] 13)  Classroom API - Profile Emails
-[*] 14)  Classroom API - Profile Photos
-[*] 15)  Classroom API - Rosters (supports readonly)
-[*] 16)  Classroom API - Student Guardians (supports readonly)
-[ ] 17)  Cloud Channel API (supports readonly)
-[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
-[*] 19)  Cloud Identity Groups API (supports readonly)
-[*] 20)  Cloud Identity OrgUnits API (supports readonly)
-[*] 21)  Cloud Identity User Invitations API (supports readonly)
-[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
-[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
-[*] 24)  Contact Delegation API (supports readonly)
-[*] 25)  Contacts API - Domain Shared Contacts and GAL
-[*] 26)  Data Transfer API (supports readonly)
-[*] 27)  Directory API - Chrome OS Devices (supports readonly)
-[*] 28)  Directory API - Customers (supports readonly)
-[*] 29)  Directory API - Domains (supports readonly)
-[*] 30)  Directory API - Groups (supports readonly)
-[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 32)  Directory API - Organizational Units (supports readonly)
-[*] 33)  Directory API - Resource Calendars (supports readonly)
-[*] 34)  Directory API - Roles (supports readonly)
-[*] 35)  Directory API - User Schemas (supports readonly)
-[*] 36)  Directory API - User Security
-[*] 37)  Directory API - Users (supports readonly)
-[ ] 38)  Email Audit API
-[*] 39)  Groups Migration API
-[*] 40)  Groups Settings API
-[*] 41)  License Manager API
-[*] 42)  People API (supports readonly)
-[*] 43)  People Directory API - read only
-[ ] 44)  Pub / Sub API
-[*] 45)  Reports API - Audit Reports
-[*] 46)  Reports API - Usage Reports
-[ ] 47)  Reseller API
-[*] 48)  Site Verification API
-[ ] 49)  Sites API
-[*] 50)  Vault API (supports readonly)
-
-Select an unselected scope [ ] by entering a number; yields [*]
-For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
-For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
-Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
-Unselect a selected scope [*] by entering a number; yields [ ]
-Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
-Unselect all scopes by entering a 'u'; yields [ ] for all scopes
-Exit without changes/authorization by entering an 'e'
-Continue to authorization by entering a 'c'
-  Note, if all scopes are selected, Google will probably generate an authorization error
-
-Please enter 0-50[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address? admin@domain.com
-
-Go to the following link in a browser on this computer or on another computer:
-
-    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
-
-If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
-click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
-
-The authentication flow has completed.
-Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
-
-C:\GAMADV-XTD3>
-```
-### Update GAMADV-XTD3 service account access.
-```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
-System time status
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication
-  Authentication                                                            PASS
-Service Account Private Key age; Google recommends rotating keys on a routine basis
-  Service Account Private Key age: 0 days                                   PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-Some scopes FAILED!
-To authorize them, please go to:
-
-    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
-
-You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
-The "Add a new Client ID" box will open
-Make sure that "Overwrite existing client ID" is checked
-Click AUTHORIZE
-When the box closes you're done
-After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
-
-C:\GAMADV-XTD3>
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
-System time status:
-  Your system time differs from www.googleapis.com by less than 1 second    PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
-  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-All scopes PASSED!
-
-Service Account Client name: SVCACCTID is fully authorized.
-
-C:\GAMADV-XTD3>
-```
--- a/docs/How-to-Upgrade-from-GAMADV-X-or-GAMADV-XTD.md
+++ b/docs/How-to-Upgrade-from-GAMADV-X-or-GAMADV-XTD.md
@@ -1,551 +0,0 @@
-# Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD
-Use these steps if you have used any version of GAMADV-X or GAMADV-XTD in your domain.
-They will update your GAM project and all necessary authentications.
-
- [Downloads-Installs](Downloads-Installs)
- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
- [Windows](#windows)
- [GAM Configuration](gam.cfg)
-
-## Linux and MacOS and Google Cloud Shell
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-In these examples, the user home folder is shown as /Users/admin; adjust according to your
-specific situation; e.g., /home/administrator.
-
-This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
-If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-GAMADV-XTD3 uses the same configuration directory and gam.cfg file as GAMADV-X and GAMADV-XTD.
-
-### Update your alias
-You should update your alias to point to /Users/admin/bin/gamadv-xtd3/gam.
-
-Add/edit the following line:
-```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
-```
-to one of these files based on your shell:
-```
-~/.bash_aliases
-~/.bash_profile
-~/.bashrc
-~/.zshrc
-~/.profile
-```
-
-Issue the following command replacing `<Filename>` with the name of the file you edited:
-```
-source <Filename>
-```
-
-### Do you have a browser?
-If your computer doesn't support a browser, Google Cloud Shell for instance, execute this command:
-```
-admin@server:/Users/admin$ gam config no_browser true save
-```
-### Update your project to include the additional APIs that GAMADV-XTD3 uses.
-```
-admin@server:/Users/admin$ gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-admin@server:/Users/admin$
-```
-### Update GAMADV-XTD3 client access.
-
-Update oauth2.txt; it must be updated to reflect the additional capabilites of GAMADV-XTD3.
-
-You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
-writes the credentials into the file oauth2.txt.
-
-If the computer on which you are running GAM does not have access to a browser, issue this command:
-```
-gam config no_browser true oauth update
-```
-You will be given instructions on how to get the authorization on another computer and apply it locally.
-```
-admin@server:/Users/admin$ gam oauth update
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - AppDetails read only
-[*]  3)  Chrome Management API - Telemetry read only
-[*]  4)  Chrome Management API - read only
-[*]  5)  Chrome Policy API (supports readonly)
-[*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
-[*]  8)  Classroom API - Course Announcements (supports readonly)
-[*]  9)  Classroom API - Course Topics (supports readonly)
-[*] 10)  Classroom API - Course Work/Materials (supports readonly)
-[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 12)  Classroom API - Courses (supports readonly)
-[*] 13)  Classroom API - Profile Emails
-[*] 14)  Classroom API - Profile Photos
-[*] 15)  Classroom API - Rosters (supports readonly)
-[*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
-[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
-[*] 19)  Cloud Identity Groups API (supports readonly)
-[*] 20)  Cloud Identity OrgUnits API (supports readonly)
-[*] 21)  Cloud Identity User Invitations API (supports readonly)
-[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
-[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
-[*] 24)  Contact Delegation API (supports readonly)
-[*] 25)  Contacts API - Domain Shared Contacts and GAL
-[*] 26)  Data Transfer API (supports readonly)
-[*] 27)  Directory API - Chrome OS Devices (supports readonly)
-[*] 28)  Directory API - Customers (supports readonly)
-[*] 29)  Directory API - Domains (supports readonly)
-[*] 30)  Directory API - Groups (supports readonly)
-[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 32)  Directory API - Organizational Units (supports readonly)
-[*] 33)  Directory API - Resource Calendars (supports readonly)
-[*] 34)  Directory API - Roles (supports readonly)
-[*] 35)  Directory API - User Schemas (supports readonly)
-[*] 36)  Directory API - User Security
-[*] 37)  Directory API - Users (supports readonly)
-[ ] 38)  Email Audit API
-[*] 39)  Groups Migration API
-[*] 40)  Groups Settings API
-[*] 41)  License Manager API
-[*] 42)  People API (supports readonly)
-[*] 43)  People Directory API - read only
-[ ] 44)  Pub / Sub API
-[*] 45)  Reports API - Audit Reports
-[*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
-[*] 48)  Site Verification API
-[ ] 49)  Sites API
-[*] 50)  Vault API (supports readonly)
-
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-50[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address?admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLIENTID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.courses+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.announcements+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.coursework.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.guardianlinks.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.emails+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.photos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.rosters+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudprint+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.read_only+https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.datatransfer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.chromeos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.customer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.domain+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.group+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.mobile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.orgunit+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.resource.calendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.rolemanagement+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.userschema+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user.security+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Fcompliance%2Faudit%2F+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Femailsettings%2F2.0%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.migration+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.settings+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.licensing+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.audit.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.usage.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.order+https%3A%2F%2Fsites.google.com%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fediscovery&login_hint=admin%40domain.com&access_type=offline&response_type=code
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Updated
-
-admin@server:/Users/admin$
-```
-### Update GAMADV-XTD3 service account access.
-```
-admin@server:/Users/admin$ gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-Some scopes FAILED! Please go to:
-
-https://admin.google.com/domain.com/ManageOauthClients?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.google.com/m8/feeds,https://www.googleapis.com/auth/activity,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloudprint,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/userinfo.email&clientNameToAdd=SVCACCTID
-
-You will be directed to the Google Workspace admin console. The Client Name and API
-Scopes fields will be pre-populated. Please click Authorize to allow these
-scopes access. After authorizing it may take some time for this test to pass so
-wait a few moments and then try this command again.
-
-admin@server:/Users/admin$
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-admin@server:/Users/admin$ gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
-  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-All scopes PASSED!
-Service Account Client name: SVCACCTID is fully authorized.
-
-admin@server:/Users/admin$
-```
-
-## Windows
-
-In these examples, your Google Super admin is shown as admin@domain.com; replace with the
-actual email adddress.
-
-This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3; if you've installed
-GAMADV-XTD3 in another directory, substitute that value in the directions.
-
-GAMADV-XTD3 uses the same configuration directory and gam.cfg file as GAMADV-X and GAMADV-XTD.
-
-### Update system path
-You should update the system path to point to C:\GAMADV-XTD3.
-```
-Start Control Panel
-Click System
-Click Advanced system settings
-Click Environment Variables...
-Click Path under System variables
-Click Edit...
-If you have an existing entry referencing GAMADV-X or GAMADV-XTD:
-  Click that entry
-  Click Delete
-If C:\GAMADV-XTD3 is already on the Path, skip the next three steps
-  Click New
-  Enter C:\GAMADV-XTD3
-  Click OK
-Click OK
-Click OK
-Exit Control Panel
-```
-
-At this point, you should restart Command Prompt so that it has the updated path and environment variables.
-
-### Do you have a compatible browser?
-If the computer on which you are running GAM does not have access to a browser or
-your default browser is Internet Explorer or Edge, issue this command:
-```
-C:\>gam config no_browser true save
-```
-### Update your project to include the additional APIs that GAMADV-XTD3 uses.
-```
-C:\>gam update project
-
-Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-API: admin.googleapis.com, already enabled...
-API: appsactivity.googleapis.com, already enabled...
-API: calendar-json.googleapis.com, already enabled...
-API: classroom.googleapis.com, already enabled...
-API: contacts.googleapis.com, already enabled...
-API: drive.googleapis.com, already enabled...
-API: gmail.googleapis.com, already enabled...
-API: groupssettings.googleapis.com, already enabled...
-API: licensing.googleapis.com, already enabled...
-API: plus.googleapis.com, already enabled...
-API: reseller.googleapis.com, already enabled...
-API: siteverification.googleapis.com, already enabled...
-API: vault.googleapis.com, already enabled...
-Enable 3 APIs
-  API: audit.googleapis.com, Enabled (1/3)
-  API: groupsmigration.googleapis.com, Enabled (2/3)
-  API: sheets.googleapis.com, Enabled (3/3)
-
-C:\>
-```
-### Update GAMADV-XTD3 client access.
-
-Update oauth2.txt; it must be updated to reflect the additional capabilites of GAMADV-XTD3.
-
-If the PC on which you are running GAM does not have access to a browser or if
-your default browser is Internet Explorer or Edge, issue this command:
-```
-gam config no_browser true oauth update
-```
-You will be given instructions on how to get the authorization; this involves a long URL that must be copied/pasted.
-Older versions of Command Prompt and PowerShell (Windows 7/8, Server 2008) can't properly copy/paste multi line strings;
-GAM writes the long URL into the file `gamoauthurl.txt` in the folder with the GAM executable.
-You can open the file with Notepad/Wordpad, do a control-A to select the text, control-C to copy the text,
-start a browser and paste the URL (control-V) into the address bar. Authenticate and copy the Verification code
-back to your Command Prompt/PowerShell window.
-```
-C:\>gam oauth update
-
-Select the authorized scopes by entering a number.
-Append an 'r' to grant read-only access or an 'a' to grant action-only access.
-
-[*]  0)  Calendar API (supports readonly)
-[*]  1)  Chrome Browser Cloud Management API (supports readonly)
-[*]  2)  Chrome Management API - AppDetails read only
-[*]  3)  Chrome Management API - Telemetry read only
-[*]  4)  Chrome Management API - read only
-[*]  5)  Chrome Policy API (supports readonly)
-[*]  6)  Chrome Printer Management API (supports readonly)
-[ ]  7)  Chrome Version History API
-[*]  8)  Classroom API - Course Announcements (supports readonly)
-[*]  9)  Classroom API - Course Topics (supports readonly)
-[*] 10)  Classroom API - Course Work/Materials (supports readonly)
-[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
-[*] 12)  Classroom API - Courses (supports readonly)
-[*] 13)  Classroom API - Profile Emails
-[*] 14)  Classroom API - Profile Photos
-[*] 15)  Classroom API - Rosters (supports readonly)
-[*] 16)  Classroom API - Student Guardians (supports readonly)
-[*] 17)  Cloud Channel API (supports readonly)
-[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
-[*] 19)  Cloud Identity Groups API (supports readonly)
-[*] 20)  Cloud Identity OrgUnits API (supports readonly)
-[*] 21)  Cloud Identity User Invitations API (supports readonly)
-[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
-[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
-[*] 24)  Contact Delegation API (supports readonly)
-[*] 25)  Contacts API - Domain Shared Contacts and GAL
-[*] 26)  Data Transfer API (supports readonly)
-[*] 27)  Directory API - Chrome OS Devices (supports readonly)
-[*] 28)  Directory API - Customers (supports readonly)
-[*] 29)  Directory API - Domains (supports readonly)
-[*] 30)  Directory API - Groups (supports readonly)
-[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
-[*] 32)  Directory API - Organizational Units (supports readonly)
-[*] 33)  Directory API - Resource Calendars (supports readonly)
-[*] 34)  Directory API - Roles (supports readonly)
-[*] 35)  Directory API - User Schemas (supports readonly)
-[*] 36)  Directory API - User Security
-[*] 37)  Directory API - Users (supports readonly)
-[ ] 38)  Email Audit API
-[*] 39)  Groups Migration API
-[*] 40)  Groups Settings API
-[*] 41)  License Manager API
-[*] 42)  People API (supports readonly)
-[*] 43)  People Directory API - read only
-[ ] 44)  Pub / Sub API
-[*] 45)  Reports API - Audit Reports
-[*] 46)  Reports API - Usage Reports
-[*] 47)  Reseller API
-[*] 48)  Site Verification API
-[ ] 49)  Sites API
-[*] 50)  Vault API (supports readonly)
-
-     s)  Select all scopes
-     u)  Unselect all scopes
-     e)  Exit without changes
-     c)  Continue to authorization
-Please enter 0-50[a|r] or s|u|e|c: c
-
-Enter your Google Workspace admin email address? admin@domain.com
-
-Your browser has been opened to visit:
-
-    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLIENTID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.courses+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.announcements+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.coursework.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.guardianlinks.students+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.emails+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.profile.photos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fclassroom.rosters+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudprint+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdevstorage.read_only+https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.datatransfer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.chromeos+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.customer+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.domain+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.group+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.device.mobile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.orgunit+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.resource.calendar+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.rolemanagement+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.userschema+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user.security+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Fcompliance%2Faudit%2F+https%3A%2F%2Fapps-apis.google.com%2Fa%2Ffeeds%2Femailsettings%2F2.0%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.migration+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.groups.settings+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.licensing+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.audit.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.reports.usage.readonly+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fapps.order+https%3A%2F%2Fsites.google.com%2Ffeeds+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fediscovery&login_hint=admin%40domain.com&access_type=offline&response_type=code
-
-If your browser is on a different machine then press CTRL+C,
-set no_browser = true in gam.cfg and re-run this command.
-
-Authentication successful.
-Client OAuth2 File: C:\GAMConfig\oauth2.txt, Updated
-
-C:\>
-```
-### Enable GAMADV-XTD3 service account access.
-```
-C:\>gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
-  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-Some scopes FAILED! Please go to:
-
-https://admin.google.com/domain.com/ManageOauthClients?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.google.com/m8/feeds,https://www.googleapis.com/auth/activity,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloudprint,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/iam,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/userinfo.email&clientNameToAdd=SVCACCTID
-
-You will be directed to the Google Workspace admin console. The Client Name and API
-Scopes fields will be pre-populated. Please click Authorize to allow these
-scopes access. After authorizing it may take some time for this test to pass so
-wait a few moments and then try this command again.
-
-C:\>
-```
-The link shown in the error message should take you directly to the authorization screen.
-If not, make sure that you are logged in as a domain admin, then re-enter the link.
-
-### Verify GAMADV-XTD3 service account access.
-
-Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
-for the authorization to complete.
-```
-C:\>gam user user@domain.com check serviceaccount
-System time status:
-  Your system time differs by less than 1 second from Google                PASS
-Service Account Private Key Authentication:
-  Authentication                                                            PASS
-Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
-  https://mail.google.com/                                                  PASS (1/34)
-  https://sites.google.com/feeds                                            PASS (2/34)
-  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
-  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
-  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
-  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
-  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
-  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
-  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
-  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
-  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
-  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
-  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
-  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
-  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
-  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
-  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
-  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
-  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
-  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
-  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
-  https://www.googleapis.com/auth/documents                                 PASS (22/34)
-  https://www.googleapis.com/auth/drive                                     PASS (23/34)
-  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
-  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
-  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
-  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
-  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
-  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
-  https://www.googleapis.com/auth/keep                                      PASS (30/34)
-  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
-  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
-  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
-  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
-All scopes PASSED!
-Service Account Client name: SVCACCTID is fully authorized.
-
-C:\>
-```
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,73 +0,0 @@
-# Introduction
-GAMADV-XTD3 is a free, open source command line tool for Google Workspace (formerly G Suite) Administrators to manage domain and user settings quickly and easily.
-
-GAMADV-XTD3 is built with Python 3.
-
-This page provides simple instructions for downloading, installing and starting to use GAMADV-XTD3.
-
-GAMADV-XTD3 runs on all versions of Google Workspace; Google Apps Free Edition has limited API support and not all GAM commands work.
-
-GAMADV-XTD3 is a rewrite/extension of Jay Lee's [GAM], without his efforts, this version wouldn't exist.
-
-GAMADV-XTD3 is backwards compatible with [GAM], meaning that if your command works with regular GAM, it will also work with GAMADV-XTD3. There may be differences in output, but the syntax is compatible.
-
-# Documentation
-Documentation for GAMADV-XTD3 is hosted in the [GitHub GAMADV-XTD3 Wiki] and in Gam*.txt files.
-
-# Mailing List / Discussion group
-The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.
-
-# Source Repository
-The official GAMADV-XTD3 source repository is on [GitHub] in the master branch.
-
-# Author
-GAMADV-XTD3 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
-
-# Requirements
-To run all commands properly, GAMADV-XTD3 requires three things:
-* An API project which identifies your install of GAMADV-XTD3 to Google and keeps track of API quotas.
-* Authorization to act as your G Suite Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
-* A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.
-
-# Installation - First time GAM installation
-Use these steps if you have never used any version of GAM in your domain. They will create a GAM project
-and all necessary authentications.
-
-| [Downloads] | [Configuration] | [Install] |
-|    :---:    |      :---:      |   :---:   |
-
-# Installation - Update Advanced GAM
-Use these steps to update your version of GAMADV-XTD3.
-
-| [Downloads] | [Configuration] | [UpdateAdvanced] |
-|    :---:    |      :---:      |      :---:       |
-
-# Installation - Upgrading from Standard GAM
-Use these steps if you have used any version of Standard GAM in your domain. They will update your GAM project
-and all necessary authentications.
-
-| [Downloads] | [Configuration] | [UpgradeFromStandard] |
-|    :---:    |      :---:      |         :---:         |
-
-# Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD
-Use these steps if you already use GAMADV-X or GAMADV-XTD. The updates may tell you to update your GAM project
-or authentications because new features have been included.
-
-| [Updates]  | [Downloads] | [UpgradeFromAdvanced] |
-|   :---:    |    :---:    |         :---:         |
-
-# Multiple Versions
-You can install multiple versions of GAM and GAMADV-XTD3 in different parallel directories.
-
-[GAM]: https://github.com/GAM-team/GAM
-[GitHub Releases]: https://github.com/taers232c/GAMADV-XTD3/releases
-[GitHub]: https://github.com/taers232c/GAMADV-XTD3/tree/master
-[GitHub GAMADV-XTD3 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki
-[Google Groups]: https://groups.google.com/group/google-apps-manager
-[Downloads]: https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads
-[Configuration]: https://github.com/taers232c/GAMADV-XTD3/wiki/gam.cfg
-[Install]: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-Advanced-GAM
-[UpdateAdvanced]: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Update-Advanced-GAM
-[UpgradeFromStandard]: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Upgrade-from-Standard-GAM
-[Updates]: https://github.com/taers232c/GAMADV-XTD3/wiki/GAM-Updates
-[UpgradeFromAdvanced]: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Upgrade-from-GAMADV-X-or-GAMADV-XTD
--- a/docs/Running-GAMADV-XTD3-securely-on-a-Google-Compute-Engine.md
+++ b/docs/Running-GAMADV-XTD3-securely-on-a-Google-Compute-Engine.md
@@ -1,76 +0,0 @@
-# Running GAMADV-XTD3 securely on a Google Compute Engine
- [thanks](#thanks)
- [Introduction](#introduction)
- [Setup Steps](#setup-steps)
-
-## Thanks
-
-Thanks to Jay Lee for the original version of this document.
-
-## Introduction
-GAMADV-XTD3 can run on a Linux or Windows Google Compute Engine (GCE) VM and use the attached service account to access Google Workspace APIs. The advantage of this configuration is that no service account private key is accessible to GAMADV-XTD3 directly and there is no risk of the key being stolen/lost.
-
-GAMADV-XTD3 version 6.50.00 or higher is required.
-
-## Setup Steps
-1. Create a [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).
-
-2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAMADV-XTD3.
-   * Enter a value in `Service account name`
-   * Enter text in `Service account description`
-   * Click `Create` and `Continue`
-   * Click `Continue` under `Grant this service account access to project`
-   * Click `Done` under `Grant users access to this service account`
- 
-3. Grant the service account rights to generate authentication tokens.
-   * Go to [console.cloud.google.com](https://console.cloud.google.com).
-   * Go to `IAM & Admin` > `Service accounts`
-   * Click on the service account you created (not the default service account).
-   * Copy the email address of your service account to the clipboard.
-   * Click on the `Permissions` tab.
-   * Click `Grant Access`.
-   * In the `New principals` text box, paste the service account email you copied.
-   * Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
-   * Click `Save`
-
-4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances).
-   * Scroll down and start at Create a VM and attach the service account
-   * Click `Go to VM instances`
-   * Click `Create Instance`
-   * Enter a value for `Name`
-   * Configure `Manage Tags and Labels`
-   * You can choose a region physically close to you though you may be limited in your choices if you want to use the free tier.
-   * GAMADV-XTD3 can run on the minimal `e2-micro` [free tier VM](https://cloud.google.com/free/docs/free-cloud-features#compute) though performance may suffer. If you are performing batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance downloading reports or Drive file lists may require more RAM.
-   * Set `Service account` under `Identity and API access/API and identity management`; choose the service account you created above.
-   * Select `Set access for each API`
-   * Enable `Cloud Platform`
-   * GAMADV-XTD3 does not use a significant amount of storage, unless you have specific storage needs the default disk size should suffice.
-   * Leave other VM instance settings at their defaults unless you know what you are doing.
-   * Click `Create`
-
-5. Install GAMADV-XTD3 on the VM
-   * See: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-Advanced-GAM
-
-6. Logout and log back in to the VM, you should now be able to run GAMADV-XTD3 commands like:
-```
-gam version
-```
-
-7. Create the special `oauth2service.json` file GAMADV-XTD3 will use:
-```
-gam create gcpserviceaccount
-```
-If you'd like, take a look at the generated ```oauth2service.json``` file;
-you'll notice that while the file has some fields similar to a normal service account file, there is no `private_key` attribute containing an RSA private key.
-
-8. Enable the Google APIs GAMADV-XTD3 will use:
-```
-gam enable apis
-```
-You are given the option to enable them automatically or manually. Automatic enablement will ask you to authenticate to GAMADV-XTD3. You should authenticate as a user with rights to manage project APIs, probably a project owner. If you are not the project owner you can choose manual enablement and GAMADV-XTD3 will provide two or more URLs which you can send to the project owner. When the owner opens these URLs, they'll be prompted to enable all the APIs GAMADV-XTD3 needs.
-
-9. Perform admin actions (manage users, groups, orgunits, Chrome devices, etc)
-   * [Configure delegated admin service account (DASA)](https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account); start at step 4.
-
-10. Manage user data
-   * Run ```gam user user@domain.com check serviceaccount``` and follow the instructions to perform domain-wide delegation.
--- a/docs/Sites.md
+++ b/docs/Sites.md
@@ -1,81 +0,0 @@
-# Sites
- [API documentation](#api-documentation)
- [Definitions](#definitions)
- [Manage classic sites](#manage-classic-sites)
- [Display classic sites](#display-classic-sites)
- [Manage classic sites access](#manage-classic-sites-access)
- [Display classic sites access](#display-classic-sites-access)
-
-## API documentation
-* https://developers.google.com/google-apps/sites/docs/1.0/developers_guide_python
-
-## Definitions
-```
-<Date> ::=
-        <Year>-<Month>-<Day> |
-        (+|-)<Number>(d|w|y) |
-        never|
-        today
-
-<DomainName> ::= <String>(.<String>)+
-<DomainNameList> ::= "<DomainName>(,<DomainName>)*"
-<DomainNameEntity> ::=
-        <DomainNameList> | <FileSelector> | <CSVkmdSelector> |  <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
-
-<SiteName> ::= [a-z,0-9,-]+
-<SiteItem> ::= [<DomainName>/]<SiteName>
-<SiteList> ::= "<SiteItem>(,<SiteItem>)*"
-<SiteEntity> ::=
-        <SiteList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
-
-<SiteACLRole> ::= editor|owner|reader|writer
-<SiteACLRoleList> ::= "<SiteACLRole>(,<SiteACLRole>)*"
-
-<SiteAttribute> ::=
-        (categories <String>)|
-        (name <String>)|
-        (sourcelink <URI>])|
-        (summary <String>)|
-        (theme <String>)
-
-<SiteACLScope> ::=
-        <EmailAddress>|user:<EmailAdress>|group:<EmailAddress>|
-        domain:<DomainName>|domain|default
-<SiteACLScopeList> ::= "<SiteACLScope>(,<SiteACLScope>)*"
-<SiteACLScopeEntity> ::=
-        <SiteACLScopeList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
-```
-## Manage classic sites
-```
-gam [<UserTypeEntity>] create site <SiteItem> <SiteAttribute>*
-gam [<UserTypeEntity>] update sites <SiteEntity> <SiteAttribute>+
-```
-## Display classic sites
-```
-gam [<UserTypeEntity>] info sites <SiteEntity>
-        [withmappings] [role|roles all|<SiteACLRoleList>]
-gam [<UserTypeEntity>] show sites [domain|domains <DomainNameEntity>] [includeallsites]
-        [withmappings] [role|roles all|<SiteACLRoleList>] [maxresults <Number>]
-gam [<UserTypeEntity>] print sites [todrive <ToDriveAttribute>*]
-        [domain|domains <DomainNameEntity>] [includeallsites] 
-        [withmappings] [role|roles all|<SiteACLRoleList>] [maxresults <Number>]
-        [convertcrnl] [delimiter <Character>]
-
-gam [<UserTypeEntity>] print siteactivity <SiteEntity> [todrive <ToDriveAttribute>*]
-        [maxresults <Number>] [updated_min <Date>] [updated_max <Date>]
-```
-## Manage classic sites access
-```
-gam [<UserTypeEntity>] add siteacls <SiteEntity> <SiteACLRole> <SiteACLScopeEntity>
-gam [<UserTypeEntity>] update siteacls <SiteEntity> <SiteACLRole> <SiteACLScopeEntity>
-gam [<UserTypeEntity>] delete siteacls <SiteEntity> <SiteACLScopeEntity>
-```
-## Display classic sites access
-```
-gam [<UserTypeEntity>] info siteacls <SiteEntity> <SiteACLScopeEntity>
-gam [<UserTypeEntity>] show siteacls <SiteEntity>
-gam [<UserTypeEntity>] print siteacls <SiteEntity> [todrive <ToDriveAttribute>*]
-```
--- a/docs/Using-GAMADV-XTD3-with-a-YubiKey.md
+++ b/docs/Using-GAMADV-XTD3-with-a-YubiKey.md
@@ -1,72 +0,0 @@
-# Using GAMADV-XTD3 with a YubiKey
- [Thanks](#thanks)
- [Yubikey ykman PIV Commands](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html)
- [Introduction](#introduction)
- [FAQs](#faqs)
- [Setup Steps](#setup-steps)
-
-## Thanks
-
-Thanks to Jay Lee for the original version of this document.
-
-## Introduction
-GAMADV-XTD3 supports using a [YubiKey](https://www.yubico.com/products/yubikey-5-overview/) to generate and store the service account's private RSA key. Private keys generated by the YubiKey cannot be exported even to the computer running GAMADV-XTD3. When compared to the plain text oauth2service.json file with the private key stored in text, the YubiKey offers a more secure option that prevents digital theft and copying of the private key. Instead of reading the private key from the oauth2service.json file and signing requests itself, GAMADV-XTD3 will simply send signing requests to the YubiKey and get back the signature.
-
-GAMADV-XTD3 version 6.50.01 or higher is required. Best practice is to always use the [latest version of GAMADV-XTD3](https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Update-Advanced-GAM).
-
-## FAQs
-### Can I use a Google Titan or other brand security key?
-No, while Titan keys are great as security keys / U2F / 2SV, that is not the protocol being used by GAMADV-XTD3 here. GAMADV-XTD3 uses the PIV app of YubiKeys to work with service accounts. You need to use [a genuine Yubikey.](https://yubico.com/genuine/).
-
-### Does this protect the admin credentials GAMADV-XTD3 stores in oauth2.txt?
-No, the admin credentials GAMADV-XTD3 stores in oauth2.txt are not protected by the YubiKey as they are not using RSA private keys. Only the service account credentials normally stored in oauth2service.json are protected. The service account credentials are used for domain-wide delegation operations like managing Workspace user data in Drive, Gmail and Calendar. Note that GAMADV-XTD3 also has the ability to perform admin actions as a delegated admin service account (DASA). See [instructions for setting up DASA](https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account.md). When DASA is setup, GAMADV-XTD3 will use the service account to authenticate which can be protected by the YubiKey.
-
-### What if someone physically steals the YubiKey?
-The YubiKey can be configured with a PIN that must be entered in order for it to sign data with the private key. GAMADV-XTD3 stores this PIN string in the oauth2service.json file so it can use it as needed. What this means is that an attacker would need to steal *both* the physical YubiKey and the PIN stored in oauth2service.json. The recommendation is to store oauth2service.json and the rest of the GAM directory on an encrypted partition. The YubiKey itself should also be kept in a secure location.
-
-### Can I require a physical touch of the YubiKey before the private key can be used?
-Yes but in practice this does not work very well with GAMADV-XTD3. The YubiKey will need to be touched every time there is a GAMADV-XTD3 command running which for batch or cron jobs may be constant. GAMADV-XTD3 can use a PIN configured on the YubiKey in order to offer an additional layer of protection.
-
-### If I use a YubiKey, do I need to rotate the private key regularly?
-No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is no chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
-
-### What data does the service account private key have access to?
-When using domain-wide delegation with GAMADV-XTD3, the service account and anyone possessing the service account private key oauth2service.json file has access to the Gmail, Drive and Calendar data of ALL Workspace users in your domain. For this reason, whether using a YubiKey or not, you should take strong measures to protect the service account private key.
-
-## Setup Steps
-1. Upgrade to at least GAMADV-XTD3 6.50.01.
-2. **If you are using a new YubiKey or don't care about the PIV app data on the YubiKey**
-    1. Tell GAMADV-XTD3 to reset and configure the PIV app data on the YubiKey. This wipes all existing keys and configuration and then configures a private key and PIN for GAMADV-XTD3.
-      * Single YubiKey - `gam yubikey reset_piv`
-      * Multiple YubiKeys - `gam yubikey reset_piv yubikeyserialnumber <Number>`
-    2. During the PIV reset, GAMADV-XTD3 will print out a PIN for the private key, record this key.
-4. **If you are already using the YubiKey and wish to preserve the PIV app data and keys**
-    1. You need to configure one of the PIV slots for a private key GAMADV-XTD3 can use.
-      * [ykman piv keys generate](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html#ykman-piv-keys-options-command-args)
-        `ykman piv keys generate -P <Text> --pin-policy ALWAYS --touch-policy NEVER --algorithm RSA2048 9a new_pubkey.txt`
-      * Use `9a` for the `AUTHENTICATION` slot, `9c` for the `SIGNATURE` slot
-    2. You need to generate a certificate for that slot.
-      * [ykman piv certificates generate](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html#ykman-piv-certificates-generate-options-slot-public-key)
-        `ykman piv certificates generate -P <Text> --subject "GAM Service Account" -d 36500 9a new_pubkey.txt`
-      * Use `9a` for the `AUTHENTICATION` slot, `9c` for the `SIGNATURE` slot
-
-5. Now that you have a private key on your YubiKey, tell GAMADV-XTD3 to use that instead of the private_key stored in oauth2service.json. We can do that by rotating the key:
-```
-copy oauth2service.json to oauth2service.save
-gam create sakey yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
-```
-The yubikey argument tells GAMADV-XTD3 to use a private key on a plugged in YubiKey. The yubikey_pin argument tells GAMADV-XTD3 to prompt you to input the PIN that was set in the previous step. The yubikey_slot argument tells GAMADV-XTD3 which PIV slot to use on the YubiKey.
-
-If there are problems, you can go back to the original oauth2service.json.
-```
-copy oauth2service.json to oauth2service.yk
-copy oauth2service.save to oauth2service.json
-```
-
-6. Now you should be able to run GAMADV-XTD3 commands like:
-```
-gam user admin@example.com check serviceaccount
-```
-and see the YubiKey lights flash as the YubiKey interacts with GAMADV-XTD3 to sign the GAMADV-XTD3 authentication requests. If you look at the oauth2service.json file, you'll see it contains some new fields like yubikey_serial and yubikey_pin but no longer contains the private_key field where GAMADV-XTD3 would normally store the private key data.
-
-7. As a last step, since YubiKey-stored private keys do not need to be and should not be rotated, you can remove the service account's permissions to change it's own key. Navigate to the [Cloud Console](https://console.cloud.google.com/iam-admin/serviceaccounts) select the correct project and service account and on the Permissions tab, edit and remove the "Service Account Key Admin" permission that the service account has to itself.
--- a/docs/_Footer.md
+++ b/docs/_Footer.md
@@ -1 +0,0 @@
-Need more help? Ask on the [GAM Discussion Group](https://groups.google.com/forum/#!forum/google-apps-manager)
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,65 @@
+[project]
+name = "gam7"
+dynamic = [
+    "version",
+]
+authors = [
+    { name="Jay Lee", email="jay0lee@gmail.com" },
+    { name="Ross Scroggs", email="Ross.Scroggs@gmail.com" },
+]
+# # The following files should be edited to match: setup.cfg, requirements.txt
+dependencies = [
+    "chardet>=5.2.0",
+    "cryptography>=44.0.2",
+    "distro; sys_platform=='linux'",
+    "filelock>=3.18.0",
+    "google-api-python-client>=2.167.0",
+    "google-auth-httplib2>=0.2.0",
+    "google-auth-oauthlib>=1.2.2",
+    "google-auth>=2.39.0",
+    "httplib2>=0.22.0",
+    "lxml>=5.4.0",
+    "passlib>=1.7.4",
+    "pathvalidate>=3.2.3",
+    "pyscard==2.2.1",
+    "python-dateutil",
+]
+description = "CLI tool to manage Google Workspace"
+readme = "README.md"
+requires-python = ">=3.9"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Operating System :: OS Independent",
+]
+license = {text = "Apache License (2.0)"}
+license-files = ["LICEN[CS]E*"]
+
+[project.optional-dependencies]
+yubikey = ["yubikey-manager>=5.6.1"]
+
+[project.scripts]
+gam = "gam.__main__:main"
+
+[project.urls]
+Homepage = "https://github.com/GAM-team/GAM"
+Issues = "https://github.com/GAM-team/GAM/issues"
+Discussion = "https://groups.google.com/group/google-apps-manager"
+Chat = "https://git.io/gam-chat"
+
+[tool.hatch.version]
+path = "src/gam/__init__.py"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/gam"]
+
+[build-system]
+requires = [
+    "hatchling",
+]
+build-backend = "hatchling.build"
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,894 @@
+7.07.01
+
+Fixed bug in `gam print|show chromepolicies` that caused a trap. Made additional
+updates to handle changes in the Chrome Policy API.
+
+7.07.00
+
+As of mid-October 2024, Google deprecated the API that retrieved the Global Address List.
+
+The following commands have been eliminated.
+```
+gam info gal
+gam print gal
+gam show gal
+```
+
+These commands are a work-around for `gam print gal`.
+```
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" redirect csv ./UserGAL.csv print users fields name,gal
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" batch_size 25 redirect csv ./GroupGAL.csv print groups fields name,gal
+```
+
+7.06.14
+
+Updated `gam create|update adminrole` to allow specifying a collection of privileges
+with `privileges select <FileSelector>|<CSVFileSelector>` which makes copying roles much simpler.
+
+Added option `role <RoleItem>` to `gam print|show adminroles` to allow display of information
+for a specific role.
+
+7.06.13
+
+Updated `gam print group-members ... recursive` and `gam print cigroup-members ... recursive`
+to expand groups representing chat spaces.
+
+7.06.12
+
+Deleted commands to display Analytic UA properties; the API has been deprecated.
+```
+gam <UserTypeEntity> print|show analyticuaproperties
+```
+
+7.06.11
+
+Improved `gam checkconn`.
+
+Updated `gam print group-members` and `gam print cigroup-members` to recognize members
+that are groups representing chat spaces. For now, these groups are not expanded when
+`recursive` is specified.
+
+7.06.10
+
+Added the following license SKU.
+```
+1010020034 - Google Workspace Frontline Plus
+```
+
+7.06.09
+
+Added `gemini` and `geminiforworkspace` to `<ActivityApplicationName>` for use in
+`gam report <ActivityApplicationName>`.
+
+7.06.08
+
+Fixed problem where Yubikeys caused a trap.
+
+7.06.07
+
+Updated private key rotation progress messages in `gam create|use|update project`
+and `gam upload sakey`.
+
+Updated `gam use project` to display the following error message when the specifed project
+already has a service account.
+```
+Re-run the command specify a new service account name with: saname <ServiceAccountName>'
+```
+
+7.06.06
+
+Native support for Windows 11 Arm-based devices.
+
+Renamed some MacOS and Linux binary installer files to align on terminology. Everything is "arm64" now, no "aarch64".
+
+7.06.05
+
+Updated code in `gam delete|update chromepolicy` to handle the `policyTargetKey[additionalTargetKeys]`
+field in a more general manner for future use.
+
+7.06.04
+
+Fixed bug in `gam report <ActivityApplictionName>` where a report with no activities
+was not displaying any output.
+
+7.06.03
+
+Fixed bug in `gam <UserTypeEntity> print|show drivelastmodification` that caused a trap
+when an empty drive was specified.
+
+7.06.02
+
+Updated `gam <UserTypeEntity> print|show filecounts ... showlastmodification` to include
+file mimetype and path information for the last modified file.
+
+Added simple commands to get information about the last modified file on a drive.
+By default, a user's My Drive is processed; optionally, a Shared Drive can be processed.
+```
+gam <UserTypeEntity> print drivelastmodification [todrive <ToDriveAttribute>*]
+        [select <SharedDriveEntity>]
+        [pathdelimiter <Character>]
+        (addcsvdata <FieldName> <String>)*
+gam <UserTypeEntity> show drivelastmodification
+        [select <SharedDriveEntity>]
+        [pathdelimiter <Character>]
+```
+
+7.06.01
+
+Updated `gam <UserTypeEntity> create|update drivefileacl ... expiration <Time>`
+to handle additional API errors.
+
+Updated to Python 3.13.3.
+
+7.06.00
+
+Upgraded to OpenSSL 3.5.0.
+
+Fixed bug in `gam print cigroups` where `createTime`, `updateTime` and `statusTime`
+were not converted according to `gam.cfg timezone`.
+
+7.05.22
+
+Updated progress messages for  `gam <UserTypeEntity> print filelist|filecounts|filesharecounts|filetree select shareddriveid <SharedDriveID>`
+to display the ID of the SharedDrive that is being accessed.
+```
+Getting all Drive Files/Folders for user@domain.com on Shared Drive ID: <SharedDriveID
+Got 33 Drive Files/Folders for user@domain.com on Shared Drive ID: <SharedDriveID>...
+```
+
+7.05.21
+
+Fixed bug in `gam update chromepolicy` that generated an error like the following
+when JSON data was read from a file.
+```
+ERROR:  JSON: {'error': {'code': 400, 'message': 'Invalid enum value: {prefix}{value} for enum type: chrome.policy.api.v1.devicepolicy.AllowNewUsersEnum', 'status': 'INVALID_ARGUMENT'}}
+```
+
+Fixed bug in `gam create chromepolicyimage` that caused a trap.
+
+7.05.20
+
+Updated code to validate both `<RegularExpression>` and `<ReplacementString>`
+in the following command line options; this will expose errors when the command
+is being parsed rather than at run-time.
+```
+replaceregex <RegularExpression> <ReplacementString>
+replacedescription <RegularExpression> <ReplacementString>
+replacefilename <RegularExpression> <ReplacementString>
+```
+
+7.05.19
+
+Added `replaceregex <RegularExpression> <ReplacementString> <Tag> <String>` to the following commands:
+```
+gam sendemail subject <String> <MessageContent>
+gam <UserTypeEntity> sendemail subject <String> <MessageContent>
+```
+
+The `<RegularExpression>` is used as a match pattern against `<String>` to produce `<ReplacementString>`.
+Instances of `{Tag}` will be replaced by `<ReplacementString>` in the message subject and body.
+
+Added `replaceregex <RegularExpression> <ReplacementString> <Tag> <UserReplacement>` to the following commands:
+```
+gam create user <NotifyMessageContent>
+gam update user <NotifyMessageContent>
+gam update users <NotifyMessageContent>
+gam <UserTypeEntity> update users <NotifyMessageContent>
+gam <UserTypeEntity> draft message <MessageContent>
+gam <UserTypeEntity> import message <MessageContent>
+gam <UserTypeEntity> insert messageo <MessageContent>
+gam <UserTypeEntity> create sendas <SendAsContent>
+gam <UserTypeEntity> update sendas <SendAsContent>
+gam <UserTypeEntity> signature <SignatureContent>
+gam <UserTypeEntity> vacation subject <String> <VacationMessageContent>
+```
+
+The `<RegularExpression>` is used as a match pattern against `<UserReplacement>` to produce `<ReplacementString>`.
+Instances of `{Tag}` will be replaced by `<ReplacementString>` in the indicated items.
+
+For example, when adding a phone number to a signature, an unformatted number can be formatted:
+```
+replaceregex "(\d{3})(\d{3})(\d{4})" "(\1) \2-\3" Phone "9876543210"
+replaces 9876543210 with (987) 654-3210
+
+replaceregex "(\+\d{2})(\d{3})(\d{3})(\d{3})" "\1 \2 \3 \4" Phone "+61987654321"
+replaces +61421221506 with +61 987 654 321
+```
+
+7.05.18
+
+Updated `gam calendars <CalendarEntity> show events` and `gam <UserTypeEntity> show events`
+to display the event description according to `show_convert_cr_nl` in `gam.cfg`;
+previously, GAM assumed `show_convert_cr_nl = true`.
+```
+show_convert_cr_nl = false
+description:
+  Line 1
+  Line 2
+  Line 3
+
+show_convert_cr_nl = true
+description: Line 1\nLine 2\nLine 3\n
+```
+
+7.05.17
+
+Updated commands that delete drive ACLs to handle the following error:
+```
+ERROR: 403: cannotDeletePermission - The authenticated user does not have the required access to delete the permission.
+```
+
+7.05.16
+
+Added option `transpose [<Boolean>]` to `redirect csv` that causes
+GAM to transpose CSV output rows and columns. This will most useful
+when a `countsonly` option is used in a `print` or `report` command.
+
+7.05.15
+
+Updated `gam <UserTypeEntity> get drivefile` and `gam <UserTypeEntity> create drivefile`
+to allow downloading and uploading of Google Apps Scripts.
+```
+$ gam user user1@domain.com get drivefile 1ZY-YkS3E0OKipALra_XzfIh9cvxoILSbb8TRdHBFCpyB_mXI_J8FmjHv format json
+User: user1@domain.com, Download 1 Drive File
+  User: user1@domain.com, Drive File: Test Project, Downloaded to: /Users/gamteam/GamWork/Test Project.json, Type: Google Doc
+$ gam user user2@domain.com create drivefile localfile "Test Project.json" mimetype application/vnd.google-apps.script+json drivefilename "Test Project"
+User: user2@domain.com, Drive File: Test Project(1Ok_svw55VTreZ5CzcViJDLfEzVRi-Un8D9eG6I5pIeVyRl2YsmNiy3C_), Created with content from: Test Project.json
+```
+
+7.05.14
+
+Added the following License SKU:
+```
+ProductId SKUId Display Name
+101039 1010390002 Assured Controls Plus
+```
+
+7.05.13
+
+Updated license product names to match Google.
+
+7.05.12
+
+Fixed bug in `gam update chromepolicy` where `appid` was misinterpreted for `chrome.devices.kiosk` policies
+and an error was generated.
+```
+ERROR: Chrome Policy Schema: customers/C123abc456/policySchemas/<Field>, Does not exist
+```
+
+7.05.11
+
+Added the following License SKUs:
+```
+ProductId SKUId Display Name
+Google-Apps 1010070001 Google Workspace for Education Fundamentals
+Google-Apps 1010070004 Google Workspace for Education Gmail Only
+101034 1010340007 Google Workspace for Education Fundamentals - Archived User
+```
+
+7.05.10
+
+Updated various chat space commands to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable
+```
+
+7.05.09
+
+Fixed bug in `gam calendars <CalendarEntity> print events matchfield attendeesstatus required accepted resource_calendar@resource.calendar.google.com`
+that caused a trap.
+
+7.05.08
+
+Added error message to `gam report` commands to indicate forbidden access;
+previously, no error message was displayed.
+```
+ERROR: Customer ID: C012abc34, Caller does not have access to the customers reporting data.
+```
+
+7.05.07
+
+Fixed bug in `gam calendars <CalendarEntity> info events` and `gam <UserTypeEntity> info events`
+where option `showdayofweek` was not recognized.
+
+7.05.06
+
+Improve message displayed when a command is issued that requires Google Chat Bot setup;
+display a link to the Wiki `Set up a Chat Bot` instructions.
+
+7.05.05
+
+Added options `password prompt` and `password uniqueprompt` to `gam create user <EmailAddress>`
+and `gam update users <UserTypeEntity>` that prompt you to enter a password from stdin.
+
+See [User Passwords](https://github.com/GAM-team/GAM/wiki/Users#passwords)
+
+7.05.04
+
+Updated `gam calendars <CalendarEntity> update events` and `gam <UserTypeEntity> update events`
+to handle the following error:
+```
+ERROR 400: malformedWorkingLocationEvent - A working location event must have a visibility setting of public.
+```
+
+7.05.03
+
+Fixed bug in `gam all users print users issuspended false allfields` that caused a trap.
+
+7.05.02
+
+Chat usage reports are now available. Added `chat` to `<CustomerServiceName>` and `<UserServiceName>`
+for use in `gam report customer|user`.
+
+* https://workspaceupdates.googleblog.com/2025/02/chat-usage-analytics-updates.html
+
+7.05.01
+
+Updated from `v1beta1` to `v1` for `Cloud Identity - Policy`.
+
+* See: https://workspaceupdates.googleblog.com/2025/02/policy-api-general-availability.html
+
+7.05.00
+
+Enabled support for Limited Access as described here:
+* https://workspaceupdates.googleblog.com/2025/02/updating-access-experience-in-google-drive.html
+
+Note that the rollout may take 15 days.
+
+Added option `inheritedpermissionsdisabled [<Boolean>]` to `<DriveFileAttribute>`; this
+attribute can be set on folders.
+
+Added `inheritedpermissionsdisabled` to `<DriveFieldName>`.
+
+Added `capabilities.candisableinheritedpermissions` and `capabilities.canenableinheritedpermissions`
+to `<DriveCapabilitiesSubfieldName>`.
+
+Added option `enforceexpansiveaccess [<Boolean>]` to all commands that delete or update
+drive file ACLs/permissions.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+7.04.05
+
+Added initial support for Meet API v2beta; you must be in the Developer Preview program
+for this to be effective.
+* https://developers.google.com/meet/api/guides/beta/configuration-beta#auto-artifacts
+
+Added `meet_v2_beta` Boolean variable to `gam.cfg`. When this variable is true,
+the following options are added to `<MeetSpaceOptions>` used in `gam <UserTypeEntity> create|update meetspace`.
+```
+        moderation <Boolean> |
+        chatrestriction hostsonly|norestriction |
+        reactionrestriction hostsonly|norestriction |
+        presentrestriction hostsonly|norestriction |
+        defaultjoinasviewer <Boolean> |
+        recording <Boolean> |
+        transcription <Boolean> |
+        smartnotes <Boolean>
+```
+
+This isn't called beta for nothing, I have found problems and reported them.
+
+7.04.04
+
+Updated `gam print group-members|cigroup-members` to include the `email` column
+when `fields <MembersFieldNameList>` did not include `email`.
+
+7.04.03
+
+Added option `minimal|basic|full` to `gam print cigroup-members`:
+* `minimal` - Fields displayed: group, id, role, email
+* `basic` - Fields displayed: group, type, id, role, email
+* `full` - Fields displayed: group, type, id, role, email, createTime, updateTime; this is the default
+
+Added option `minimal|basic|full` to `gam show cigroup-members`:
+* `minimal` - Fields displayed: role, email
+* `basic` - Fields displayed: type, role, email
+* `full` - Fields displayed: type, role, email, createTime, updateTime; this is the default
+
+Upgraded `gam print cigroup-members ... recursive` to display sub-group email addresses rather than IDs.
+
+7.04.02
+
+Improved output formatting for the following commands:
+```
+gam info peoplecontact
+gam show peoplecontacts
+gam info peopleprofile
+gam show peopleprofile
+gam <UserTypeEntity> info contacts
+gam <UserTypeEntity> show contacts
+gam <UserTypeEntity> show peopleprofile
+```
+
+7.04.01
+
+Fixed bug where multiple `querytime<String>` values in a query were not properly processed;
+only the last `querytime<String>` was processed.
+```
+Command line: query "sync:#querytime1#..#querytime2# status:provisioned" querytime1 -2y querytime2 -40w
+Query: (sync:#querytime1#..2024-05-09T00:00:00 status:provisioned) Invalid
+```
+
+7.04.00
+
+The Classic Sites API no longer functions, the following commands are deprecated:
+```
+gam [<UserTypeEntity>] create site
+gam [<UserTypeEntity>] update site
+gam [<UserTypeEntity>] info site
+gam [<UserTypeEntity>] print sites
+gam [<UserTypeEntity>] show sites
+gam [<UserTypeEntity>] create siteacls
+gam [<UserTypeEntity>] update siteacls
+gam [<UserTypeEntity>] delete siteacls
+gam [<UserTypeEntity>] info siteacls
+gam [<UserTypeEntity>] show siteacls
+gam [<UserTypeEntity>] print siteacls
+gam [<UserTypeEntity>] print siteactivity
+```
+
+7.03.09
+
+Added option `maxmessagesperthread <Number>` to `gam <UserTypeEntity> print|show threads`
+that limits the number of messages displayed per thread. The default is 0, there is no limit.
+For example, this can be used if you only want to see the first message of each thread.
+```
+gam user user@domain.com print|show threads maxmessagesperthread 1
+```
+
+Fixed bug in `gam <UserTypeEntity> print filelist countsonly` where extraneous columns
+were displayed.
+
+Fixed bug in `gam <UserTypeEntity> print filelist countsonly showsize` where sizes were
+all shown as 0 unless`sizefield size` was specified.
+
+7.03.08
+
+Improved pip install.
+
+Yubikey as optional should now be working also. So:
+
+pip install --upgrade gam7
+
+skips Yubikey.
+
+To install with yubikey support (assuming you have installed the necessary swig and libpcsclite-dev packages already) run:
+
+pip install --upgrade gam7[yubikey]
+
+7.03.07
+
+Updated `gam create vaultexport` to include `corpus gemini`.
+
+* See: https://workspaceupdates.googleblog.com/2025/02/google-vault-now-supports-gemini.html
+
+7.03.06
+
+Added option `rawfields "<BrowserFieldNameList>"` to `gam info|print|show browsers` that allows
+specification of complex field lists with selected subfields.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Browser-Cloud-Management#raw-fields
+
+7.03.05
+
+Make GAM pip-installable: "pip install gam7"
+
+7.03.04
+
+Added option `security` to `gam create cigroup` that allows creation of a security group
+in a single command.
+
+Updated to Python 3.13.2.
+
+7.03.03
+
+Fixed bug in `gam update resoldcustomer` that caused the following error:
+```
+ERROR: Got an unexpected keyword argument customerAuthToken
+```
+
+7.03.02
+
+Updated `gam <UserTypeEntity> show labels nested` to properly display label nesting
+when labels have embedded `/` characters in their names.
+
+7.03.01
+
+Updated `gam create project` to retry the following unexpected error:
+```
+ERROR: 400 - invalidArgument - Service account gam-project-a1b2c@gam-project-a1b2c.iam.gserviceaccount.com does not exist.
+```
+
+7.03.00
+
+Updated `gam create|use project` to discontinue use of the `Identity-Aware Proxy (IAP) OAuth Admin APIs`
+that are being deprecated by Google. You will see a set of instructions detailing how to
+configure the Oauth Consent screen and create the Oauth client.
+
+Added options `copypermissionroles <DriveFileACLRoleList>` and `copypermissiontypes <DriveFileACLTypeList>`
+to `gam <UserTypeEntity> copy drivefile` that provide more control over what permissions are copied
+from the source files/folders to the destination files/folders.
+
+7.02.11
+
+Updated `gam report <ActivityApplicationName>` to display `id:<actor.profileId>` in the `emailAddress` column
+when `actor.email` is empty. This typically occurs when the actor is not in your workspace.
+
+Updated `gam <UserTypeEntity> copy drivefile` to ignore ACLs referencing deleted user/groups.
+
+7.02.10
+
+Added option `bydate` to `gam report <ActivityApplicationName> ... countsonly` that provides an additional display option.
+* `countsonly` - Display a row per user across all dates with all event counts on one row
+* `countsonly bydate` - Display a row per user per date for all dates with any events with all events counts on the row
+* `countsonly summary` - Display a row per event with counts for each event summarized across users and dates
+
+7.02.09
+
+Added option `clearresources` to `<EventUpdateAttribute>` for use in `gam <UserTypeEntity> update events`
+that allows clearing all resources from a user's calendar events. For example, to clear all resources from a user's future events:
+```
+gam user user@domain.com update events primary matchfield attendeespattern @resource.calendar.google.com after now clearresources
+```
+
+Added option `resource <ResourceID>` to `<EventAttribute>` for use in `gam <UserTypeEntity> create|update events`
+that adds a resource to an event.
+
+Added option `removeresource <ResourceID>` to `<EventUpdateAttribute>` for use in `gam <UserTypeEntity> update events`
+that removes a resource from an event.
+
+7.02.08
+
+Fixed bug in `gam print|show chromepolicies` that caused a trap when neither
+`ou|orgunit <OrgUnitItem>` nor `group <GroupItem>` was specified.
+
+7.02.07
+
+Updated `gam delete|update chromepolicy` to display the `<AppID>` or `<PrinterID>` (if specified)
+in the command status messages.
+
+7.02.06
+
+Added option `<JSONData>` to `gam <UserTypeEntity> create|update form` that allows for
+creation/modification of all fields in a form. `<JSONData>` is a list of form update requests.
+
+* See: https://developers.google.com/forms/api/reference/rest/v1/forms/batchUpdate
+
+7.02.05
+
+Updated `gam [<UserTypeEntity>] show shareddriveacls ... formatjson` to not display this line
+which interferes with the JSON output.
+```
+User: user@domain.com, Show N Shared Drives
+```
+
+7.02.04
+
+Updated code to eliminate trap caused by bug introduced in 7.02.00 that occurs when an invalid domain or OU is specified.
+
+7.02.03
+
+Added option `archive` to `gam <UserTypeEntity> update license <NewSKUID> from <OldSKUID>` that causes GAM
+to archive `<UserTypeEntity>` after updating their license to `<NewSKUID>`. This will be used when you want to
+archive a user with a non-archivable license. The `<NewSKUID>` license is assigned to the user and it then converts
+to the equivalent Archived User license when the user is archived.
+
+`<NewSKUID>` must be one of the following SKUs:
+```
+Google-Apps-Unlimited - G Suite Business
+1010020020 - Google Workspace Enterprise Plus
+1010020025 - Google Workspace Business Plus
+1010020026 - Google Workspace Enterprise Standard
+1010020027 - Google Workspace Business Starter
+1010020028 - Google Workspace Business Standard
+```
+
+7.02.02
+
+Updated `gam <UserTypeEntity> archive messages <GroupItem>` to retry the following unexpected error
+that occurs after many messages have been successfully archived.
+`ERROR: 404: notFound - Unable to lookup group`
+
+7.02.01
+
+Added options `locked` and `unlocked` to `gam update cigroups` that allow locking/unlocking groups.
+
+* See: https://workspaceupdates.googleblog.com/2024/12/locked-groups-open-beta.html
+
+You'll have to do a `gam oauth create` and enable the following scope to use these options:
+```
+[*] 22)  Cloud Identity Groups API Beta (Enables group locking/unlocking)
+```
+
+7.02.00
+
+Improved the error message displayed for user service account access commands when:
+* The API is not enabled
+* The user does not exist
+* The user exists but is in a OU where the service is disabled
+
+7.01.04
+
+Admin role assignments are now in the v1 stable API, use that and remove custom local workaround for the beta. #1724
+
+Remove duplicate local JSON discovery files. #1724
+
+Suppress "UserWarning: Attribute's length must be..." messages on service accounts with long emails. #1725
+
+Added options `internal`, `internaldomains <DomainNameList>` and `external` to these commands
+that expand the options for viewing group members:
+```
+gam info group
+gam print groups
+gam print|show group-members
+gam info cigroup
+gam print cigroups
+gam print|show cigroup-members
+```
+By default, when listing group members, GAM does not take the domain of the member into account.
+* `internal internaldomains <DomainNameList>` - Display members whose domain is in `<DomainNameList>`
+* `external internaldomains <DomainNameList>` - Display members whose domain is not in `<DomainNameList>`
+* `internal external internaldomains <DomainNameList>` - Display all members, indicate their category: internal or external
+* `internaldomains <DomainNameList>` - Defaults to value of `domain` in `gam.cfg`
+
+Members without an email address, e.g. `customer`, `chromeosdevice` and `cbcmbrowser` are considered internal.
+
+Updated to Python 3.13.1.
+
+7.01.03
+
+Fixed bug in `gam update cigroups <GroupEntity> delete|sync|update` where `cbcmbrowser` and `chromeosdevice`
+addresses were not properly handled.
+
+7.01.02
+
+Added option `positivecountsonly` to `gam <UserTypeEntity> print|show filecomments` that causes
+GAM to display the number of comments and replies only for files that have comments.
+
+Added `my_commentable_items` to `<DriveFileQueryShortcut>` that can be used with
+`gam <UserTypeEntity> print|show filecomments my_commentable_items` to speed up processing.
+
+Updated code that uses the Domain Shared Contacts API with an HTTPS proxy to avoid a trap:
+```
+Traceback (most recent call last):
+...
+File "atom/http.py", line 250, in _prepare_connection
+AttributeError: module 'ssl' has no attribute 'wrap_socket'
+```
+
+7.01.01
+
+Fixed bug in `gam <UserTypeEntity> print|show filetree` where no error message was generated
+if a user had Drive disabled.
+
+7.01.00
+
+Fixed bug in `gam update chromepolicy` that caused some policy updates to fail.
+
+Added option `showhtml` to `gam <UserTypeEntity> print|show messages` that, when used with `showbody`,
+will display message body content of type HTML.
+
+Added support for managing/displaying Chrome profiles.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Profile-Management
+
+7.00.40
+
+Updated `gam <UserTypeEntity> update serviceaccount` to properly set the readonly scope
+for `[R] 35)  Meet API (supports readonly)` as it is a special case.
+
+7.00.39
+
+Supported MacOS versions are now in the download filename.
+
+Minor code fixes.
+
+7.00.38
+
+Fixed logic flaw in `gam print|show policies` where non-matching policies were displayed.
+
+7.00.37
+
+Added options `group <RegularExpression>` and `ou|org|orgunit <RegularExpression>`
+to `gam print|show policies` that causes GAM to only display policies whose group email address
+or OU path match the `<RegularExpression>`.
+
+Updated `gam get|update|delete contactphotos` to use the People API for domain shared contact photos
+as Google has deprecated the Domain Shared Contacts API for these commands. Unfortunately,
+the People API fails with `gam update|delete contactphotos`.
+
+7.00.36
+
+Updated `gam print chromeapps` to correct a trap caused by an API change.
+
+7.00.35
+
+Classification labels are now available for Gmail in addition to Drive.
+
+* See: https://workspaceupdates.googleblog.com/2024/11/open-beta-data-classification-labels-gmail.html
+
+The following command synonyms are available, there is no change in functionality:
+```
+gam [<UserTypeEntity>] info classificationlabels|drivelabels
+gam [<UserTypeEntity>] print classificationlabels|drivelabels
+gam [<UserTypeEntity>] show classificationlabels|drivelabels
+gam [<UserTypeEntity>] create classificationlabelpermission|drivelabelpermission
+gam [<UserTypeEntity>] delete classificationlabelpermission|drivelabelpermission
+gam [<UserTypeEntity>] remove classificationlabelpermission|drivelabelpermission
+gam [<UserTypeEntity>] print classificationlabelpermissions|drivelabelpermission
+gam [<UserTypeEntity>] show classificationlabelpermissions|drivelabelpermission
+```
+
+7.00.34
+
+Fixed bug introduced in 7.00.33 in `gam print group-members` that caused a trap.
+
+7.00.33
+
+Fixed bug in `gam print group-members ... cachememberinfo` that caused a trap.
+
+7.00.32
+
+Updated `gam info policies` to accept different policy specifications:
+* `polices/<String>` - A policy name, `policies/ahv4hg7qc24kvaghb7zihwf4riid4`
+* `settings/<String>` - A policy setting type, `settings/workspace_marketplace.apps_allowlist`
+* `<String>` - A policy setting type, `workspace_marketplace.apps_allowlist`
+
+7.00.31
+
+Updated `gam info|print|show policies` to make additional API calls for `settings/workspace_marketplace.apps_allowlist`
+to get the application name for the application ID. Use option `noappnames` to suppress these calls.
+
+7.00.30
+
+Added command to display selected Cloud Identity policies.
+```
+gam info policies <CIPolicyNameEntity>
+        [nowarnings]
+        [formatjson]
+```
+
+Removed option `name <CIPolicyName>` from `gam print|show policies`; use `info policies`.
+
+7.00.29
+
+Added option `name <CIPolicyName>` to `gam print|show policies` that displays
+information about a specific policy.
+
+7.00.28
+
+Fixed issue that caused `gam print/show policies` to fail on some group policies.
+
+7.00.27
+
+Updated `gam <UserTypeEntity> collect orphans` and all commands that print file paths to recognize
+that a file owned by a user that has no parents is not an orphan if `sharedWithMeTime` is set.
+This occurs when user A creates a file in a shared folder owned by user B and user B then removes
+user A's access to the folder.
+
+Added commands to display Cloud Identity policies.
+```
+gam print policies [todrive <ToDriveAttribute>*]
+        (filter <String>) [nowarnings]
+        [formatjson [quotechar <Character>]]
+gam show policies (filter <String>) [nowarnings]
+        [formatjson]
+```
+
+7.00.26
+
+Updated `drive_dir` in `gam.cfg` to allow the value `.` that causes `redirect csv|stdout|stderr <FileName>`
+to write `<FileName>` in the current directory without having to prefix `<FileName>` with `./`.
+
+Upgraded to OpenSSL 3.4.0 where possible.
+
+7.00.25
+
+Updated authentication process for `gam print|show projects`.
+
+7.00.24
+
+Updated `gam print|show projects ... showiampolicies 0|1|3` to use non-service account authentication.
+
+7.00.23
+
+Updated `gam <UserTypeEntity> create|delete chatmember` to accept external (non-domain) email addresses.
+
+7.00.22
+
+Fixed bug in `gam create vaultmatter ... showdetails` that caused a trap.
+
+7.00.21
+
+Added `csv_output_header_order` variable to `gam.cfg` that is a list of `<Strings>`
+that are used to specify the order of column headers in the CSV file written by a gam print command.
+Any headers in the file but not in the list will appear after the headers in the list.
+
+This might be used when the CSV file data is to be processed by another program
+that requires that the headers be in a particular order.
+
+7.00.20
+
+Fix Windows MSI installer issues on version upgrade. If you are having issues upgrading from a version older than 7.00.20 to this version or newer you may need to do a one time uninstall of GAM7 and then reinstall the new version.
+No configuration files will be lost during the uninstall / reinstall.
+
+7.00.19
+
+Updated `gam update shareddrive <SharedDriveEntity> ou <OrgUnitItem>` to handle the following error
+that occurs when an invalid `<SharedDriveEntity>` is specified.
+```
+ERROR: 400: invalidArgument - Invalid org membership name 0AJ3b2FTPakToUk9PVAxx.~
+```
+
+Updated `gam print browsers` to properly format the time field `deviceIdentifiersHistory.records.0.firstRecordTime`.
+
+7.00.18
+
+Updated `gam create project` to use a default project name of `gam-project-a1b2c` (`a1b2c` is a random string of 5 characters)
+instead of `gam-project-abc-123-xyz` to avoid the following warning:
+```
+Project: gam-project-abc-123-xyz, Service Account: gam-project-abc-123-xyz@gam-project-abc-123-xyz.iam.gserviceaccount.com, Extracting public certificate
+init.py:12382: UserWarning: Attribute's length must be >= 1 and <= 64, but it was 70
+init.py:12383: UserWarning: Attribute's length must be >= 1 and <= 64, but it was 70
+Project: gam-project-abc-123-xyz, Service Account: gam-project-abc-123-xyz@gam-project-abc-123-xyz.iam.gserviceaccount.com, Done generating private key and public certificate
+```
+
+7.00.17
+
+Update all user calendar commands to disable falling back to client access if service account
+authorization has never been performed. Previously, in this circumstance, the admin's calendars
+rather than the user's calendars were processed.
+
+7.00.16
+
+Updated `gam <UserTypeEntity> claim|transfer ownership` to show `Got N Drive Files/Folders that matched query` messages
+as files/folders are being identified for processing.
+
+Added option `<JSONData>` to `gam create|update caalevel`.
+
+Updated to Python 3.13.0.
+
+7.00.15
+
+Added options `timestamp [<Boolean>]` and `timeformat <String>` to `gam <UserTypeEntity> create|update drivefile` that allow
+adding a timestamp to a created/updated file name.
+
+7.00.14
+
+Retry the following unexpected errors in `gam print users`.
+```
+ERROR: 400: failedPrecondition - Precondition check failed.
+ERROR: 500: unknownError - Unknown Error.
+```
+
+7.00.13
+
+Version bump in order to confirm MSI installs are operating properly
+
+7.00.12
+
+Updated option `showlastmodification` to `gam <UserTypeEntity> print|show filecounts` to handle
+the case where all users owning files are suspended. In this case the `lastModifyingUser` column
+will show the user's display name as the API doesn't return the user's email address.
+
+Updated support for `Folders with limited access`; this is a work in progress.
+
+Windows builds now use PyInstaller's onedir config for improved performance. You may notice a lib
+folder now exists underneath the GAM install path. GAM commands should start significantly faster.
+
+7.00.11
+
+Updated to Python 3.12.7 where possible.
+
 7.00.10

 Handled the following error that occurs when `gam create user` is immediateley followed by `gam update user`.
@@ -1122,7 +2013,7 @@ Batch processing will suspend for `<Integer>` seconds before the next command li

 Added the following options to `<PermissionMatch>` that allow more powerful matching.
 ```
-nottype	<DriveFileACLType>
+nottype <DriveFileACLType>
 typelist <DriveFileACLTypeList>
 nottypelist <DriveFileACLTypeList>
 rolelist <DriveFileACLRoleList>
--- a/src/admin-directory_v1.1beta1.json
+++ b/src/admin-directory_v1.1beta1.json
--- a/src/cacerts.pem
+++ b/src/cacerts.pem
@@ -273,257 +273,6 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----

-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
-# Subject: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
-# Label: "Entrust Root Certification Authority"
-# Serial: 1164660820
-# MD5 Fingerprint: d6:a5:c3:ed:5d:dd:3e:00:c1:3d:87:92:1f:1d:3f:e4
-# SHA1 Fingerprint: b3:1e:b1:b7:40:e3:6c:84:02:da:dc:37:d4:4d:f5:d4:67:49:52:f9
-# SHA256 Fingerprint: 73:c1:76:43:4f:1b:c6:d5:ad:f4:5b:0e:76:e7:27:28:7c:8d:e5:76:16:c1:e6:e6:14:1a:2b:2c:bc:7d:8e:4c
-----BEGIN CERTIFICATE-----
-MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
-Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
-KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
-cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw
-NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw
-NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy
-ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV
-BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo
-Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4
-4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9
-KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI
-rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi
-94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB
-sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi
-gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo
-kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE
-vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
-A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t
-O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua
-AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP
-9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/
-eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
-0vdXcDazv/wor3ElhVsT/h5/WrQ8
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority - EC1 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2012 Entrust, Inc. - for authorized use only
-# Subject: CN=Entrust Root Certification Authority - EC1 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2012 Entrust, Inc. - for authorized use only
-# Label: "Entrust Root Certification Authority - EC1"
-# Serial: 51543124481930649114116133369
-# MD5 Fingerprint: b6:7e:1d:f0:58:c5:49:6c:24:3b:3d:ed:98:18:ed:bc
-# SHA1 Fingerprint: 20:d8:06:40:df:9b:25:f5:12:25:3a:11:ea:f7:59:8a:eb:14:b5:47
-# SHA256 Fingerprint: 02:ed:0e:b2:8c:14:da:45:16:5c:56:67:91:70:0d:64:51:d7:fb:56:f0:b2:ab:1d:3b:8e:b0:70:e5:6e:df:f5
-----BEGIN CERTIFICATE-----
-MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkG
-A1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3
-d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVu
-dHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEGA1UEAxMq
-RW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMB4XDTEy
-MTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0
-L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0g
-Zm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBD
-ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEVDMTB2MBAGByqGSM49AgEGBSuBBAAi
-A2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHyAsWfoPZb1YsGGYZPUxBt
-ByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef9eNi1KlH
-Bz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
-BBYEFLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVC
-R98crlOZF7ZvHH3hvxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nX
-hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority - G2 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2009 Entrust, Inc. - for authorized use only
-# Subject: CN=Entrust Root Certification Authority - G2 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2009 Entrust, Inc. - for authorized use only
-# Label: "Entrust Root Certification Authority - G2"
-# Serial: 1246989352
-# MD5 Fingerprint: 4b:e2:c9:91:96:65:0c:f4:0e:5a:93:92:a0:0a:fe:b2
-# SHA1 Fingerprint: 8c:f4:27:fd:79:0c:3a:d1:66:06:8d:e8:1e:57:ef:bb:93:22:72:d4
-# SHA256 Fingerprint: 43:df:57:74:b0:3e:7f:ef:5f:e4:0d:93:1a:7b:ed:f1:bb:2e:6b:42:73:8c:4e:6d:38:41:10:3d:3a:a7:f3:39
-----BEGIN CERTIFICATE-----
-MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
-cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
-IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
-dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
-NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
-dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
-dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
-aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
-RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
-cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
-wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
-U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
-jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
-BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
-jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
-Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
-1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
-nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
-VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
-# Subject: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
-# Label: "Entrust.net Premium 2048 Secure Server CA"
-# Serial: 946069240
-# MD5 Fingerprint: ee:29:31:bc:32:7e:9a:e6:e8:b5:f7:51:b4:34:71:90
-# SHA1 Fingerprint: 50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31
-# SHA256 Fingerprint: 6d:c4:71:72:e0:1c:bc:b0:bf:62:58:0d:89:5f:e2:b8:ac:9a:d4:f8:73:80:1e:0c:10:b9:c8:37:d2:1e:b1:77
-----BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
-bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
-IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
-MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
-LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
-YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
-A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
-sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
-MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
-XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
-HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
-4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
-j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
-U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
-zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
-u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
-bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
-fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Commercial O=AffirmTrust
-# Subject: CN=AffirmTrust Commercial O=AffirmTrust
-# Label: "AffirmTrust Commercial"
-# Serial: 8608355977964138876
-# MD5 Fingerprint: 82:92:ba:5b:ef:cd:8a:6f:a6:3d:55:f9:84:f6:d6:b7
-# SHA1 Fingerprint: f9:b5:b6:32:45:5f:9c:be:ec:57:5f:80:dc:e9:6e:2c:c7:b2:78:b7
-# SHA256 Fingerprint: 03:76:ab:1d:54:c5:f9:80:3c:e4:b2:e2:01:a0:ee:7e:ef:7b:57:b6:36:e8:a9:3c:9b:8d:48:60:c9:6f:5f:a7
-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP
-Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr
-ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL
-MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1
-yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr
-VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/
-nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG
-XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj
-vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt
-Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g
-N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC
-nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Networking O=AffirmTrust
-# Subject: CN=AffirmTrust Networking O=AffirmTrust
-# Label: "AffirmTrust Networking"
-# Serial: 8957382827206547757
-# MD5 Fingerprint: 42:65:ca:be:01:9a:9a:4c:a9:8c:41:49:cd:c0:d5:7f
-# SHA1 Fingerprint: 29:36:21:02:8b:20:ed:02:f5:66:c5:32:d1:d6:ed:90:9f:45:00:2f
-# SHA256 Fingerprint: 0a:81:ec:5a:92:97:77:f1:45:90:4a:f3:8d:5d:50:9f:66:b5:e2:c5:8f:cd:b5:31:05:8b:0e:17:f3:f0:b4:1b
-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y
-YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua
-kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL
-QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp
-6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG
-yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i
-QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO
-tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu
-QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ
-Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u
-olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48
-x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Premium O=AffirmTrust
-# Subject: CN=AffirmTrust Premium O=AffirmTrust
-# Label: "AffirmTrust Premium"
-# Serial: 7893706540734352110
-# MD5 Fingerprint: c4:5d:0e:48:b6:ac:28:30:4e:0a:bc:f9:38:16:87:57
-# SHA1 Fingerprint: d8:a6:33:2c:e0:03:6f:b1:85:f6:63:4f:7d:6a:06:65:26:32:28:27
-# SHA256 Fingerprint: 70:a7:3f:7f:37:6b:60:07:42:48:90:45:34:b1:14:82:d5:bf:0e:69:8e:cc:49:8d:f5:25:77:eb:f2:e9:3b:9a
-----BEGIN CERTIFICATE-----
-MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz
-dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG
-A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U
-cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf
-qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ
-JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ
-+jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS
-s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5
-HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7
-70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG
-V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S
-qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S
-5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia
-C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX
-OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE
-FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2
-KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg
-Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B
-8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ
-MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc
-0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ
-u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF
-u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH
-YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8
-GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO
-RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e
-KeC2uAloGRwYQw==
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Premium ECC O=AffirmTrust
-# Subject: CN=AffirmTrust Premium ECC O=AffirmTrust
-# Label: "AffirmTrust Premium ECC"
-# Serial: 8401224907861490260
-# MD5 Fingerprint: 64:b0:09:55:cf:b1:d5:99:e2:be:13:ab:a6:5d:ea:4d
-# SHA1 Fingerprint: b8:23:6b:00:2f:1d:16:86:53:01:55:6c:11:a4:37:ca:eb:ff:c3:bb
-# SHA256 Fingerprint: bd:71:fd:f6:da:97:e4:cf:62:d1:64:7a:dd:25:81:b0:7d:79:ad:f8:39:7e:b4:ec:ba:9c:5e:84:88:82:14:23
-----BEGIN CERTIFICATE-----
-MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC
-VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ
-cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ
-BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt
-VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D
-0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9
-ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G
-A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G
-A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs
-aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I
-flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ==
-----END CERTIFICATE-----
-
 # Operating CA: GlobalSign
 # Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
 # Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
--- a/src/cbcm-v1.1beta1.json
+++ b/src/cbcm-v1.1beta1.json
@@ -1,594 +0,0 @@
-{
-  "auth": {
-    "oauth2": {
-      "scopes": {
-        "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers": {
-          "description": "View and manage your Chrome browsers registered with Cloud Management"
-        },
-        "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly": {
-          "description": "View your Chrome browsers registered with Cloud Management"
-        }
-      }
-    }
-  },
-  "basePath": "",
-  "baseUrl": "https://admin.googleapis.com/admin/directory/v1.1beta1/customer/",
-  "batchPath": "batch",
-  "canonicalName": "cbcm",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://support.google.com/chrome/a/answer/9681204",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x16": "http://www.google.com/images/icons/product/search-16.gif",
-    "x32": "http://www.google.com/images/icons/product/search-32.gif"
-  },
-  "id": "cbcm:v1.1beta1",
-  "kind": "discovery#restDescription",
-  "mtlsRootUrl": "https://admin.mtls.googleapis.com/",
-  "name": "cbcm",
-  "ownerDomain": "google.com",
-  "ownerName": "Jay Lee",
-  "packagePath": "cbcm",
-  "parameters": {
-    "$.xgafv": {
-      "description": "V1 error format.",
-      "enum": [
-        "1",
-        "2"
-      ],
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "description": "OAuth access token.",
-      "location": "query",
-      "type": "string"
-    },
-    "alt": {
-      "default": "json",
-      "description": "Data format for response.",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "callback": {
-      "description": "JSONP",
-      "location": "query",
-      "type": "string"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "key": {
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
-      "location": "query",
-      "type": "string"
-    },
-    "oauth_token": {
-      "description": "OAuth 2.0 token for the current user.",
-      "location": "query",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "default": "true",
-      "description": "Returns response with indentations and line breaks.",
-      "location": "query",
-      "type": "boolean"
-    },
-    "quotaUser": {
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "location": "query",
-      "type": "string"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    },
-    "upload_protocol": {
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    }
-  },
-  "protocol": "rest",
-  "resources": {
-    "chromebrowsers": {
-      "methods": {
-        "delete": {
-          "description": "Deletes a browser.",
-          "flatPath": "{customer}/devices/chromebrowsers/{deviceId}",
-          "httpMethod": "DELETE",
-          "id": "cbcm.chromebrowsers.delete",
-          "parameterOrder": [
-            "customer",
-            "deviceId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "deviceId": {
-              "description": "Immutable ID of the browser.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/{deviceId}",
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        },
-        "get": {
-          "description": "Retrieves a browser.",
-          "flatPath": "{customer}/devices/chromebrowsers/{deviceId}",
-          "httpMethod": "GET",
-          "id": "cbcm.chromebrowsers.get",
-          "parameterOrder": [
-            "customer",
-            "deviceId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "deviceId": {
-              "description": "Immutable ID of the browser.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "projection": {
-              "description": "Restrict information returned to a set of selected fields. FULL or BASIC.",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/{deviceId}",
-          "response": {
-            "$ref": "ChromeBrowser"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers",
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly"
-          ]
-        },
-        "list": {
-          "description": "Retrieves a paginated list of all the browsers in a domain.",
-          "flatPath": "{customer}/devices/chromebrowsers",
-          "httpMethod": "GET",
-          "id": "cbcm.chromebrowsers.list",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "maxResults": {
-              "description": "Maximum number of results to return.",
-              "format": "int32",
-              "location": "query",
-              "maximum": "100",
-              "minimum": "1",
-              "type": "integer"
-            },
-            "orderBy": {
-              "description": "property to use for sorting results.",
-              "location": "query",
-              "type": "string"
-            },
-            "orgUnitPath": {
-              "description": "The full path of the organizational unit or its unique ID.",
-              "location": "query",
-              "type": "string"
-            },
-            "pageToken": {
-              "description": "Token to specify the next page in the list.",
-              "location": "query",
-              "type": "string"
-            },
-            "projection": {
-              "description": "Restrict information returned to a set of selected fields. FULL or BASIC.",
-              "location": "query",
-              "type": "string"
-            },
-            "query": {
-              "description": "Search string using the list page query language.",
-              "location": "query",
-              "type": "string"
-            },
-            "sortOrder": {
-              "description": "Whether to return results in ascending or descending order. Must be used with the orderBy parameter.",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers",
-          "response": {
-            "$ref": "ChromeBrowsers"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers",
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly"
-          ]
-        },
-        "moveChromeBrowsersToOu": {
-          "description": "Move Chrome Browsers Device between Organization Units",
-          "flatPath": "{customer}/devices/chromebrowsers/moveChromeBrowsersToOu",
-          "httpMethod": "POST",
-          "id": "cbcm.chromebrowsers.moveChromeBrowsersToOu",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/moveChromeBrowsersToOu",
-          "request": {
-            "$ref": "MoveChromeBrowsersRequest"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        },
-        "update": {
-          "description": "Updates a browser.",
-          "flatPath": "{customer}/devices/chromebrowsers/{deviceId}",
-          "httpMethod": "PUT",
-          "id": "cbcm.chromebrowsers.update",
-          "parameterOrder": [
-            "customer",
-            "deviceId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "deviceId": {
-              "description": "Immutable ID of the browser.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "projection": {
-              "description": "BASIC or FULL",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/{deviceId}",
-          "request": {
-            "$ref": "ChromeBrowser"
-          },
-          "response": {
-            "$ref": "ChromeBrowser"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        }
-      }
-    },
-    "enrollmentTokens": {
-      "methods": {
-        "list": {
-          "description": "Retrieves a paginated list of all the browser entollment tokens in a domain.",
-          "flatPath": "{customer}/chrome/enrollmentTokens",
-          "httpMethod": "GET",
-          "id": "cbcm.enrollmentTokens.list",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "pageSize": {
-              "description": "Maximum number of results to return.",
-              "format": "int32",
-              "location": "query",
-              "maximum": "100",
-              "minimum": "1",
-              "type": "integer"
-            },
-            "orgUnitPath": {
-              "description": "The full path of the organizational unit or its unique ID.",
-              "location": "query",
-              "type": "string"
-            },
-            "pageToken": {
-              "description": "Token to specify the next page in the list.",
-              "location": "query",
-              "type": "string"
-            },
-            "query": {
-              "description": "Search string using the list page query language.",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/chrome/enrollmentTokens",
-          "response": {
-            "$ref": "EnrollmentTokens"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers",
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly"
-          ]
-        },
-        "create": {
-          "description": "Creates a browser enrollment token in a domain.",
-          "flatPath": "{customer}/chrome/enrollmentTokens",
-          "httpMethod": "POST",
-          "id": "cbcm.enrollmentTokens.create",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/chrome/enrollmentTokens",
-          "request": {
-            "$ref": "CreateEnrollmentTokenRequest"
-          },
-          "response": {
-            "$ref": "EnrollmentToken"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        },
-        "revoke": {
-          "description": "Revokes a browser enrollment token in a domain.",
-          "flatPath": "{customer}/chrome/enrollmentTokens/{tokenPermanentId}:revoke",
-          "httpMethod": "POST",
-          "id": "cbcm.enrollmentTokens.revoke",
-          "parameterOrder": [
-            "customer",
-            "tokenPermanentId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "tokenPermanentId": {
-              "description": "Unique identifier for an enrollment token.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/chrome/enrollmentTokens/{tokenPermanentId}:revoke",
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        }
-      }
-    }
-  },
-  "revision": "20201203",
-  "rootUrl": "https://admin.googleapis.com/admin/directory/v1.1beta1/customer/",
-  "schemas": {
-    "ChromeBrowser": {
-      "id": "ChromeBrowser",
-      "properties": {
-        "annotatedAssetId": {
-          "description": "Asset identifier as annotated by the administrator or specified during enrollment.",
-          "type": "string"
-        },
-        "annotatedLocation": {
-          "description": "Address or location of the device as annotated by the administrator.",
-          "type": "string"
-        },
-        "annotatedNotes": {
-          "description": "Notes about this device as annotated by the administrator",
-          "type": "string"
-        },
-        "annotatedUser": {
-          "description": "User of the device as annotated by the administrator.",
-          "type": "string"
-        },
-        "deviceId": {
-          "annotations": {
-            "required": [
-              "cbcm.chromebrowsers.update"
-            ]
-          },
-          "description": "The unique ID of the device.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "ChromeBrowsers": {
-      "id": "ChromeBrowsers",
-      "properties": {
-        "browsers": {
-          "description": "List of Chrome browser objects.",
-          "items": {
-            "$ref": "ChromeBrowser"
-          },
-          "type": "array"
-        },
-        "etag": {
-          "description": "ETag of the resource.",
-          "type": "string"
-        },
-        "kind": {
-          "default": "admin#directory#chromeosdevices",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "nextPageToken": {
-          "description": "Token used to access the next page of this result. To access the next page, use this token's value in the `pageToken` query string of this request.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "EnrollmentToken": {
-      "id": "EnrollmentToken",
-      "properties": {
-        "kind": {
-          "default": "admin#directory#chromeEnrollmentToken",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "tokenId": {
-          "description": "Enrollment Token ID.",
-          "type": "string"
-        },
-        "tokenPermanentId": {
-          "description": "Enrollment Token Permanent ID.",
-          "type": "string"
-        },
-        "customerId": {
-          "description": "Immutable ID of the G Suite account.",
-          "type": "string"
-        },
-        "orgUnitPath": {
-          "description": "The full path of the organizational unit or its unique ID.",
-          "type": "string"
-        },
-        "creatorId": {
-          "description": "Creator ID.",
-          "type": "string"
-        },
-        "createTime": {
-          "description": "Creation Time.",
-          "type": "string"
-        },
-        "revokerId": {
-          "description": "Revoker ID.",
-          "type": "string"
-        },
-        "revokeTime": {
-          "description": "Revoke Time",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "EnrollmentTokens": {
-      "id": "EnrollmentTokens",
-      "properties": {
-        "chrome_enrollment_tokens": {
-          "description": "List of Chrome browser enrollment token objects.",
-          "items": {
-            "$ref": "EnrollmentToken"
-          },
-          "type": "array"
-        },
-        "kind": {
-          "default": "admin#directory#chromeEnrollmentTokens",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "nextPageToken": {
-          "description": "Token used to access the next page of this result. To access the next page, use this token's value in the `pageToken` query string of this request.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "CreateEnrollmentTokenRequest": {
-      "id": "CreateEnrollmentTokenRequest",
-      "type": "object",
-      "properties": {
-        "org_unit_path": {
-          "description": "The full path of the organizational unit or its unique ID.",
-          "type": "string"
-        },
-        "expire_time": {
-          "description": "Expiration Time.",
-          "type": "string"
-        },
-        "token_type": {
-          "id": "token_type",
-          "annotations": {
-            "required": [
-              "cbcm.enrollmentTokens.create"
-            ]
-          },
-          "description": "CHROME_BROWSER.",
-          "type": "string"
-        }
-      }
-    },
-    "MoveChromeBrowsersRequest": {
-      "id": "MoveChromeBrowsersRequest",
-      "type": "object",
-      "properties": {
-        "org_unit_path": {
-          "annotations": {
-            "required": [
-              "cbcm.chromebrowsers.moveChromeBrowsersToOu"
-            ]
-          },
-          "description": "Destination organization unit to move devices to. Full path of the organizational unit or its ID prefixed with id:",
-          "type": "string"
-        },
-        "resource_ids": {
-          "annotations": {
-            "required": [
-              "cbcm.chromebrowsers.moveChromeBrowsersToOu"
-            ]
-          },
-          "description": "List of unique device IDs of Chrome Browser Devices to move. A maximum of 600 browsers may be moved per request.",
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        }
-      }
-    }
-  },
-  "servicePath": "",
-  "title": "Admin SDK API",
-  "version": "cbcm_v1.1beta1"
-}
--- a/src/contactdelegation-v1.json
+++ b/src/contactdelegation-v1.json
@@ -1,249 +0,0 @@
-{
-  "auth": {
-    "oauth2": {
-      "scopes": {
-        "https://www.googleapis.com/auth/admin.contact.delegation": {
-          "description": "View and manage your Contact Delegation"
-        },
-        "https://www.googleapis.com/auth/admin.contact.delegation.readonly": {
-          "description": "View your Contact Delegation"
-        }
-      }
-    }
-  },
-  "basePath": "",
-  "baseUrl": "https://admin.googleapis.com/admin/contacts/v1/",
-  "batchPath": "batch",
-  "canonicalName": "contactdelegation",
-  "description": "The Contact Delegation API allows Admins to delegate access of one user's, called the delegator, contacts to another user, called the delegate.",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://developers.google.com/admin-sdk/contact-delegation",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x16": "http://www.google.com/images/icons/product/search-16.gif",
-    "x32": "http://www.google.com/images/icons/product/search-32.gif"
-  },
-  "id": "contactdelegation:v1",
-  "kind": "discovery#restDescription",
-  "name": "contactdelegation",
-  "ownerDomain": "google.com",
-  "ownerName": "Google",
-  "packagePath": "admin",
-  "parameters": {
-    "$.xgafv": {
-      "description": "V1 error format.",
-      "enum": [
-        "1",
-        "2"
-      ],
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "description": "OAuth access token.",
-      "location": "query",
-      "type": "string"
-    },
-    "alt": {
-      "default": "json",
-      "description": "Data format for response.",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "callback": {
-      "description": "JSONP",
-      "location": "query",
-      "type": "string"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "key": {
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
-      "location": "query",
-      "type": "string"
-    },
-    "oauth_token": {
-      "description": "OAuth 2.0 token for the current user.",
-      "location": "query",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "default": "true",
-      "description": "Returns response with indentations and line breaks.",
-      "location": "query",
-      "type": "boolean"
-    },
-    "quotaUser": {
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "location": "query",
-      "type": "string"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    },
-    "upload_protocol": {
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    }
-  },
-  "protocol": "rest",
-  "resources": {
-    "delegates": {
-      "methods": {
-        "create": {
-          "description": "Creates a contact delegations",
-          "flatPath": "users/{user}/delegates",
-          "httpMethod": "POST",
-          "id": "contactdelegations.delegates.create",
-          "parameterOrder": [
-            "user"
-          ],
-          "parameters": {
-            "user": {
-              "description": "Email address of the delegator.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "users/{user}/delegates/{delegate}",
-          "request": {
-            "$ref": "Delegate"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.contact.delegation"
-          ]
-        },
-        "delete": {
-          "description": "Deletes a contact delegation.",
-          "flatPath": "users/{user}/delegates/{delegate}",
-          "httpMethod": "DELETE",
-          "id": "contactdelegations.delegates.delete",
-          "parameterOrder": [
-            "user",
-            "delegate"
-          ],
-          "parameters": {
-            "delegate": {
-              "description": "Email address of the delegate",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "user": {
-              "description": "Email address of the delegator.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "users/{user}/delegates/{delegate}",
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.contact.delegation"
-          ]
-        },
-        "list": {
-          "description": "Lists contact delegates for a user",
-          "flatPath": "users/{user}/delegates",
-          "httpMethod": "GET",
-          "id": "contactdelegations.delegates.list",
-          "parameterOrder": [
-            "user"
-          ],
-          "parameters": {
-            "pageSize": {
-              "description": "Determines how many delegates are returned in each response. ",
-              "format": "int32",
-              "location": "query",
-              "minimum": "1",
-              "type": "integer"
-            },
-            "pageToken": {
-              "description": "Token to specify the next page in the list.",
-              "location": "query",
-              "type": "string"
-            },
-            "user": {
-              "description": "Email address of the delegator.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "users/{user}/delegates",
-          "response": {
-            "$ref": "Delegates"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.contact.delegation",
-            "https://www.googleapis.com/auth/admin.contact.delegation.readonly"
-          ]
-        }
-      }
-    }
-  },
-  "rootUrl": "https://admin.googleapis.com/admin/contacts/v1/",
-  "schemas": {
-    "Delegate": {
-      "description": "JSON template for a delegate.",
-      "id": "Delegate",
-      "properties": {
-        "email": {
-          "description": "Email of the delegate.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "Delegates": {
-      "id": "Delegates",
-      "properties": {
-        "delegates": {
-          "description": "List of delegates.",
-          "items": {
-            "$ref": "Delegate"
-          },
-          "type": "array"
-        },
-        "etag": {
-          "description": "ETag of the resource.",
-          "type": "string"
-        },
-        "kind": {
-          "default": "",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "nextPageToken": {
-          "description": "Token used to access the next page of this result. To access the next page, use this token's value in the `pageToken` query string of this request.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    }
-  },
-  "servicePath": "",
-  "title": "Contact Delegation API",
-  "version": "v1",
-  "version_module": true
-}
--- a/src/datastudio-v1.json
+++ b/src/datastudio-v1.json
@@ -1,486 +0,0 @@
-{
-  "basePath": "",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://support.google.com/datastudio",
-  "canonicalName": "Data Studio",
-  "id": "datastudio:v1",
-  "ownerName": "Google",
-  "description": "Allows programmatic viewing and editing of Data Studio assets.",
-  "rootUrl": "https://datastudio.googleapis.com/",
-  "ownerDomain": "google.com",
-  "mtlsRootUrl": "https://datastudio.mtls.googleapis.com/",
-  "batchPath": "batch",
-  "version_module": true,
-  "version": "v1",
-  "schemas": {
-    "Asset": {
-      "id": "Asset",
-      "properties": {
-        "title": {
-          "description": "The title of the asset.",
-          "type": "string"
-        },
-        "createTime": {
-          "format": "google-datetime",
-          "description": "Date the asset was created.",
-          "type": "string"
-        },
-        "lastViewByMeTime": {
-          "type": "string",
-          "description": "Date the asset was last viewed by me.",
-          "format": "google-datetime"
-        },
-        "owner": {
-          "type": "string",
-          "description": "The owner of the asset."
-        },
-        "name": {
-          "type": "string",
-          "description": "The name of the asset."
-        },
-        "trashed": {
-          "type": "boolean",
-          "description": "Value indicating if the asset is in the trash."
-        },
-        "updateTime": {
-          "format": "google-datetime",
-          "description": "Date the asset was last modified.",
-          "type": "string"
-        },
-        "updateByMeTime": {
-          "description": "Date the asset was last modified by me.",
-          "type": "string",
-          "format": "google-datetime"
-        },
-        "assetType": {
-          "enumDescriptions": [
-            "Asset type not specified.",
-            "A report asset.",
-            "A data Source asset."
-          ],
-          "enum": [
-            "ASSET_TYPE_UNSPECIFIED",
-            "REPORT",
-            "DATA_SOURCE"
-          ],
-          "description": "The type of the asset.",
-          "type": "string"
-        }
-      },
-      "description": "A Data Studio asset.",
-      "type": "object"
-    },
-    "SearchAssetsResponse": {
-      "id": "SearchAssetsResponse",
-      "properties": {
-        "assets": {
-          "items": {
-            "$ref": "Asset"
-          },
-          "type": "array",
-          "description": "The list of assets."
-        },
-        "nextPageToken": {
-          "type": "string",
-          "description": "A token to retrieve next page of results. Pass this value in the SearchAssetsRequest.page_token field in the subsequent call to `SearchAssets` method to retrieve the next page of results."
-        }
-      },
-      "description": "Response message for DataStudioService.SearchAssets",
-      "type": "object"
-    },
-    "UpdatePermissionsRequest": {
-      "description": "Request message for DataStudioService.UpdatePermissions",
-      "properties": {
-        "updateMask": {
-          "description": "The list of fields to be updated. Currently not supported.",
-          "type": "string",
-          "format": "google-fieldmask"
-        },
-        "permissions": {
-          "description": "The permissions object to update.",
-          "$ref": "Permissions"
-        }
-      },
-      "id": "UpdatePermissionsRequest",
-      "type": "object"
-    },
-    "AddMembersRequest": {
-      "properties": {
-        "members": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Required. The members to add to the role. The format of a member is one of - user:alice@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-app@appspot.gserviceaccount.com"
-        },
-        "role": {
-          "type": "string",
-          "enumDescriptions": [
-            "Role not specified.",
-            "A viewer.",
-            "An editor.",
-            "An owner.",
-            "Link shared viewer.",
-            "Link shared editor."
-          ],
-          "enum": [
-            "ROLE_UNSPECIFIED",
-            "VIEWER",
-            "EDITOR",
-            "OWNER",
-            "LINK_VIEWER",
-            "LINK_EDITOR"
-          ],
-          "description": "Required. The role to add members to."
-        }
-      },
-      "type": "object",
-      "id": "AddMembersRequest",
-      "description": "Request message for DataStudioService.AddMembers"
-    },
-    "Permissions": {
-      "type": "object",
-      "id": "Permissions",
-      "description": "A Data Studio asset's Permissions.",
-      "properties": {
-        "permissions": {
-          "description": "A map from a Role to a list of members. Role is a string representation of the Role enum. One of: - OWNER - EDITOR - VIEWER",
-          "additionalProperties": {
-            "$ref": "Members"
-          },
-          "type": "object"
-        },
-        "etag": {
-          "format": "byte",
-          "description": "etag to detect and fail concurrent modifications",
-          "type": "string"
-        }
-      }
-    },
-    "RevokeAllPermissionsRequest": {
-      "description": "Request message for DataStudioService.RevokeAllPermissions",
-      "id": "RevokeAllPermissionsRequest",
-      "type": "object",
-      "properties": {
-        "members": {
-          "description": "Required. The members that are having their access revoked. The format of a member is one of - user:alice@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-app@appspot.gserviceaccount.com",
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      }
-    },
-    "Members": {
-      "description": "A wrapper message for a list of members.",
-      "properties": {
-        "members": {
-          "description": "Format of string is one of - user:alice@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-app@appspot.gserviceaccount.com",
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "type": "object",
-      "id": "Members"
-    }
-  },
-  "name": "datastudio",
-  "protocol": "rest",
-  "baseUrl": "https://datastudio.googleapis.com/",
-  "title": "Data Studio API",
-  "revision": "20210412",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x32": "http://www.google.com/images/icons/product/search-32.gif",
-    "x16": "http://www.google.com/images/icons/product/search-16.gif"
-  },
-  "parameters": {
-    "quotaUser": {
-      "location": "query",
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "location": "query",
-      "type": "boolean",
-      "description": "Returns response with indentations and line breaks.",
-      "default": "true"
-    },
-    "callback": {
-      "location": "query",
-      "type": "string",
-      "description": "JSONP"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "type": "string",
-      "location": "query"
-    },
-    "upload_protocol": {
-      "type": "string",
-      "location": "query",
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\")."
-    },
-    "$.xgafv": {
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "description": "V1 error format.",
-      "location": "query",
-      "type": "string",
-      "enum": [
-        "1",
-        "2"
-      ]
-    },
-    "oauth_token": {
-      "type": "string",
-      "location": "query",
-      "description": "OAuth 2.0 token for the current user."
-    },
-    "alt": {
-      "type": "string",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "location": "query",
-      "description": "Data format for response.",
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "default": "json"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "type": "string",
-      "description": "OAuth access token.",
-      "location": "query"
-    },
-    "key": {
-      "type": "string",
-      "location": "query",
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token."
-    }
-  },
-  "servicePath": "",
-  "kind": "discovery#restDescription",
-  "resources": {
-    "assets": {
-      "methods": {
-        "getPermissions": {
-          "parameters": {
-            "name": {
-              "type": "string",
-              "location": "path",
-              "description": "Required. The name of the asset.",
-              "required": true
-            },
-            "role": {
-              "enumDescriptions": [
-                "Role not specified.",
-                "A viewer.",
-                "An editor.",
-                "An owner.",
-                "Link shared viewer.",
-                "Link shared editor."
-              ],
-              "type": "string",
-              "location": "query",
-              "description": "The role of the permssion.",
-              "enum": [
-                "ROLE_UNSPECIFIED",
-                "VIEWER",
-                "EDITOR",
-                "OWNER",
-                "LINK_VIEWER",
-                "LINK_EDITOR"
-              ]
-            }
-          },
-          "id": "datastudio.assets.getPermissions",
-          "response": {
-            "$ref": "Permissions"
-          },
-          "flatPath": "v1/assets/{name}/permissions",
-          "path": "v1/assets/{name}/permissions",
-          "description": "Gets the asset's permission for a given role.",
-          "parameterOrder": [
-            "name"
-          ],
-          "httpMethod": "GET"
-        },
-        "updatePermissions": {
-          "id": "datastudio.assets.updatePermissions",
-          "parameterOrder": [
-            "name"
-          ],
-          "flatPath": "v1/assets/{name}/permissions",
-          "description": "Updates a permission.",
-          "request": {
-            "$ref": "UpdatePermissionsRequest"
-          },
-          "path": "v1/assets/{name}/permissions",
-          "parameters": {
-            "name": {
-              "description": "Required. The name of the asset.",
-              "location": "path",
-              "type": "string",
-              "required": true
-            }
-          },
-          "response": {
-            "$ref": "Permissions"
-          },
-          "httpMethod": "PATCH"
-        },
-        "get": {
-          "path": "v1/{+name}",
-          "id": "datastudio.assets.get",
-          "parameterOrder": [
-            "name"
-          ],
-          "description": "Gets the asset by name.",
-          "parameters": {
-            "name": {
-              "description": "Required. The name of the asset. Format: assets/{asset}",
-              "location": "path",
-              "required": true,
-              "pattern": "^assets/[^/]+$",
-              "type": "string"
-            }
-          },
-          "flatPath": "v1/assets/{assetsId}",
-          "response": {
-            "$ref": "Asset"
-          },
-          "httpMethod": "GET"
-        },
-        "search": {
-          "response": {
-            "$ref": "SearchAssetsResponse"
-          },
-          "path": "v1/assets:search",
-          "parameters": {
-            "pageToken": {
-              "type": "string",
-              "location": "query",
-              "description": "A token identifying a page of results the server should return. Use the value of SearchAssetsResponse.next_page_token returned from the previous call to `SearchAssets` method."
-            },
-            "assetTypes": {
-              "type": "string",
-              "repeated": true,
-              "description": "Exactly one AssetType must be specified.",
-              "enumDescriptions": [
-                "Asset type not specified.",
-                "A report asset.",
-                "A data Source asset."
-              ],
-              "location": "query",
-              "enum": [
-                "ASSET_TYPE_UNSPECIFIED",
-                "REPORT",
-                "DATA_SOURCE"
-              ]
-            },
-            "title": {
-              "description": "The title of assets to include. Not an exact match, works the same as search from the UI.",
-              "location": "query",
-              "type": "string"
-            },
-            "owner": {
-              "type": "string",
-              "location": "query",
-              "description": "The email of the owner of the asset."
-            },
-            "pageSize": {
-              "description": "Requested page size. If unspecified, server will pick an appropriate default.",
-              "location": "query",
-              "type": "integer",
-              "format": "int32"
-            },
-            "orderBy": {
-              "location": "query",
-              "description": "How the results should be ordered. Valid options are: - title",
-              "type": "string"
-            },
-            "includeTrashed": {
-              "location": "query",
-              "type": "boolean",
-              "description": "Value indicating if assets in trash should be included."
-            }
-          },
-          "flatPath": "v1/assets:search",
-          "httpMethod": "GET",
-          "description": "Searches assets.",
-          "id": "datastudio.assets.search",
-          "parameterOrder": []
-        }
-      },
-      "resources": {
-        "permissions": {
-          "methods": {
-            "revokeAllPermissions": {
-              "path": "v1/assets/{name}/permissions:revokeAllPermissions",
-              "response": {
-                "$ref": "Permissions"
-              },
-              "flatPath": "v1/assets/{name}/permissions:revokeAllPermissions",
-              "id": "datastudio.assets.permissions.revokeAllPermissions",
-              "description": "Revokes one or more members' access to an asset.",
-              "parameters": {
-                "name": {
-                  "required": true,
-                  "type": "string",
-                  "location": "path",
-                  "description": "Required. The name of the asset."
-                }
-              },
-              "parameterOrder": [
-                "name"
-              ],
-              "httpMethod": "POST",
-              "request": {
-                "$ref": "RevokeAllPermissionsRequest"
-              }
-            },
-            "addMembers": {
-              "path": "v1/assets/{name}/permissions:addMembers",
-              "parameters": {
-                "name": {
-                  "required": true,
-                  "location": "path",
-                  "type": "string",
-                  "description": "Required. The name of the asset."
-                }
-              },
-              "httpMethod": "POST",
-              "parameterOrder": [
-                "name"
-              ],
-              "response": {
-                "$ref": "Permissions"
-              },
-              "id": "datastudio.assets.permissions.addMembers",
-              "request": {
-                "$ref": "AddMembersRequest"
-              },
-              "description": "Adds one or more members to a role.",
-              "flatPath": "v1/assets/{name}/permissions:addMembers"
-            }
-          }
-        }
-      }
-    }
-  }
-}
--- a/src/drive-v3beta.json
+++ b/src/drive-v3beta.json
--- a/src/gam-install.sh
+++ b/src/gam-install.sh
@@ -8,7 +8,7 @@ GAM installation script.
 OPTIONS:
   -h      show help.
   -d      Directory where gam folder will be installed. Default is \$HOME/bin/
-   -a      Architecture to install (i386, x86_64, x86_64_legacy, arm, arm64). Default is to detect your arch with "uname -m".
+   -a      Architecture to install (x86_64, arm64). Default is to detect your arch with "uname -m".
   -o      OS we are running (linux, macos). Default is to detect your OS with "uname -s".
   -b      OS version. Default is to detect on MacOS and Linux.
   -l      Just upgrade GAM to latest version. Skips project creation and auth.
@@ -21,7 +21,7 @@ EOF
 }

 target_dir="$HOME/bin"
-target_gam="gam7/gam"
+target_folder="$target_dir/gam7"
 gamarch=$(uname -m)
 gamos=$(uname -s)
 osversion=""
@@ -30,15 +30,13 @@ upgrade_only=false
 gamversion="latest"
 adminuser=""
 regularuser=""
-gam_x86_64_glibc_vers="2.35 2.31"
-gam_arm64_glibc_vers="2.31"
 strip_gam="--strip-components 0"

 while getopts "hd:a:o:b:lp:u:r:v:s" OPTION
 do
     case $OPTION in
         h) usage; exit;;
-         d) target_dir="$OPTARG";;
+         d) target_dir="${OPTARG%/}"; target_folder="$target_dir/gam7";;
         a) gamarch="$OPTARG";;
         o) gamos="$OPTARG";;
         b) osversion="$OPTARG";;
@@ -47,13 +45,11 @@ do
         u) adminuser="$OPTARG";;
         r) regularuser="$OPTARG";;
         v) gamversion="$OPTARG";;
-         s) strip_gam="--strip-components 1"; target_gam="gam";;
+         s) strip_gam="--strip-components 1"; target_folder="$target_dir";;
         ?) usage; exit;;
     esac
 done
-
-# remove possible / from end of target_dir
-target_dir=${target_dir%/}
+target_gam="$target_folder/gam"

 update_profile() {
        [ "$2" -eq 1 ] || [ -f "$1" ] || return 1
@@ -90,7 +86,6 @@ version_gt()
 # MacOS < 10.13 doesn't support sort -V
 echo "" | sort -V > /dev/null 2>&1
 vsort_failed=$?
-echo "Check:${2}"
 if [ "${1}" = "${2}" ]; then
  true
 elif (( $vsort_failed != 0 )); then
@@ -100,81 +95,6 @@ else
 fi
 }

-case $gamos in
-  [lL]inux)
-    gamos="linux"
-    if [ "$osversion" == "" ]; then
-      this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
-    else
-      this_glibc_ver=$osversion
-    fi
-    echo "This Linux distribution uses glibc $this_glibc_ver"
-    case $gamarch in
-      x86_64)
-        useglibc="legacy"
-        for gam_glibc_ver in $gam_x86_64_glibc_vers; do
-          if version_gt $this_glibc_ver $gam_glibc_ver; then
-            useglibc="glibc$gam_glibc_ver"
-            echo_green "Using GAM compiled against $useglibc"
-            break
-          fi
-        done
-        gamfile="linux-x86_64-$useglibc.tar.xz";;
-      arm|arm64|aarch64)
-        useglibc=""
-        for gam_glibc_ver in $gam_arm64_glibc_vers; do
-          if version_gt $this_glibc_ver $gam_glibc_ver; then
-            useglibc="glibc$gam_glibc_ver"
-            echo_green "Using GAM compiled against $useglibc"
-            break
-          fi
-        done
-        if [ "$useglibc" == "" ]; then
-          echo_red "Sorry, you need to be running at least glibc $useglibc to run GAM"
-          exit
-        fi
-        gamfile="linux-aarch64-$useglibc.tar.xz";;
-      *)
-        echo_red "ERROR: this installer currently only supports x86_64 and arm64 Linux. Looks like you're running on $gamarch. Exiting."
-        exit
-    esac
-    ;;
-  [Mm]ac[Oo][sS]|[Dd]arwin)
-    gamos="macos"
-    fullversion=$(sw_vers -productVersion)
-    osversion=${fullversion:0:2}
-    case $gamarch in
-      x86_64)
-        gamfile="macos-x86_64.tar.xz"
-	minimum_version=13
-        ;;
-      arm|arm64|aarch64)
-        gamfile="macos-aarch64.tar.xz"
-	minimum_version=14
-        ;;
-      *)
-        echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on $gamarch. Exiting."
-        exit
-	;;
-    esac
-    if [[ "$osversion" -ge "$minimum_version" ]]; then
-      echo_green "You are running MacOS ${fullversion}, good. Using GAM with ${gamfile}."
-    else
-      echo_red "Sorry, you are running MacOS ${fullversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
-      exit
-    fi
-    ;;
-  MINGW64_NT*)
-    gamos="windows"
-    echo "You are running Windows"
-    gamfile="-windows-x86_64.zip"
-    ;;
-  *)
-    echo_red "Sorry, this installer currently only supports Linux and MacOS. Looks like you're running on $gamos. Exiting."
-    exit
-    ;;
-esac
-
 if [ "$gamversion" == "latest" ]; then
  release_url="https://api.github.com/repos/GAM-team/GAM/releases/latest"
 elif [ "$gamversion" == "prerelease" -o "$gamversion" == "draft" ]; then
@@ -185,15 +105,34 @@ fi

 if [ -z ${GHCLIENT+x} ]; then
  check_type="unauthenticated"
-  echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
-  release_json=$(curl -s "$release_url" 2>&1 /dev/null)
+  curl_opts=( )
 else
  check_type="authenticated"
-  echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
-  release_json=$(curl -s "$GHCLIENT" "$release_url" 2>&1 /dev/null)
+  curl_opts=( "$GHCLIENT" )
+fi
+curl_ver=$(curl --version|head -1|cut -d " " -f 2)
+if [[ "${curl_ver:0:4}" < "7.76" ]]; then
+  curl_fail=( )
+else
+  curl_fail=( "--fail-with-body" )
+fi
+echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
+release_json=$(curl \
+	--silent \
+	"${curl_opts[@]}" \
+	-H "Accept: application/vnd.github+json" \
+	-H "X-GitHub-Api-Version: 2022-11-28" \
+	"$release_url" \
+	"${curl_fail[@]}")
+curl_exit_code=$?
+if [ $curl_exit_code -ne 0 ]; then
+  echo_red "ERROR retrieving URL: ${release_json}"
+  exit
+else
+  echo_green "done"
 fi

-echo_yellow "Getting file and download URL..."
+echo_yellow "Calculating download URL for this device..."
 # Python is sadly the nearest to universal way to safely handle JSON with Bash
 # At least this code should be compatible with just about any Python version ever
 # unlike GAM itself. If some users don't have Python we can try grep / sed / etc
@@ -215,11 +154,9 @@ if type(release) is list:
    break
 try:
  for asset in release['assets']:
-    if asset[attrib].endswith('$gamfile'):
-      print(asset[attrib])
-      break
-  else:
-    print('ERROR: Attribute: {0} for $gamfile version {1} not found'.format(attrib, gamversion))
+    print(asset[attrib])
+  #else:
+  #  print('ERROR: Attribute: {0} for version {1} not found'.format(attrib, gamversion))
 except KeyError:
  print('ERROR: assets value not found in JSON value of:\n\n%s' % release)"

@@ -245,41 +182,161 @@ if (( $rc != 0 )); then
  echo_red "ERROR: No version of python installed."
  exit
 fi
+# also sort the URLs once so we're evaluating newest OS version first
+download_urls=$(echo "$release_json" | \
+	        $pycmd -c "$pycode" browser_download_url "$gamversion" | \
+	        sort --version-sort --reverse)
+if [[ ${download_urls:0:5} = "ERROR" ]]; then
+  echo_red "${download_urls}"
+  exit
+fi
+
+case $gamos in
+  [lL]inux)
+    gamos="linux"
+    download_urls=$(echo -e "$download_urls" | grep -e "-linux-")
+    if [ "$osversion" == "" ]; then
+      this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
+    else
+      this_glibc_ver=$osversion
+    fi
+    echo "This Linux distribution uses glibc $this_glibc_ver"
+    case $gamarch in
+      x86_64)
+	download_urls=$(echo -e "$download_urls" | grep -e "-x86_64-")
+	gam_x86_64_glibc_vers=$(echo -e "$download_urls" | \
+		grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' \
+	        | cut -c 6-9 )
+	useglibc="legacy"
+        for gam_glibc_ver in $gam_x86_64_glibc_vers; do
+	  if version_gt $this_glibc_ver $gam_glibc_ver; then
+            useglibc="glibc$gam_glibc_ver"
+            echo_green "Using GAM compiled against $useglibc"
+            break
+          fi
+        done
+        download_url=$(echo -e "$download_urls" | grep "$useglibc")
+	;;
+      arm|arm64|aarch64)
+        download_urls=$(echo -e "$download_urls" | grep -e "-arm64-\|-aarch64-")
+        gam_arm64_glibc_vers=$(echo -e "$download_urls" | \
+                grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' | \
+                cut -c 6-9)
+        useglibc="legacy"
+        for gam_glibc_ver in $gam_arm64_glibc_vers; do
+          if version_gt $this_glibc_ver $gam_glibc_ver; then
+            useglibc="glibc$gam_glibc_ver"
+            echo_green "Using GAM compiled against $useglibc"
+            break
+          fi
+        done
+        download_url=$(echo -e "$download_urls" | grep "$useglibc")
+	;;
+      *)
+        echo_red "ERROR: this installer currently only supports x86_64 and arm64 Linux. Looks like you're running on $gamarch. Exiting."
+        exit
+    esac
+    ;;
+  [Mm]ac[Oo][sS]|[Dd]arwin)
+    gamos="macos"
+    currentversion=$(sw_vers -productVersion | awk -F '.' '{print $1 "." $2}')
+    # override osversion only if it wasn't set by cli arguments
+    osversion=${osversion:-${currentversion}}
+    # override osversion only if it wasn't set by cli arguments
+    download_urls=$(echo -e "$download_urls" | grep -e "-macos")
+    case $gamarch in
+      x86_64)
+        archgrep="-x86_64"
+	;;
+      arm|arm64|aarch64)
+        archgrep="-arm64\|-aarch64"
+        ;;
+      *)
+        echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on ${gamarch}. Exiting."
+        exit
+	;;
+    esac
+    gam_macos_urls=$(echo -e "$download_urls" | \
+                     grep -e $archgrep)
+    versionless_urls=$(echo -e "$gam_macos_urls" | \
+                       grep -e "-macos-")
+    if [ "$versionless_urls" == "" ]; then
+        # versions after 7.00.38 include MacOS version info
+        gam_macos_vers=$(echo -e "$gam_macos_urls" | \
+                         grep --only-matching -e '-macos[0-9\.]*' | \
+                         cut -c 7-10)
+        for gam_mac_ver in $gam_macos_vers; do
+            if version_gt $currentversion $gam_mac_ver; then
+                download_url=$(echo -e "$gam_macos_urls" | grep "$gam_mac_ver")
+                echo_green "You are running MacOS ${currentversion} Using GAM compiled against ${gam_mac_ver}"
+                break
+            fi
+            done
+        if [ -z ${download_url+x} ]; then
+	    echo_red "Sorry, you are running MacOS ${osversion} but GAM on ${gamarch} requires MacOS ${gam_mac_ver} or newer. Exiting."
+            exit
+	fi
+    else
+        # versions 7.00.38 and older don't include version info
+        case $gamarch in
+            x86_64)
+	        minimum_version=13
+                ;;
+            arm|arm64|aarch64)
+	        minimum_version=14
+                ;;
+        esac
+        download_url=$(echo -e "$download_urls" | grep -e $archgrep)
+        if version_gt "$osversion" "$minimum_version"; then
+            echo_green "You are running MacOS ${osversion}, good. Downloading GAM from ${download_url}."
+        else
+          echo_red "Sorry, you are running MacOS ${osversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
+          exit
+        fi 
+        if [ -z ${download_url+x} ]; then
+          echo_red "Sorry, you are running MacOS ${currentversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
+          exit
+        fi
+    fi
+    ;;
+  MINGW64_NT*)
+    gamos="windows"
+    echo "You are running Windows"
+    download_url=$(echo -e "$download_urls" | \
+                   grep -e "-windows-" | \
+                   grep ".zip")
+    ;;
+  *)
+    echo_red "Sorry, this installer currently only supports Linux and MacOS. Looks like you're running on ${gamos}. Exiting."
+    exit
+    ;;
+esac

-browser_download_url=$(echo "$release_json" | $pycmd -c "$pycode" browser_download_url "$gamversion")
-if [[ ${browser_download_url:0:5} = "ERROR" ]]; then
-  echo_red "${browser_download_url}"
-  exit
-fi
-name=$(echo "$release_json" | $pycmd -c "$pycode" name "$gamversion")
-if [[ ${name:0:5} = "ERROR" ]]; then
-  echo_red "${name}"
-  exit
-fi
 # Temp dir for archive
-#temp_archive_dir=$(mktemp -d)
 temp_archive_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')

 # Clean up after ourselves even if we are killed with CTRL-C
 trap "rm -rf $temp_archive_dir" EXIT

-echo_yellow "Downloading file $name from $browser_download_url to $temp_archive_dir ($check_type)..."
-# Save archive to temp w/o losing our path
-if [ -z ${GHCLIENT+x} ]; then
-  (cd "$temp_archive_dir" && curl -O -L $browser_download_url)
-else
-  (cd "$temp_archive_dir" && curl -O -L $GHCLIENT $browser_download_url)
-fi
+# hack to grab the end of the URL which should be the filename.
+name=$(echo -e "$download_url" | rev | cut -f1 -d "/" | rev)

-mkdir -p "$target_dir"
+echo_yellow "Downloading ${download_url} to $temp_archive_dir ($check_type)..."
+# Save archive to temp w/o losing our path
+(cd "$temp_archive_dir" && curl -O -L -s "${curl_opts[@]}" "$download_url")
+
+mkdir -p "$target_folder"
+echo_yellow "Deleting contents of $target_folder/lib"
+rm -frv "$target_folder/lib"

 echo_yellow "Extracting archive to $target_dir"
-if [[ "${name}" == *.tar.xz ]]; then
-  tar $strip_gam -xf "$temp_archive_dir"/"$name" -C "$target_dir"
-elif [[ "${name}" == *.tar ]]; then
+if [[ "$name" =~ tar.xz|tar.gz|tar ]]; then
  tar $strip_gam -xf "$temp_archive_dir"/"$name" -C "$target_dir"
+elif [[ "$name" == *.zip ]]; then
+  unzip -o "${temp_archive_dir}/${name}" -d "${target_dir}"
 else
-  unzip "${temp_archive_dir}/${name}" -d "${target_dir}"
+  echo "I don't know what to do with files like ${name}. Giving up."
+  exit 1
 fi
 rc=$?
 if (( $rc != 0 )); then
@@ -291,7 +348,7 @@ fi

 # Update profile to add gam command
 if [ "$update_profile" = true ]; then
-  alias_line="alias gam=\"${target_dir// /\\ }/$target_gam\""
+  alias_line="alias gam=\"$target_gam\""
  if [ "$gamos" == "linux" ]; then
    update_profile "$HOME/.bash_aliases" 0 || update_profile "$HOME/.bash_profile" 0 || update_profile "$HOME/.bashrc" 0
    update_profile "$HOME/.zshrc" 0
@@ -305,7 +362,7 @@ fi

 if [ "$upgrade_only" = true ]; then
  echo_green "Here's information about your GAM upgrade:"
-  "$target_dir/$target_gam" version extended
+  "$target_gam" version extended
  rc=$?
  if (( $rc != 0 )); then
    echo_red "ERROR: Failed running GAM for the first time with return code $rc. Please report this error to GAM mailing list. Exiting."
@@ -327,7 +384,7 @@ while true; do
      ;;
    [Nn]*)
 #      config_cmd="config no_browser true"
-      touch "$target_dir/gam/nobrowser.txt" > /dev/null 2>&1
+      touch "$target_folder/nobrowser.txt" > /dev/null 2>&1
      break
      ;;
    *)
@@ -345,8 +402,8 @@ while true; do
      if [ "$adminuser" == "" ]; then
        read -p "Please enter your Google Workspace admin email address: " adminuser
      fi
-#      "$target_dir/$target_gam" $config_cmd create project $adminuser
-      "$target_dir/$target_gam" create project $adminuser
+#      "$target_gam" $config_cmd create project $adminuser
+      "$target_gam" create project $adminuser
      rc=$?
      if (( $rc == 0 )); then
        echo_green "Project creation complete."
@@ -371,8 +428,8 @@ while $project_created; do
  read -p "Are you ready to authorize GAM to perform Google Workspace management operations as your admin account? (yes or no) " yn
  case $yn in
    [Yy]*)
-#      "$target_dir/$target_gam" $config_cmd oauth create $adminuser
-      "$target_dir/$target_gam" oauth create $adminuser
+#      "$target_gam" $config_cmd oauth create $adminuser
+      "$target_gam" oauth create $adminuser
      rc=$?
      if (( $rc == 0 )); then
        echo_green "Admin authorization complete."
@@ -401,8 +458,8 @@ while $admin_authorized; do
        read -p "Please enter the email address of a regular Google Workspace user: " regularuser
      fi
      echo_yellow "Great! Checking service account scopes.This will fail the first time. Follow the steps to authorize and retry. It can take a few minutes for scopes to PASS after they've been authorized in the admin console."
-#      "$target_dir/$target_gam" $config_cmd user $regularuser check serviceaccount
-      "$target_dir/$target_gam" user $regularuser check serviceaccount
+#      "$target_gam" $config_cmd user $regularuser check serviceaccount
+      "$target_gam" user $regularuser check serviceaccount
      rc=$?
      if (( $rc == 0 )); then
        echo_green "Service account authorization complete."
@@ -423,8 +480,8 @@ while $admin_authorized; do
 done

 echo_green "Here's information about your new GAM installation:"
-#"$target_dir/$target_gam" $config_cmd save version extended
-"$target_dir/$target_gam" version extended
+#"$target_gam" $config_cmd save version extended
+"$target_gam" version extended
 rc=$?
 if (( $rc != 0 )); then
  echo_red "ERROR: Failed running GAM for the first time with $rc. Please report this error to GAM mailing list. Exiting."
--- a/src/gam.exe.manifest
+++ b/src/gam.exe.manifest
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
+<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
+    <application> 
+        <!-- Windows 8.1 / Server 2012 R2 -->
+        <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
+        <!-- Windows 10+ / Server 2016+ -->
+        <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
+    </application> 
+</compatibility>
+</assembly>
--- a/src/gam.spec
+++ b/src/gam.spec
@@ -1,21 +1,38 @@
 # -*- mode: python ; coding: utf-8 -*-
 from os import getenv
-from re import search
+import re
 from sys import platform

 from PyInstaller.utils.hooks import copy_metadata

 from gam.gamlib.glverlibs import GAM_VER_LIBS

+
+with open("gam/__init__.py") as f:
+    version_file = f.read()
+version = re.search(r"^__version__ = ['\"]([^'\"]*)['\"]", version_file, re.M).group(1)
+version_list = [int(i) for i in version.split('.')]
+while len(version_list) < 4:
+  version_list.append(0)
+version_tuple = tuple(version_list)
+version_str = str(version_tuple)
+with open("version_info.txt.in") as f:
+    version_info = f.read()
+version_info = version_info.replace("{VERSION}", version).replace(
+    "{VERSION_TUPLE}", version_str
+)
+with open("version_info.txt", "w") as f:
+    f.write(version_info)
+print(version_info)
+
 datas = []
 for pkg in GAM_VER_LIBS:
    datas += copy_metadata(pkg, recursive=True)
-datas += [('admin-directory_v1.1beta1.json', '.')]
-datas += [('cbcm-v1.1beta1.json', '.')]
-datas += [('contactdelegation-v1.json', '.')]
-datas += [('datastudio-v1.json', '.')]
-datas += [('drive-v3beta.json', '.')]
-datas += [('serviceaccountlookup-v1.json', '.')]
+datas += [('gam/cbcm-v1.1beta1.json', '.')]
+datas += [('gam/contactdelegation-v1.json', '.')]
+datas += [('gam/datastudio-v1.json', '.')]
+datas += [('gam/meet-v2beta.json', '.')]
+datas += [('gam/serviceaccountlookup-v1.json', '.')]
 datas += [('cacerts.pem', '.')]
 hiddenimports = [
     'gam.gamlib.yubikey',
@@ -51,6 +68,8 @@ pyz = PYZ(a.pure,
 target_arch = None
 codesign_identity = None
 entitlements_file = None
+manifest = None
+version = 'version_info.txt'
 match platform:
    case "darwin":
        if getenv('arch') == 'universal2':
@@ -63,6 +82,7 @@ match platform:
    case "win32":
        target_arch = None
        strip = False
+        manifest = 'gam.exe.manifest'
    case _:
        target_arch = None
        strip = True
@@ -84,6 +104,7 @@ if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
              debug=debug,
              bootloader_ignore_signals=bootloader_ignore_signals,
              strip=strip,
+              manifest=manifest,
              upx=upx,
              console=console,
              # put most everyting under a lib/ subfolder
@@ -93,6 +114,7 @@ if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
              target_arch=target_arch,
              codesign_identity=codesign_identity,
              entitlements_file=entitlements_file,
+              version=version,
              )
    coll = COLLECT(
        exe,
@@ -116,6 +138,7 @@ else:
              name=name,
              debug=debug,
              bootloader_ignore_signals=bootloader_ignore_signals,
+              manifest=manifest,
              strip=strip,
              upx=upx,
              console=console,
@@ -124,5 +147,6 @@ else:
              target_arch=target_arch,
              codesign_identity=codesign_identity,
              entitlements_file=entitlements_file,
+              version=version,
              )

--- a/src/gam.wxs
+++ b/src/gam.wxs
@@ -32,8 +32,11 @@
    <SetDirectory Id="WINDOWSVOLUME" Value="[WindowsVolume]"/>
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="WINDOWSVOLUME">
-          <Directory Id="INSTALLFOLDER" Name="GAM7" />
-        </Directory>
+        <Directory Id="INSTALLFOLDER" Name="GAM7">
+          <Directory Id="lib" Name="lib">
+	  </Directory>
+	</Directory>
+      </Directory>
    </Directory>
  </Fragment>

@@ -42,7 +45,7 @@
    <ComponentGroup
        Id="ProductComponents"
        Directory="INSTALLFOLDER"
-        Source="dist/gam7">
+	Source="dist/gam/gam7">
      <Component Id="gam_exe" Guid="d046ea24-c9f8-40ca-84db-70b0119933ff">
        <File Name="gam.exe" KeyPath="yes" />
        <Environment Id="PATH" Name="PATH" Value="[INSTALLFOLDER]" Permanent="yes" Part="last" Action="set" System="yes" />
@@ -62,6 +65,7 @@
      <Component Id="cacerts_pem" Guid="61fe2b2d-1646-4bed-b844-193965e97727">
        <File Name="cacerts.pem" KeyPath="yes" />
      </Component>
+      <ComponentGroupRef Id="Lib" />
    </ComponentGroup>
  </Fragment>

--- a/src/gam.wxs.template
+++ b/src/gam.wxs.template
@@ -1,56 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi" >
-  <Product
-      Id="*"
-      Name="GAM7"
-      Language="1033"
-      Version="$(env.GAMVERSION)"
-      Manufacturer="GAM Team - google-apps-manager@googlegroups.com"
-      UpgradeCode="D86B52B2-EFE9-4F9D-8BA3-9D84B9B2D319">
-    <Package
-        InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
-
-    <MajorUpgrade
-        DowngradeErrorMessage=
-            "A newer version of [ProductName] is already installed."
-        Schedule="afterInstallExecute" />
-    <MediaTemplate EmbedCab="yes" />
-
-    <Property Id="WIXUI_INSTALLDIR" Value="INSTALLFOLDER" />
-    <WixVariable Id="WixUILicenseRtf" Value="LICENSE.rtf" />
-    <UIRef Id="WixUI_InstallDir" />
-
-    <Feature
-        Id="gam"
-        Title="GAM7"
-        Level="1">
-      <ComponentGroupRef Id="ProductComponents" />
-    </Feature>
-  </Product>
-
-  <Fragment>
-    <SetDirectory Id="WINDOWSVOLUME" Value="[WindowsVolume]"/>
-    <Directory Id="TARGETDIR" Name="SourceDir">
-      <Directory Id="WINDOWSVOLUME">
-          <Directory Id="INSTALLFOLDER" Name="GAM7" />
-        </Directory>
-    </Directory>
-  </Fragment>
-
-  <Fragment>
-    <!-- Group of components that are our main application items -->
-    <ComponentGroup
-        Id="ProductComponents"
-        Directory="INSTALLFOLDER"
-        Source="dist/gam7">
-REPLACE_ME_WITH_FILE_COMPONENTS
-    </ComponentGroup>
-  </Fragment>
-
-  <Fragment>
-    <InstallUISequence>
-      <ExecuteAction />
-      <Show Dialog="WelcomeDlg" Before="ProgressDlg" />
-    </InstallUISequence>
-  </Fragment>
-</Wix>
--- a/src/gam/init.py
+++ b/src/gam/init.py
--- a/src/gam/admin-directory_v1.1beta1.json
+++ b/src/gam/admin-directory_v1.1beta1.json
--- a/src/gam/atom/http.py
+++ b/src/gam/atom/http.py
@@ -247,7 +247,9 @@ class ProxiedHttpClient(HttpClient):
                # Trivial setup for ssl socket.
                sslobj = None
                if ssl_imported:
-                    sslobj = ssl.wrap_socket(p_sock, None, None)
+                    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                    context.minimum_version = ssl.TLSVersion.TLSv1_2
+                    sslobj = context.wrap_socket(p_sock, server_hostname=url.host)
                else:
                    sock_ssl = socket.ssl(p_sock, None, None)
                    sslobj = http.client.FakeSocket(p_sock, sock_ssl)
--- a/src/gam/atom/http_core.py
+++ b/src/gam/atom/http_core.py
@@ -564,9 +564,11 @@ class ProxiedHttpClient(HttpClient):
            # Trivial setup for ssl socket.
            sslobj = None
            if ssl is not None:
-                sslobj = ssl.wrap_socket(p_sock, None, None)
+                context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                context.minimum_version = ssl.TLSVersion.TLSv1_2
+                sslobj = context.wrap_socket(p_sock, server_hostname=uri.host)
            else:
-                sock_ssl = socket.ssl(p_sock, None, Nonesock_)
+                sock_ssl = socket.ssl(p_sock, None, None)
                sslobj = http.client.FakeSocket(p_sock, sock_ssl)
            # Initalize httplib and replace with the proxy socket.
            connection = http.client.HTTPConnection(proxy_uri.host)
--- a/src/gam/atom/mock_http.py
+++ b/src/gam/atom/mock_http.py
@@ -108,7 +108,7 @@ class MockHttpClient(atom.http_interface.GenericHttpClient):
            for recording in self.recordings:
                if recording[0].operation == operation and recording[0].url == url:
                    return recording[1]
-            raise NoRecordingFound('No recodings found for %s %s' % (
+            raise NoRecordingFound('No recordings found for %s %s' % (
                operation, url))
        else:
            # There is a real HTTP client, so make the request, and record the
--- a/src/gam/drive-v3beta.json
+++ b/src/gam/drive-v3beta.json
--- a/src/gam/gamlib/glaction.py
+++ b/src/gam/gamlib/glaction.py
@@ -38,8 +38,8 @@ class GamAction():
  CLAIM_OWNERSHIP = 'clow'
  CLEAR = 'clea'
  CLOSE = 'clos'
-  COLLECT = 'collect'
-  COMMENT = 'comment'
+  COLLECT = 'coll'
+  COMMENT = 'comm'
  COPY = 'copy'
  COPY_MERGE = 'copm'
  CREATE = 'crea'
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -22,7 +22,6 @@
 # APIs
 ACCESSCONTEXTMANAGER = 'accesscontextmanager'
 ALERTCENTER = 'alertcenter'
-ANALYTICS = 'analytics'
 ANALYTICS_ADMIN = 'analyticsadmin'
 CALENDAR = 'calendar'
 CBCM = 'cbcm'
@@ -37,6 +36,7 @@ CHAT_SPACES_DELETE = 'chatspacesdelete'
 CHAT_SPACES_DELETE_ADMIN = 'chatspacesdeleteadmin'
 CHROMEMANAGEMENT = 'chromemanagement'
 CHROMEMANAGEMENT_APPDETAILS = 'chromemanagementappdetails'
+CHROMEMANAGEMENT_CHROMEPROFILES = 'chromemanagementchromeprofiles'
 CHROMEMANAGEMENT_TELEMETRY = 'chromemanagementtelemetry'
 CHROMEPOLICY = 'chromepolicy'
 CHROMEVERSIONHISTORY = 'versionhistory'
@@ -44,21 +44,20 @@ CLASSROOM = 'classroom'
 CLOUDCHANNEL = 'cloudchannel'
 CLOUDIDENTITY_DEVICES = 'cloudidentitydevices'
 CLOUDIDENTITY_GROUPS = 'cloudidentitygroups'
+CLOUDIDENTITY_GROUPS_BETA = 'cloudidentitygroupsbeta'
 CLOUDIDENTITY_INBOUND_SSO = 'cloudidentityinboundsso'
 CLOUDIDENTITY_ORGUNITS = 'cloudidentityorgunits'
 CLOUDIDENTITY_ORGUNITS_BETA = 'cloudidentityorgunitsbeta'
+CLOUDIDENTITY_POLICY = 'cloudidentitypolicy'
 CLOUDIDENTITY_USERINVITATIONS = 'cloudidentityuserinvitations'
 CLOUDRESOURCEMANAGER = 'cloudresourcemanager'
-CLOUDRESOURCEMANAGER_V1 = 'cloudresourcemanager1'
 CONTACTS = 'contacts'
 CONTACTDELEGATION = 'contactdelegation'
 DATATRANSFER = 'datatransfer'
 DIRECTORY = 'directory'
-DIRECTORY_BETA = 'directory_beta'
 DOCS = 'docs'
 DRIVE2 = 'drive2'
 DRIVE3 = 'drive3'
-DRIVE3B = 'drive3b'
 DRIVETD = 'drivetd'
 DRIVEACTIVITY = 'driveactivity'
 DRIVELABELS = 'drivelabels'
@@ -71,11 +70,11 @@ GROUPSMIGRATION = 'groupsmigration'
 GROUPSSETTINGS = 'groupssettings'
 IAM = 'iam'
 IAM_CREDENTIALS = 'iamcredentials'
-IAP = 'iap'
 KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
 MEET = 'meet'
+MEET_BETA = 'meetbeta'
 OAUTH2 = 'oauth2'
 ORGPOLICY = 'orgpolicy'
 PEOPLE = 'people'
@@ -90,7 +89,6 @@ SERVICEMANAGEMENT = 'servicemanagement'
 SERVICEUSAGE = 'serviceusage'
 SHEETS = 'sheets'
 SHEETSTD = 'sheetstd'
-SITES = 'sites'
 SITEVERIFICATION = 'siteVerification'
 STORAGE = 'storage'
 STORAGEREAD = 'storageread'
@@ -163,7 +161,6 @@ PROJECT_APIS = [
  'accesscontextmanager.googleapis.com',
  'admin.googleapis.com',
  'alertcenter.googleapis.com',
-  'analytics.googleapis.com',
  'analyticsadmin.googleapis.com',
 #  'audit.googleapis.com',
  'calendar-json.googleapis.com',
@@ -185,7 +182,6 @@ PROJECT_APIS = [
  'groupsmigration.googleapis.com',
  'groupssettings.googleapis.com',
  'iam.googleapis.com',
-  'iap.googleapis.com',
  'keep.googleapis.com',
  'licensing.googleapis.com',
  'meet.googleapis.com',
@@ -203,7 +199,6 @@ PROJECT_APIS = [
 _INFO = {
  ACCESSCONTEXTMANAGER: {'name': 'Access Context Manager API', 'version': 'v1', 'v2discovery': True},
  ALERTCENTER: {'name': 'AlertCenter API', 'version': 'v1beta1', 'v2discovery': True},
-  ANALYTICS: {'name': 'Analytics API', 'version': 'v3', 'v2discovery': False},
  ANALYTICS_ADMIN: {'name': 'Analytics Admin API', 'version': 'v1beta', 'v2discovery': True},
  CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
  CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
@@ -225,36 +220,36 @@ _INFO = {
  CLOUDCHANNEL: {'name': 'Channel Channel API', 'version': 'v1', 'v2discovery': True},
  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity Devices API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity Groups API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity Groups API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity Inbound SSO API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity User Invitations API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDRESOURCEMANAGER: {'name': 'Cloud Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
  CONTACTS: {'name': 'Contacts API', 'version': 'v3', 'v2discovery': False},
  CONTACTDELEGATION: {'name': 'Contact Delegation API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
  DATATRANSFER: {'name': 'Data Transfer API', 'version': 'datatransfer_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
  DIRECTORY: {'name': 'Directory API', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
-  DIRECTORY_BETA: {'name': 'Directory API', 'version': 'directory_v1.1beta1', 'v2discovery': True, 'mappedAPI': 'admin', 'localjson': True},
  DOCS: {'name': 'Docs API', 'version': 'v1', 'v2discovery': True},
  DRIVE2: {'name': 'Drive API v2', 'version': 'v2', 'v2discovery': False, 'mappedAPI': 'drive'},
  DRIVE3: {'name': 'Drive API v3', 'version': 'v3', 'v2discovery': False, 'mappedAPI': 'drive'},
-  DRIVE3B: {'name': 'Drive API v3beta', 'version': 'v3beta', 'v2discovery': False, 'mappedAPI': 'drive', 'localjson': True},
  DRIVETD: {'name': 'Drive API v3 - todrive', 'version': 'v3', 'v2discovery': False, 'mappedAPI': 'drive'},
  DRIVEACTIVITY: {'name': 'Drive Activity API v2', 'version': 'v2', 'v2discovery': True},
-  DRIVELABELS_ADMIN: {'name': 'Drive Labels API v2beta - Admin', 'version': 'v2beta', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
-  DRIVELABELS_USER: {'name': 'Drive Labels API v2beta - User', 'version': 'v2beta', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
+  DRIVELABELS_ADMIN: {'name': 'Drive Labels API - Admin', 'version': 'v2', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
+  DRIVELABELS_USER: {'name': 'Drive Labels API - User', 'version': 'v2', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
  EMAIL_AUDIT: {'name': 'Email Audit API', 'version': 'v1', 'v2discovery': False},
  FORMS: {'name': 'Forms API', 'version': 'v1', 'v2discovery': True},
  GMAIL: {'name': 'Gmail API', 'version': 'v1', 'v2discovery': True},
-  GROUPSMIGRATION: {'name': 'Groups Migration API', 'version': 'v1', 'v2discovery': False},
+  GROUPSMIGRATION: {'name': 'Groups Migration API', 'version': 'v1', 'v2discovery': True},
  GROUPSSETTINGS: {'name': 'Groups Settings API', 'version': 'v1', 'v2discovery': True},
  IAM: {'name': 'Identity and Access Management API', 'version': 'v1', 'v2discovery': True},
  IAM_CREDENTIALS: {'name': 'Identity and Access Management Credentials API', 'version': 'v1', 'v2discovery': True},
-  IAP: {'name': 'Cloud Identity-Aware Proxy API', 'version': 'v1', 'v2discovery': True},
  KEEP: {'name': 'Keep API', 'version': 'v1', 'v2discovery': True},
  LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
  LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
  MEET: {'name': 'Meet API', 'version': 'v2', 'v2discovery': True},
+  MEET_BETA: {'name': 'Meet API', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
  OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
  ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
  PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
@@ -269,7 +264,6 @@ _INFO = {
  SERVICEUSAGE: {'name': 'Service Usage API', 'version': 'v1', 'v2discovery': True},
  SHEETS: {'name': 'Sheets API', 'version': 'v4', 'v2discovery': True},
  SHEETSTD: {'name': 'Sheets API - todrive', 'version': 'v4', 'v2discovery': True, 'mappedAPI': SHEETS},
-  SITES: {'name': 'Sites API', 'version': 'v1', 'v2discovery': False},
  SITEVERIFICATION: {'name': 'Site Verification API', 'version': 'v1', 'v2discovery': True},
  STORAGE: {'name': 'Cloud Storage API', 'version': 'v1', 'v2discovery': True},
  STORAGEREAD: {'name': 'Cloud Storage API - Read', 'version': 'v1', 'v2discovery': True, 'mappedAPI': STORAGE},
@@ -298,6 +292,10 @@ _CLIENT_SCOPES = [
   'api': CHROMEMANAGEMENT_APPDETAILS,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/chrome.management.appdetails.readonly'},
+  {'name': 'Chrome Management API - Profiles',
+   'api': CHROMEMANAGEMENT_CHROMEPROFILES,
+   'subscopes': READONLY,
+   'scope': 'https://www.googleapis.com/auth/chrome.management.profiles'},
  {'name': 'Chrome Management API - Telemetry read only',
   'api': CHROMEMANAGEMENT_TELEMETRY,
   'subscopes': [],
@@ -359,6 +357,10 @@ _CLIENT_SCOPES = [
   'api': CLOUDIDENTITY_GROUPS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
+  {'name': 'Cloud Identity Groups API Beta (Enables group locking/unlocking)',
+   'api': CLOUDIDENTITY_GROUPS_BETA,
+   'subscopes': [],
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
  {'name': 'Cloud Identity - Inbound SSO Settings',
   'api': CLOUDIDENTITY_INBOUND_SSO,
   'subscopes': READONLY,
@@ -367,6 +369,12 @@ _CLIENT_SCOPES = [
   'api': CLOUDIDENTITY_ORGUNITS_BETA,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.orgunits'},
+  {'name': 'Cloud Identity - Policy',
+   'api': CLOUDIDENTITY_POLICY,
+   'subscopes': READONLY,
+   'roByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'
+  },
  {'name': 'Cloud Identity User Invitations API',
   'api': CLOUDIDENTITY_USERINVITATIONS,
   'subscopes': READONLY,
@@ -487,12 +495,8 @@ _CLIENT_SCOPES = [
  {'name': 'Site Verification API',
   'api': SITEVERIFICATION,
   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/siteverification'},
-  {'name': 'Sites API',
-   'api': SITES,
-   'subscopes': [],
   'offByDefault': True,
-   'scope': 'https://sites.google.com/feeds'},
+   'scope': 'https://www.googleapis.com/auth/siteverification'},
  {'name': 'Vault API',
   'api': VAULT,
   'subscopes': READONLY,
@@ -525,10 +529,6 @@ _SVCACCT_SCOPES = [
   'api': ALERTCENTER,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/apps.alerts'},
-  {'name': 'Analytics API - read only',
-   'api': ANALYTICS,
-   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/analytics.readonly'},
  {'name': 'Analytics Admin API - read only',
   'api': ANALYTICS_ADMIN,
   'subscopes': [],
@@ -613,11 +613,11 @@ _SVCACCT_SCOPES = [
   'api': DRIVEACTIVITY,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/drive.activity'},
-  {'name': 'Drive Labels API v2beta - Admin',
+  {'name': 'Drive Labels API - Admin',
   'api': DRIVELABELS_ADMIN,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/drive.admin.labels'},
-  {'name': 'Drive Labels API v2beta - User',
+  {'name': 'Drive Labels API - User',
   'api': DRIVELABELS_USER,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/drive.labels'},
@@ -660,7 +660,8 @@ _SVCACCT_SCOPES = [
  {'name': 'Meet API',
   'api': MEET,
   'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/meetings.space.created'},
+   'scope': 'https://www.googleapis.com/auth/meetings.space.created',
+   'roscope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
  {'name': 'OAuth2 API',
   'api': OAUTH2,
   'subscopes': [],
@@ -681,10 +682,6 @@ _SVCACCT_SCOPES = [
   'api': SHEETS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/spreadsheets'},
-  {'name': 'Sites API',
-   'api': SITES,
-   'subscopes': [],
-   'scope': 'https://sites.google.com/feeds'},
  {'name': 'Tasks API',
   'api': TASKS,
   'subscopes': READONLY,
@@ -697,10 +694,6 @@ _SVCACCT_SCOPES = [
  ]

 _SVCACCT_SPECIAL_SCOPES = [
-  {'name': 'Cloud Resource Manager API v3',
-   'api': CLOUDRESOURCEMANAGER,
-   'subscopes': [],
-   'scope': CLOUD_PLATFORM_SCOPE},
  {'name': 'Drive API - todrive',
   'api': DRIVETD,
   'subscopes': [],
--- a/src/gam/gamlib/glcfg.py
+++ b/src/gam/gamlib/glcfg.py
@@ -117,6 +117,8 @@ CSV_OUTPUT_HEADER_FILTER = 'csv_output_header_filter'
 CSV_OUTPUT_HEADER_DROP_FILTER = 'csv_output_header_drop_filter'
 # Force output column headers
 CSV_OUTPUT_HEADER_FORCE = 'csv_output_header_force'
+# Orde output column headers
+CSV_OUTPUT_HEADER_ORDER = 'csv_output_header_order'
 # Line terminator in CSV output file
 CSV_OUTPUT_LINE_TERMINATOR = 'csv_output_line_terminator'
 # Quote character in CSV output file
@@ -175,8 +177,14 @@ INTER_BATCH_WAIT = 'inter_batch_wait'
 LICENSE_MAX_RESULTS = 'license_max_results'
 # License SKUs to process
 LICENSE_SKUS = 'license_skus'
+# Use Meet V2 beta
+MEET_V2_BETA = 'meet_v2_beta'
 # When retrieving lists of Google Group members from API, how many should be retrieved in each chunk
 MEMBER_MAX_RESULTS = 'member_max_results'
+# CI API Group members max page size when view=BASIC
+MEMBER_MAX_RESULTS_CI_BASIC = 'member_max_results_ci_basic'
+# CI API Group members max page size when view=FULL
+MEMBER_MAX_RESULTS_CI_FULL = 'member_max_results_ci_full'
 # When deleting or modifying Gmail messages, how many should be processed in each batch
 MESSAGE_BATCH_SIZE = 'message_batch_size'
 # When retrieving lists of Gmail messages from API, how many should be retrieved in each chunk
@@ -309,7 +317,8 @@ CSV_INPUT_ROW_FILTER_ITEMS = {CSV_INPUT_ROW_FILTER, CSV_INPUT_ROW_FILTER_MODE,
                              CSV_INPUT_ROW_DROP_FILTER, CSV_INPUT_ROW_DROP_FILTER_MODE,
                              CSV_INPUT_ROW_LIMIT}

-CSV_OUTPUT_ROW_FILTER_ITEMS = {CSV_OUTPUT_HEADER_FILTER, CSV_OUTPUT_HEADER_DROP_FILTER, CSV_OUTPUT_HEADER_FORCE,
+CSV_OUTPUT_ROW_FILTER_ITEMS = {CSV_OUTPUT_HEADER_FILTER, CSV_OUTPUT_HEADER_DROP_FILTER,
+                               CSV_OUTPUT_HEADER_FORCE, CSV_OUTPUT_HEADER_ORDER,
                               CSV_OUTPUT_ROW_FILTER, CSV_OUTPUT_ROW_FILTER_MODE,
                               CSV_OUTPUT_ROW_DROP_FILTER, CSV_OUTPUT_ROW_DROP_FILTER_MODE,
                               CSV_OUTPUT_ROW_LIMIT}
@@ -351,6 +360,7 @@ Defaults = {
  CSV_OUTPUT_HEADER_FILTER: '',
  CSV_OUTPUT_HEADER_DROP_FILTER: '',
  CSV_OUTPUT_HEADER_FORCE: '',
+  CSV_OUTPUT_HEADER_ORDER: '',
  CSV_OUTPUT_LINE_TERMINATOR: 'lf',
  CSV_OUTPUT_QUOTE_CHAR: '\'"\'',
  CSV_OUTPUT_ROW_FILTER: '',
@@ -380,7 +390,10 @@ Defaults = {
  INTER_BATCH_WAIT: '0',
  LICENSE_MAX_RESULTS: '100',
  LICENSE_SKUS: '',
+  MEET_V2_BETA: FALSE,
  MEMBER_MAX_RESULTS: '200',
+  MEMBER_MAX_RESULTS_CI_BASIC: '1000',
+  MEMBER_MAX_RESULTS_CI_FULL: '500',
  MESSAGE_BATCH_SIZE: '50',
  MESSAGE_MAX_RESULTS: '500',
  MOBILE_MAX_RESULTS: '100',
@@ -460,6 +473,7 @@ TYPE_FILE = 'file'
 TYPE_FLOAT = 'floa'
 TYPE_HEADERFILTER = 'heaf'
 TYPE_HEADERFORCE = 'hefo'
+TYPE_HEADERORDER = 'heor'
 TYPE_INTEGER = 'inte'
 TYPE_LANGUAGE = 'lang'
 TYPE_LOCALE = 'locl'
@@ -514,6 +528,7 @@ VAR_INFO = {
  CSV_OUTPUT_HEADER_FILTER: {VAR_TYPE: TYPE_HEADERFILTER},
  CSV_OUTPUT_HEADER_DROP_FILTER: {VAR_TYPE: TYPE_HEADERFILTER},
  CSV_OUTPUT_HEADER_FORCE: {VAR_TYPE: TYPE_HEADERFORCE},
+  CSV_OUTPUT_HEADER_ORDER: {VAR_TYPE: TYPE_HEADERORDER},
  CSV_OUTPUT_LINE_TERMINATOR: {VAR_TYPE: TYPE_CHOICE, VAR_CHOICES: {'cr': '\r', 'lf': '\n', 'crlf': '\r\n'}},
  CSV_OUTPUT_QUOTE_CHAR: {VAR_TYPE: TYPE_CHARACTER},
  CSV_OUTPUT_ROW_FILTER: {VAR_TYPE: TYPE_ROWFILTER},
@@ -543,7 +558,10 @@ VAR_INFO = {
  INTER_BATCH_WAIT: {VAR_TYPE: TYPE_FLOAT, VAR_LIMITS: (0.0, 60.0)},
  LICENSE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (10, 1000)},
  LICENSE_SKUS: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
+  MEET_V2_BETA: {VAR_TYPE: TYPE_BOOLEAN},
  MEMBER_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
+  MEMBER_MAX_RESULTS_CI_BASIC: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
+  MEMBER_MAX_RESULTS_CI_FULL: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 500)},
  MESSAGE_BATCH_SIZE: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
  MESSAGE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 10000)},
  MOBILE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 100)},
--- a/src/gam/gamlib/glclargs.py
+++ b/src/gam/gamlib/glclargs.py
@@ -423,8 +423,6 @@ class GamCLArgs():
  ARG_ANALYTICDATASTREAMS = 'analyticdatastreams'
  ARG_ANALYTICPROPERTY = 'analyticproperty'
  ARG_ANALYTICPROPERTIES = 'analyticproperties'
-  ARG_ANALYTICUAPROPERTY = 'analyticuaproperty'
-  ARG_ANALYTICUAPROPERTIES = 'analyticuaproperties'
  ARG_API = 'api'
  ARG_APIS = 'apis'
  ARG_APIPROJECT = 'apiproject'
@@ -483,6 +481,8 @@ class GamCLArgs():
  ARG_CHROMEPOLICYIMAGE = 'chromepolicyimage'
  ARG_CHROMEPOLICY = 'chromepolicy'
  ARG_CHROMEPOLICIES = 'chromepolicies'
+  ARG_CHROMEPROFILE = 'chromeprofile'
+  ARG_CHROMEPROFILES = 'chromeprofiles'
  ARG_CHROMESCHEMA = 'chromeschema'
  ARG_CHROMESCHEMAS = 'chromeschemas'
  ARG_CHROMESNVALIDITY = 'chromesnvalidity'
@@ -493,6 +493,12 @@ class GamCLArgs():
  ARG_CIGROUPSMEMBERS = 'cigroupsmembers'
  ARG_CIMEMBER = 'cimember'
  ARG_CIMEMBERS = 'cimembers'
+  ARG_CIPOLICY = 'policy'
+  ARG_CIPOLICIES = 'policies'
+  ARG_CLASSIFICATIONLABEL = 'classificationlabel'
+  ARG_CLASSIFICATIONLABELS = 'classificationlabels'
+  ARG_CLASSIFICATIONLABELPERMISSION = 'classificationlabelpermission'
+  ARG_CLASSIFICATIONLABELPERMISSIONS = 'classificationlabelpermissions'
  ARG_CLASS = 'class'
  ARG_CLASSES = 'classes'
  ARG_CLASSPARTICIPANTS = 'classparticipants'
@@ -571,6 +577,8 @@ class GamCLArgs():
  ARG_DRIVELABELS = 'drivelabels'
  ARG_DRIVELABELPERMISSION = 'drivelabelpermission'
  ARG_DRIVELABELPERMISSIONS = 'drivelabelpermissions'
+  ARG_DRIVELASTMODIFICATION = 'drivelastmodification'
+  ARG_DRIVELASTMODIFICATIONS = 'drivelastmodifications'
  ARG_DRIVESETTINGS = 'drivesettings'
  ARG_DRIVETRASH = 'drivetrash'
  ARG_EMPTYDRIVEFOLDERS = 'emptydrivefolders'
@@ -608,7 +616,6 @@ class GamCLArgs():
  ARG_FORWARDS = 'forwards'
  ARG_FORWARDINGADDRESS = 'forwardingaddress'
  ARG_FORWARDINGADDRESSES = 'forwardingaddresses'
-  ARG_GAL = 'gal'
  ARG_GCPFOLDER = 'gcpfolder'
  ARG_GCPSERVICEACCOUNT = 'gcpserviceaccount'
  ARG_GMAIL = 'gmail'
@@ -840,9 +847,16 @@ class GamCLArgs():
  OB_CHAT_MESSAGE_ID = 'ChatMessageID'
  OB_CHAT_SPACE = 'ChatSpace'
  OB_CHAT_THREAD = 'ChatThread'
+  OB_CHROMEPROFILE_ID = 'ChromeProfileId'
  OB_CHROME_VERSION = 'ChromeVersion'
  OB_CIDR_NETMASK = 'CIDRnetmask'
  OB_CIGROUP_ALIAS_LIST = "CIGroupAliasList"
+  OB_CIPOLICY_NAME_ENTITY = 'CIPolicyNameEntity'
+  OB_CLASSIFICATION_LABEL_ID = 'ClassificationLabelID'
+  OB_CLASSIFICATION_LABEL_NAME = 'ClassificationLabelName'
+  OB_CLASSIFICATION_LABEL_PERMISSION_NAME = 'ClassificationLabelPermissionName'
+  OB_CLASSIFICATION_LABEL_FIELD_ID = 'ClassificationLabelFieldID'
+  OB_CLASSIFICATION_LABEL_SELECTION_ID_LIST = 'ClassificationLabelSelectionIDList'
  OB_CLASSROOM_INVITATION_ID_ENTITY = 'ClassroomInvitationIDEntity'
  OB_CLIENT_ID = 'ClientID'
  OB_COLLABORATOR_ITEM = 'CollaboratorItem'
@@ -896,11 +910,6 @@ class GamCLArgs():
  OB_DRIVE_FOLDER_NAME = 'DriveFolderName'
  OB_DRIVE_FOLDER_NAME_LIST = 'DriveFolderNameList'
  OB_DRIVE_FOLDER_PATH = 'DriveFolderPath'
-  OB_DRIVE_LABEL_ID = 'DriveLabelID'
-  OB_DRIVE_LABEL_NAME = 'DriveLabelName'
-  OB_DRIVE_LABEL_PERMISSION_NAME = 'DriveLabelPermissionName'
-  OB_DRIVE_LABEL_FIELD_ID = 'DriveLabelFieldID'
-  OB_DRIVE_LABEL_SELECTION_ID_LIST = 'DriveLabelSelectionIDList'
  OB_EMAIL_ADDRESS = 'EmailAddress'
  OB_EMAIL_ADDRESS_ENTITY = 'EmailAddressEntity'
  OB_EMAIL_ADDRESS_LIST = 'EmailAddressList'
@@ -914,6 +923,7 @@ class GamCLArgs():
  OB_EXPORT_ITEM = 'ExportItem'
  OB_FIELD_NAME = 'FieldName'
  OB_FIELD_NAME_LIST = "FieldNameList"
+  OB_FIELDS = 'Fields'
  OB_FILE_NAME = 'FileName'
  OB_FILE_NAME_FIELD_NAME = OB_FILE_NAME+'(:'+OB_FIELD_NAME+')+'
  OB_FILE_NAME_OR_URL = 'FileName|URL'
@@ -941,7 +951,6 @@ class GamCLArgs():
  OB_LABEL_ID_LIST = 'LabelIDLIst'
  OB_LABEL_NAME = 'LabelName'
  OB_LABEL_NAME_LIST = 'LabelNameList'
-  OB_LABEL_REPLACEMENT = 'LabelReplacement'
  OB_LANGUAGE_LIST = 'LanguageList'
  OB_LOOKERSTUDIO_PERMISSION_ENTITY = 'LookerStudioPermissionEntity'
  OB_MATTER_ITEM = 'MatterItem'
@@ -980,6 +989,7 @@ class GamCLArgs():
  OB_RESOURCE_ENTITY = 'ResourceEntity'
  OB_RESOURCE_ID = 'ResourceID'
  OB_RE_PATTERN = 'REPattern'
+  OB_RE_SUBSTITUTION = 'RESubstitution'
  OB_ROLE_ASSIGNMENT_ID = 'RoleAssignmentID'
  OB_ROLE_ITEM = 'RoleItem'
  OB_ROLE_LIST = 'RoleList'
@@ -1139,6 +1149,10 @@ class GamCLArgs():
      return f'Command: {self.QuotedArgumentList(self.argv[:self.argvI])} >>>{self.QuotedArgumentList([self.argv[self.argvI]])}<<< {self.QuotedArgumentList(self.argv[self.argvI+1:])}\n'
    return f'Command: {self.QuotedArgumentList(self.argv)} >>><<<\n'

+# Deprecated command
+  def CommandDeprecated(self):
+    return f'{self.QuotedArgumentList(self.argv)}\n'
+
 # Peek to see if next argument is in choices
  def PeekArgumentPresent(self, choices):
    if self.ArgumentsRemaining():
--- a/src/gam/gamlib/glentity.py
+++ b/src/gam/gamlib/glentity.py
@@ -25,14 +25,16 @@ class GamEntity():
  ROLE_MANAGER = 'MANAGER'
  ROLE_MEMBER = 'MEMBER'
  ROLE_OWNER = 'OWNER'
+  ROLE_LIST = [ROLE_MANAGER, ROLE_MEMBER, ROLE_OWNER]
  ROLE_USER = 'USER'
  ROLE_MANAGER_MEMBER = ','.join([ROLE_MANAGER, ROLE_MEMBER])
  ROLE_MANAGER_OWNER = ','.join([ROLE_MANAGER, ROLE_OWNER])
  ROLE_MEMBER_OWNER = ','.join([ROLE_MEMBER, ROLE_OWNER])
-  ROLE_MANAGER_MEMBER_OWNER = ','.join([ROLE_MANAGER, ROLE_MEMBER, ROLE_OWNER])
+  ROLE_MANAGER_MEMBER_OWNER = ','.join(ROLE_LIST)
  ROLE_PUBLIC = 'PUBLIC'
  ROLE_ALL = ROLE_MANAGER_MEMBER_OWNER

+  TYPE_CBCM_BROWSER = 'CBCM_BROWSER'
  TYPE_CUSTOMER = 'CUSTOMER'
  TYPE_EXTERNAL = 'EXTERNAL'
  TYPE_OTHER = 'OTHER'
@@ -59,7 +61,6 @@ class GamEntity():
  ANALYTIC_ACCOUNT_SUMMARY = 'anas'
  ANALYTIC_DATASTREAM = 'anad'
  ANALYTIC_PROPERTY = 'anap'
-  ANALYTIC_UA_PROPERTY = 'anau'
  API = 'api '
  APP_ACCESS_SETTINGS = 'apps'
  APP_ID = 'appi'
@@ -108,8 +109,15 @@ class GamEntity():
  CHROME_POLICY = 'cpol'
  CHROME_POLICY_IMAGE = 'cpim'
  CHROME_POLICY_SCHEMA = 'cpsc'
+  CHROME_PROFILE = 'cpro'
  CHROME_RELEASE = 'crel'
  CHROME_VERSION = 'cver'
+  CLASSIFICATION_LABEL = 'dlab'
+  CLASSIFICATION_LABEL_FIELD_ID = 'dlfi'
+  CLASSIFICATION_LABEL_ID = 'dlid'
+  CLASSIFICATION_LABEL_NAME = 'dlna'
+  CLASSIFICATION_LABEL_PERMISSION = 'dlpe'
+  CLASSIFICATION_LABEL_PERMISSION_NAME = 'dlpn'
  CLASSROOM_INVITATION = 'clai'
  CLASSROOM_INVITATION_OWNER = 'clio'
  CLASSROOM_INVITATION_STUDENT = 'clis'
@@ -193,12 +201,6 @@ class GamEntity():
  DRIVE_FOLDER_PATH = 'folp'
  DRIVE_FOLDER_RENAMED = 'forn'
  DRIVE_FOLDER_SHORTCUT = 'fols'
-  DRIVE_LABEL = 'dlab'
-  DRIVE_LABEL_FIELD_ID = 'dlfi'
-  DRIVE_LABEL_ID = 'dlid'
-  DRIVE_LABEL_NAME = 'dlna'
-  DRIVE_LABEL_PERMISSION = 'dlpe'
-  DRIVE_LABEL_PERMISSION_NAME = 'dlpn'
  DRIVE_ORPHAN_FILE_OR_FOLDER = 'orph'
  DRIVE_PARENT_FOLDER = 'fipf'
  DRIVE_PARENT_FOLDER_ID = 'fipi'
@@ -302,6 +304,7 @@ class GamEntity():
  PERMITTEE = 'prmt'
  PERSONAL_DEVICE = 'pedv'
  PHOTO = 'phot'
+  POLICY = 'poli'
  POP_ENABLED = 'popa'
  PRESENTATION = 'pres'
  PRINTER = 'prin'
@@ -338,8 +341,6 @@ class GamEntity():
  SHEET = 'shet'
  SHEET_ID = 'shti'
  SIGNATURE = 'sign'
-  SITE = 'site'
-  SITE_ACL = 'sacl'
  SIZE = 'size'
  SKU = 'sku '
  SMIME_ID = 'smid'
@@ -410,7 +411,6 @@ class GamEntity():
    ANALYTIC_ACCOUNT_SUMMARY: ['Analytic Account Summaries', 'Analytic Account Summary'],
    ANALYTIC_DATASTREAM: ['Analytic Datastreams', 'Analytic Datastream'],
    ANALYTIC_PROPERTY: ['Analytic GA4 Properties', 'Analytic GA4 Property'],
-    ANALYTIC_UA_PROPERTY: ['Analytic UA Properties', 'Analytic UA Property'],
    API: ['APIs', 'API'],
    APP_ACCESS_SETTINGS: ['Application Access Settings', 'Application Access Settings'],
    APP_ID: ['Application IDs', 'Application ID'],
@@ -459,8 +459,15 @@ class GamEntity():
    CHROME_POLICY: ['Chrome Policies', 'Chrome Policy'],
    CHROME_POLICY_IMAGE: ['Chrome Policy Images', 'Chrome Policy Image'],
    CHROME_POLICY_SCHEMA: ['Chrome Policy Schemas', 'Chrome Policy Schema'],
+    CHROME_PROFILE: ['Chrome Profiles', 'Chrome Profile'],
    CHROME_RELEASE: ['Chrome Releases', 'Chrome Release'],
    CHROME_VERSION: ['Chrome Versions', 'Chrome Version'],
+    CLASSIFICATION_LABEL: ['Classification Labels', 'Classification Label'],
+    CLASSIFICATION_LABEL_FIELD_ID: ['Classification Label Field IDs', 'Classification Label Field ID'],
+    CLASSIFICATION_LABEL_ID: ['Classification Label IDs', 'Classification Label ID'],
+    CLASSIFICATION_LABEL_NAME: ['Classification Label Names', 'Classification Label Name'],
+    CLASSIFICATION_LABEL_PERMISSION: ['Classification Label Permissions', 'Classification Label Permission'],
+    CLASSIFICATION_LABEL_PERMISSION_NAME: ['Classification Label Permission Names', 'Classification Label Permission Name'],
    CLASSROOM_INVITATION: ['Classroom Invitations', 'Classroom Invitation'],
    CLASSROOM_INVITATION_OWNER: ['Classroom Owner Invitations', 'Classroom Owner Invitation'],
    CLASSROOM_INVITATION_STUDENT: ['Classroom Student Invitations', 'Classroom Student Invitation'],
@@ -544,12 +551,6 @@ class GamEntity():
    DRIVE_FOLDER_PATH: ['Drive Folder Paths', 'Drive Folder Path'],
    DRIVE_FOLDER_RENAMED: ['Drive Folders Renamed', 'Drive Folder Renamed'],
    DRIVE_FOLDER_SHORTCUT: ['Drive Folder Shortcuts', 'Drive Folder Shortcut'],
-    DRIVE_LABEL: ['Drive Labels', 'Drive Label'],
-    DRIVE_LABEL_FIELD_ID: ['Drive Label Field IDs', 'Drive Label Field ID'],
-    DRIVE_LABEL_ID: ['Drive Label IDs', 'Drive Label ID'],
-    DRIVE_LABEL_NAME: ['Drive Label Names', 'Drive Label Name'],
-    DRIVE_LABEL_PERMISSION: ['Drive Label Permissions', 'Drive Label Permission'],
-    DRIVE_LABEL_PERMISSION_NAME: ['Drive Label Permission Names', 'Drive Label Permission Name'],
    DRIVE_ORPHAN_FILE_OR_FOLDER: ['Drive Orphan Files/Folders', 'Drive Orphan File/Folder'],
    DRIVE_PARENT_FOLDER: ['Drive Parent Folders', 'Drive Parent Folder'],
    DRIVE_PARENT_FOLDER_ID: ['Drive Parent Folder IDs', 'Drive Parent Folder ID'],
@@ -653,6 +654,7 @@ class GamEntity():
    PERMITTEE: ['Permittees', 'Permittee'],
    PERSONAL_DEVICE: ['Personal Devices', 'Personal Device'],
    PHOTO: ['Photos', 'Photo'],
+    POLICY: ['Policies', 'Policy'],
    POP_ENABLED: ['POP Enabled', 'POP Enabled'],
    PRESENTATION: ['Presentations', 'Presentation'],
    PRINTER: ['Printers', 'Printer'],
@@ -689,8 +691,6 @@ class GamEntity():
    SHEET: ['Sheets', 'Sheet'],
    SHEET_ID: ['Sheet IDs', 'Sheet ID'],
    SIGNATURE: ['Signatures', 'Signature'],
-    SITE: ['Sites', 'Site'],
-    SITE_ACL: ['Site ACLs', 'Site ACL'],
    SIZE: ['Sizes', 'Size'],
    SKU: ['SKUs', 'SKU'],
    SMIME_ID: ['S/MIME Certificate IDs', 'S/MIME Certificate ID'],
--- a/src/gam/gamlib/glgapi.py
+++ b/src/gam/gamlib/glgapi.py
@@ -37,6 +37,7 @@ CANNOT_CHANGE_OWNER_ACL = 'cannotChangeOwnerAcl'
 CANNOT_CHANGE_OWN_PRIMARY_SUBSCRIPTION = 'cannotChangeOwnPrimarySubscription'
 CANNOT_COPY_FILE = 'cannotCopyFile'
 CANNOT_DELETE_ONLY_REVISION = 'cannotDeleteOnlyRevision'
+CANNOT_DELETE_PERMISSION = 'cannotDeletePermission'
 CANNOT_DELETE_PRIMARY_CALENDAR = 'cannotDeletePrimaryCalendar'
 CANNOT_DELETE_PRIMARY_SENDAS = 'cannotDeletePrimarySendAs'
 CANNOT_DELETE_RESOURCE_WITH_CHILDREN = 'cannotDeleteResourceWithChildren'
@@ -47,6 +48,7 @@ CANNOT_MOVE_TRASHED_ITEM_INTO_TEAMDRIVE = 'cannotMoveTrashedItemIntoTeamDrive'
 CANNOT_MOVE_TRASHED_ITEM_OUT_OF_TEAMDRIVE = 'cannotMoveTrashedItemOutOfTeamDrive'
 CANNOT_REMOVE_OWNER = 'cannotRemoveOwner'
 CANNOT_SET_EXPIRATION = 'cannotSetExpiration'
+CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN = 'cannotSetExpirationOnAnyoneOrDomain'
 CANNOT_SHARE_GROUPS_WITHLINK = 'cannotShareGroupsWithLink'
 CANNOT_SHARE_USERS_WITHLINK = 'cannotShareUsersWithLink'
 CANNOT_SHARE_TEAMDRIVE_TOPFOLDER_WITH_ANYONEORDOMAINS = 'cannotShareTeamDriveTopFolderWithAnyoneOrDomains'
@@ -70,6 +72,7 @@ DOMAIN_POLICY = 'domainPolicy'
 DOWNLOAD_QUOTA_EXCEEDED = 'downloadQuotaExceeded'
 DUPLICATE = 'duplicate'
 EVENT_DURATION_EXCEEDS_LIMIT = 'eventDurationExceedsLimit'
+EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE = 'expirationDatesMustBeInTheFuture'
 EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS = 'expirationDateNotAllowedForSharedDriveMembers'
 FAILED_PRECONDITION = 'failedPrecondition'
 FIELD_IN_USE = 'fieldInUse'
@@ -184,7 +187,7 @@ DEFAULT_RETRY_REASONS = [QUOTA_EXCEEDED, RATE_LIMIT_EXCEEDED, SHARING_RATE_LIMIT
                         BACKEND_ERROR, BAD_GATEWAY, GATEWAY_TIMEOUT, INTERNAL_ERROR, TRANSIENT_ERROR]
 SERVICE_NOT_AVAILABLE_RETRY_REASONS = [SERVICE_NOT_AVAILABLE]
 ACTIVITY_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST]
-ALERT_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR]
+ALERT_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR, PERMISSION_DENIED]
 CALENDAR_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR, NOT_A_CALENDAR_USER]
 CIGROUP_CREATE_THROW_REASONS = [SERVICE_NOT_AVAILABLE, ALREADY_EXISTS, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, INVALID, INVALID_ARGUMENT, PERMISSION_DENIED, FAILED_PRECONDITION]
 CIGROUP_GET_THROW_REASONS = [SERVICE_NOT_AVAILABLE, NOT_FOUND, GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, BAD_REQUEST, INVALID, SYSTEM_ERROR, PERMISSION_DENIED]
@@ -210,7 +213,8 @@ DRIVE_COPY_THROW_REASONS = DRIVE_ACCESS_THROW_REASONS+[CANNOT_COPY_FILE, BAD_REQ
                                                       STORAGE_QUOTA_EXCEEDED, TEAMDRIVE_FILE_LIMIT_EXCEEDED, TEAMDRIVE_HIERARCHY_TOO_DEEP]
 DRIVE_GET_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, DOWNLOAD_QUOTA_EXCEEDED]
 DRIVE3_CREATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID, INVALID_SHARING_REQUEST, OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED,
-                                   CANNOT_SET_EXPIRATION, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
+                                   CANNOT_SET_EXPIRATION, CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN,
+                                   EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
                                   NOT_FOUND, TEAMDRIVE_DOMAIN_USERS_ONLY_RESTRICTION, TEAMDRIVE_TEAM_MEMBERS_ONLY_RESTRICTION,
                                   TARGET_USER_ROLE_LIMITED_BY_LICENSE_RESTRICTION, INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
                                   PUBLISH_OUT_NOT_PERMITTED, SHARE_IN_NOT_PERMITTED, SHARE_OUT_NOT_PERMITTED, SHARE_OUT_NOT_PERMITTED_TO_USER,
@@ -227,7 +231,8 @@ DRIVE3_GET_ACL_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, FORBIDDEN, IN
                                                   INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
                                                   UNKNOWN_ERROR, INVALID]
 DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANNOT_REMOVE_OWNER,
-                                   CANNOT_SET_EXPIRATION, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
+                                   CANNOT_SET_EXPIRATION, CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN,
+                                   EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
                                   OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED,
                                   NOT_FOUND, TEAMDRIVE_DOMAIN_USERS_ONLY_RESTRICTION, TEAMDRIVE_TEAM_MEMBERS_ONLY_RESTRICTION,
                                   TARGET_USER_ROLE_LIMITED_BY_LICENSE_RESTRICTION, INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
@@ -246,7 +251,7 @@ DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANN
 DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, CANNOT_REMOVE_OWNER,
                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION,
                                   INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
-                                   NOT_FOUND, PERMISSION_NOT_FOUND]
+                                   NOT_FOUND, PERMISSION_NOT_FOUND, CANNOT_DELETE_PERMISSION]
 DRIVE3_MODIFY_LABEL_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
                                                              FILE_NEVER_WRITABLE, APPLY_LABEL_FORBIDDEN,
                                                              INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
@@ -268,17 +273,17 @@ GROUP_SETTINGS_THROW_REASONS = [NOT_FOUND, GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DO
 GROUP_SETTINGS_RETRY_REASONS = [INVALID, SERVICE_LIMIT, SERVICE_NOT_AVAILABLE]
 GROUP_LIST_THROW_REASONS = [RESOURCE_NOT_FOUND, DOMAIN_NOT_FOUND, FORBIDDEN, BAD_REQUEST]
 GROUP_LIST_USERKEY_THROW_REASONS = GROUP_LIST_THROW_REASONS+[INVALID_MEMBER, INVALID_INPUT]
-KEEP_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST, PERMISSION_DENIED, INVALID_ARGUMENT, NOT_FOUND]
+KEEP_THROW_REASONS = [AUTH_ERROR, BAD_REQUEST, PERMISSION_DENIED, INVALID_ARGUMENT, NOT_FOUND]
 LOOKERSTUDIO_THROW_REASONS = [INVALID_ARGUMENT, SERVICE_NOT_AVAILABLE, BAD_REQUEST, NOT_FOUND, PERMISSION_DENIED, INTERNAL_ERROR]
 MEMBERS_THROW_REASONS = [GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, INVALID, FORBIDDEN, SERVICE_NOT_AVAILABLE]
 MEMBERS_RETRY_REASONS = [SYSTEM_ERROR, SERVICE_NOT_AVAILABLE]
 ORGUNIT_GET_THROW_REASONS = [INVALID_ORGUNIT, ORGUNIT_NOT_FOUND, BACKEND_ERROR, BAD_REQUEST, INVALID_CUSTOMER_ID, LOGIN_REQUIRED]
-PEOPLE_ACCESS_THROW_REASONS = [SERVICE_NOT_AVAILABLE, FORBIDDEN, PERMISSION_DENIED]
+PEOPLE_ACCESS_THROW_REASONS = [SERVICE_NOT_AVAILABLE, FORBIDDEN, PERMISSION_DENIED, FAILED_PRECONDITION]
 RESELLER_THROW_REASONS = [BAD_REQUEST, RESOURCE_NOT_FOUND, FORBIDDEN, INVALID]
 SHEETS_ACCESS_THROW_REASONS = DRIVE_USER_THROW_REASONS+[NOT_FOUND, PERMISSION_DENIED, FORBIDDEN, INTERNAL_ERROR, INSUFFICIENT_FILE_PERMISSIONS,
                                                        BAD_REQUEST, INVALID, INVALID_ARGUMENT, FAILED_PRECONDITION]
-TASK_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
-TASKLIST_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
+TASK_THROW_REASONS = [BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
+TASKLIST_THROW_REASONS = [BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
 USER_GET_THROW_REASONS = [USER_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, BAD_REQUEST, SYSTEM_ERROR]
 YOUTUBE_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR, UNSUPPORTED_SUPERVISED_ACCOUNT, UNSUPPORTED_LANGUAGE_CODE, CONTENT_OWNER_ACCOUNT_NOT_FOUND]

@@ -299,6 +304,7 @@ REASON_MESSAGE_MAP = {
    ('userId', USER_NOT_FOUND),
    ('memberKey', INVALID_MEMBER),
    ('A system error has occurred', SYSTEM_ERROR),
+    ('Expiration dates must be in the future', EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE),
    ('Invalid attribute value', INVALID_ATTRIBUTE_VALUE),
    ('Invalid Customer Id', INVALID_CUSTOMER_ID),
    ('Invalid Input: INVALID_OU_ID', INVALID_ORGUNIT),
@@ -382,6 +388,8 @@ class cannotCopyFile(Exception):
  pass
 class cannotDeleteOnlyRevision(Exception):
  pass
+class cannotDeletePermission(Exception):
+  pass
 class cannotDeletePrimaryCalendar(Exception):
  pass
 class cannotDeletePrimarySendAs(Exception):
@@ -402,6 +410,8 @@ class cannotRemoveOwner(Exception):
  pass
 class cannotSetExpiration(Exception):
  pass
+class cannotSetExpirationOnAnyoneOrDomain(Exception):
+  pass
 class cannotShareGroupsWithLink(Exception):
  pass
 class cannotShareUsersWithLink(Exception):
@@ -446,6 +456,8 @@ class duplicate(Exception):
  pass
 class eventDurationExceedsLimit(Exception):
  pass
+class expirationDatesMustBeInTheFuture(Exception):
+  pass
 class expirationDateNotAllowedForSharedDriveMembers(Exception):
  pass
 class failedPrecondition(Exception):
@@ -676,6 +688,7 @@ REASON_EXCEPTION_MAP = {
  CANNOT_CHANGE_OWN_PRIMARY_SUBSCRIPTION: cannotChangeOwnPrimarySubscription,
  CANNOT_COPY_FILE: cannotCopyFile,
  CANNOT_DELETE_ONLY_REVISION: cannotDeleteOnlyRevision,
+  CANNOT_DELETE_PERMISSION: cannotDeletePermission,
  CANNOT_DELETE_PRIMARY_CALENDAR: cannotDeletePrimaryCalendar,
  CANNOT_DELETE_PRIMARY_SENDAS: cannotDeletePrimarySendAs,
  CANNOT_DELETE_RESOURCE_WITH_CHILDREN: cannotDeleteResourceWithChildren,
@@ -686,6 +699,7 @@ REASON_EXCEPTION_MAP = {
  CANNOT_MOVE_TRASHED_ITEM_OUT_OF_TEAMDRIVE: cannotMoveTrashedItemOutOfTeamDrive,
  CANNOT_REMOVE_OWNER: cannotRemoveOwner,
  CANNOT_SET_EXPIRATION: cannotSetExpiration,
+  CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN: cannotSetExpirationOnAnyoneOrDomain,
  CANNOT_SHARE_GROUPS_WITHLINK: cannotShareGroupsWithLink,
  CANNOT_SHARE_USERS_WITHLINK: cannotShareUsersWithLink,
  CANNOT_SHARE_TEAMDRIVE_TOPFOLDER_WITH_ANYONEORDOMAINS: cannotShareTeamDriveTopFolderWithAnyoneOrDomains,
@@ -708,6 +722,7 @@ REASON_EXCEPTION_MAP = {
  DOWNLOAD_QUOTA_EXCEEDED: downloadQuotaExceeded,
  DUPLICATE: duplicate,
  EVENT_DURATION_EXCEEDS_LIMIT: eventDurationExceedsLimit,
+  EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE: expirationDatesMustBeInTheFuture,
  EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS: expirationDateNotAllowedForSharedDriveMembers,
  FAILED_PRECONDITION: failedPrecondition,
  FIELD_IN_USE: fieldInUse,
--- a/src/gam/gamlib/glglobals.py
+++ b/src/gam/gamlib/glglobals.py
@@ -23,8 +23,10 @@
 # The following GM_XXX constants are arbitrary but must be unique
 # Most errors print a message and bail out with a return code
 # Some commands want to set a non-zero return code but not bail
-# GAM admin user
-ADMIN = 'admin'
+# GAM admin user from oauth2.txt or oauth2service.json
+ADMIN = 'admn'
+# Drive service for admin; used to look up Shared Drive Names
+ADMIN_DRIVE = 'addr'
 # Number/length of API call retries
 API_CALLS_RETRY_DATA = 'rtry'
 # GAM cache directory. If no_cache is True, this variable will be set to None
@@ -65,6 +67,8 @@ CSV_OUTPUT_HEADER_DROP_FILTER = 'cohd'
 CSV_OUTPUT_HEADER_FILTER = 'cohf'
 # Force output column headers
 CSV_OUTPUT_HEADER_FORCE = 'cofh'
+# Order output column headers
+CSV_OUTPUT_HEADER_ORDER = 'coho'
 # No escape character in CSV output file
 CSV_OUTPUT_NO_ESCAPE_CHAR = 'cone'
 # Quote character in CSV output file
@@ -80,7 +84,9 @@ CSV_OUTPUT_ROW_FILTER_MODE = 'corm'
 # Limit number of output rows
 CSV_OUTPUT_ROW_LIMIT = 'corl'
 # Add timestamp column to CSV output file
-CSV_OUTPUT_TIMESTAMP_COLUMN = 'csv_output_timestamp_column'
+CSV_OUTPUT_TIMESTAMP_COLUMN = 'cotc'
+# Transpose output rows/columns
+CSV_OUTPUT_TRANSPOSE = 'cotr'
 # Output sort headers
 CSV_OUTPUT_SORT_HEADERS = 'cosh'
 # CSV todrive options
@@ -213,6 +219,7 @@ REDIRECT_QUEUE_EOF = 'eof'
 #
 Globals = {
  ADMIN: None,
+  ADMIN_DRIVE: None,
  API_CALLS_RETRY_DATA: {},
  CACHE_DIR: None,
  CACHE_DISCOVERY_ONLY: True,
@@ -235,6 +242,7 @@ Globals = {
  CSV_OUTPUT_HEADER_DROP_FILTER: [],
  CSV_OUTPUT_HEADER_FILTER: [],
  CSV_OUTPUT_HEADER_FORCE: [],
+  CSV_OUTPUT_HEADER_ORDER: [],
  CSV_OUTPUT_NO_ESCAPE_CHAR: None,
  CSV_OUTPUT_QUOTE_CHAR: None,
  CSV_OUTPUT_ROW_DROP_FILTER: [],
@@ -244,6 +252,7 @@ Globals = {
  CSV_OUTPUT_ROW_LIMIT: 0,
  CSV_OUTPUT_SORT_HEADERS: [],
  CSV_OUTPUT_TIMESTAMP_COLUMN: None,
+  CSV_OUTPUT_TRANSPOSE: False,
  CSV_TODRIVE: {},
  CURRENT_API_SERVICES: {},
  CURRENT_CLIENT_API: None,
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -40,21 +40,43 @@ sign in as {0} and accept the Terms of Service (ToS). As soon as you've accepted

 PROJECT_STILL_BEING_CREATED_SLEEPING = 'Project still being created. Sleeping {0} seconds\n'
 FAILED_TO_CREATE_PROJECT = 'Failed to create project: {0}\n'
-SETTING_GAM_PROJECT_CONSENT_SCREEN = 'Setting GAM project consent screen...\n'
-CREATE_PROJECT_INSTRUCTIONS = '''
+SETTING_GAM_PROJECT_CONSENT_SCREEN_CREATING_CLIENT = 'Setting GAM project consent screen, creating client...\n'
+CREATE_CLIENT_INSTRUCTIONS = '''
 Please go to:

  {0}

-1. Choose "Desktop App" or "Other" for "Application type".
-2. Enter "GAM" or another desired value for "Name".
-3. Click the blue "Create" button.
-4. Copy your "Client ID" value that shows on the next page.
+ 1. If "+ CREATE CLIENT" is on the screen, skip to step 14
+ 2. Click "GET STARTED"
+ 3. Under "App Information", enter {1} or another value in "App name *"
+ 4. Under "App Information", enter {2} in "User support email *"
+ 5. Click "NEXT"
+ 6. Under "Audience", choose INTERNAL
+ 7. Click "NEXT"
+ 8. Under, "Contact Information", enter an email address in "Email addresses *"
+ 9. Click "NEXT"
+10. Under "Finish", click "I agree to the Google API Services: User Data Policy."
+11. Click "CONTINUE"
+12. Click "CREATE"
+13. Click "Clients" in the left-hand column
+14. Click "+ CREATE CLIENT"
+15. Choose "Desktop App" for "Application type"
+16. Enter {1} or another value in "Name *"
+17. Click "Create"
+18. Under "Name", click your client name
+19. Copy the "Client ID" value under "Additional information"
+20. Paste it at the "Enter your Client ID: " prompt in your terminal
+21. Press return/enter in your terminal
+22. Switch back to the browser
+23. Copy the "Client secret" value under "Client Secrets"
+24. Paste it at the "Enter your Client Secret: " prompt in your terminal
+25. Press return/enter in your terminal
+26. Switch back to the browser
+27. Click "OK"
+28. These steps are complete
 '''
 ENTER_YOUR_CLIENT_ID = '\nEnter your Client ID: '
-GO_BACK_TO_YOUR_BROWSER_AND_COPY_YOUR_CLIENT_SECRET_VALUE = '\n5. Go back to your browser and copy your "Client Secret" value.\n'
 ENTER_YOUR_CLIENT_SECRET = '\nEnter your Client Secret: '
-GO_BACK_TO_YOUR_BROWSER_AND_CLICK_OK_TO_CLOSE_THE_OAUTH_CLIENT_POPUP = '\n6. Go back to your browser and click OK to close the "OAuth client" popup if it\'s still open.\n'
 IS_NOT_A_VALID_CLIENT_ID = '''

 {0}
@@ -78,12 +100,12 @@ Please go to:

  https://admin.google.com/ac/owl/list?tab=configuredApps

-1. Click on: Configure new app > OAuth App Name Or Client ID.
-2. Enter the following Client ID value:
+1. Click on: Configure new app
+2. Enter the following Client ID value in Search for app:

  {1}

-3. Press Search, select the {0} app, press Select, check the box and press Select.
+3. Press Search, select the {0} app, click
 4. Keep the default scope or select a preferred scope that includes your GAM admin.
 5. Press Continue
 6. Select Trusted radio button, press Continue and Finish.
@@ -96,7 +118,7 @@ Your workspace is configured to disable service account private key uploads.

 Please go to:

-  https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#authorize-service-account-key-uploads
+  https://github.com/GAM-team/GAM/wiki/Authorization#authorize-service-account-key-uploads

 Follow the steps to allow a service account private key upload for the project ({0}) just created.
 Once those steps are completed, you can continue with your project authentication.
@@ -162,7 +184,7 @@ ALREADY_EXISTS_USE_MERGE_ARGUMENT = 'Already exists; use the "merge" argument to
 API_ACCESS_DENIED = 'API access Denied'
 API_CALLS_RETRY_DATA = 'API calls retry data\n'
 API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
-API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client name: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
+API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
 API_ERROR_SETTINGS = 'API error, some settings not set'
 ARE_BOTH_REQUIRED = 'Arguments {0} and {1} are both required'
 ARE_MUTUALLY_EXCLUSIVE = 'Arguments {0} and {1} are mutually exclusive'
@@ -265,6 +287,7 @@ GAM_OUT_OF_MEMORY = 'GAM has run out of memory. If this is a large Google Worksp
 GENERATING_NEW_PRIVATE_KEY = 'Generating new private key'
 GETTING = 'Getting'
 GETTING_ALL = 'Getting all'
+GRANTING_RIGHTS_TO_ROTATE_ITS_OWN_PRIVATE_KEY = '{0} rights to rotate its own private key'
 GOOGLE_DELEGATION_ERROR = 'Google delegation error, delegator and delegate both exist and are valid for delegation'
 GOT = 'Got'
 GROUP_MAPS_TO_MULTIPLE_OUS = 'File: {0}, Group: {1} references multiple OUs: {2}'
@@ -272,13 +295,12 @@ GROUP_MAPS_TO_OU_INVALID_ROW = 'File: {0}, Invalid row, must contain non-blank <
 GUARDIAN_INVITATION_STATUS_NOT_PENDING = 'Guardian invitation status is not PENDING'
 HAS_CHILD_ORGS = 'Has child {0}'
 HAS_INVALID_FORMAT = '{0}: {1}, Has invalid format'
-HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY = 'Giving account {0} rights to rotate {1} private key'
 HEADER_NOT_FOUND_IN_CSV_HEADERS = 'Header "{0}" not found in CSV headers of "{1}".'
 HELP_SYNTAX = 'Help: Syntax in file {0}\n'
 HELP_WIKI = 'Help: Documentation is at {0}\n'
 IGNORED = 'Ignored'
 INSTRUCTIONS_CLIENT_SECRETS_JSON = 'Please run\n\ngam create|use project\ngam oauth create\n\nto create and authorize a Client account.\n'
-INSTRUCTIONS_OAUTH2SERVICE_JSON = 'Please run\n\ngam create|use project\ngam user <user> check serviceaccount\n\nto create and authorize a Service account.\n'
+INSTRUCTIONS_OAUTH2SERVICE_JSON = 'Please run\n\ngam create|use project\ngam user <user> update serviceaccount\n\nto create and authorize a Service account.\n'
 INSUFFICIENT_PERMISSIONS_TO_PERFORM_TASK = 'Insufficient permissions to perform this task'
 INTER_BATCH_WAIT_INCREASED = 'inter_batch_wait increased to {0:.2f}'
 INVALID = 'Invalid'
@@ -300,7 +322,7 @@ INVALID_NUMBER_OF_CHAT_SPACE_MEMBERS = '{0} type {1} number of members, {2}, mus
 INVALID_ORGUNIT = 'Invalid Organizational Unit'
 INVALID_PATH = 'Invalid Path'
 INVALID_PERMISSION_ATTRIBUTE_TYPE = 'permission attribute {0} not allowed with type {1}'
-INVALID_REGION = 'See: https://github.com/taers232c/GAMADV-XTD3/wiki/Context-Aware-Access-Levels#caa-region-codes'
+INVALID_REGION = 'See: https://github.com/GAM-team/GAM/wiki/Context-Aware-Access-Levels#caa-region-codes'
 INVALID_QUERY = 'Invalid Query'
 INVALID_RE = 'Invalid RE'
 INVALID_REQUEST = 'Invalid Request'
@@ -446,6 +468,10 @@ REFUSING_TO_DEPROVISION_DEVICES = 'Refusing to deprovision {0} devices because a
 REPLY_TO_CUSTOM_REQUIRES_EMAIL_ADDRESS = 'replyto REPLY_TO_CUSTOM requires customReplyTo <EmailAddress>'
 REQUEST_COMPLETED_NO_FILES = 'Request completed but no results/files were returned, try requesting again'
 REQUEST_NOT_COMPLETE = 'Request needs to be completed before downloading, current status is: {0}'
+RERUN_THE_COMMAND_AND_SPECIFY_A_NEW_SANAME = """
+Re-run the command specify a new service account name with: saname <ServiceAccountName>
+See: https://github.com/GAM-team/GAM/wiki/Authorization#advanced-use
+"""
 RESOURCE_CAPACITY_FLOOR_REQUIRED = 'Options "capacity <Number>" (<Number> > 0) and "floor <String>" required'
 RESOURCE_FLOOR_REQUIRED = 'Option "floor <String>" required'
 RESULTS_TOO_LARGE_FOR_GOOGLE_SPREADSHEET = 'Results are too large for Google Spreadsheets. Uploading as a regular CSV file.'
@@ -457,7 +483,10 @@ SCHEMA_WOULD_HAVE_NO_FIELDS = '{0} would have no {1}'
 SELECTED = 'Selected'
 SERVICE_NOT_APPLICABLE = 'Service not applicable/Does not exist'
 SERVICE_NOT_APPLICABLE_THIS_ADDRESS = 'Service not applicable for this address: {0}'
+SERVICE_NOT_ENABLED = '{0} Service/App not enabled'
 SHORTCUT_TARGET_CAPABILITY_IS_FALSE = '{0} capability {1} is False'
+SITES_COMMAND_DEPRECATED = 'The Classic Sites API is deprecated, this command will not work:\n{0}'
+SKU_HAS_NO_MATCHING_ARCHIVED_USER_SKU = 'SKU {0} has no matching Archived User SKU'
 STARTING_THREAD = 'Starting thread'
 STATISTICS_COPY_FILE = 'Total: {0}, Copied: {1}, Shortcut created {2}, Shortcut exists {3}, Duplicate: {4}, Copy Failed: {5}, Not copyable: {6}, In skipids: {7}, Permissions Failed: {8}, Protected Ranges Failed: {9}'
 STATISTICS_COPY_FOLDER = 'Total: {0}, Copied: {1}, Shortcut created {2}, Shortcut exists {3}, Duplicate: {4}, Merged: {5}, Copy Failed: {6}, Not writable: {7}, Permissions Failed: {8}'
@@ -479,7 +508,9 @@ To set up Google Chat for your API project, please go to:

    {0}

-and complete all fields.
+and follow the instructions at:
+
+    https://github.com/GAM-team/GAM/wiki/Chat-Bot#set-up-a-chat-bot
 """
 TOTAL_ITEMS_IN_ENTITY = 'Total {0} in {1}'
 TRIMMED_MESSAGE_FROM_LENGTH_TO_MAXIMUM = 'Trimmed message of length {0} to maximum length {1}'
--- a/src/gam/gamlib/glskus.py
+++ b/src/gam/gamlib/glskus.py
@@ -22,7 +22,7 @@

 # Products/SKUs
 _PRODUCTS = {
-  '101001': 'Cloud Identity Free',
+  '101001': 'Cloud Identity',
  '101005': 'Cloud Identity Premium',
  '101031': 'Google Workspace for Education',
  '101033': 'Google Voice',
@@ -47,6 +47,10 @@ _SKUS = {
    'product': '101001', 'aliases': ['identity', 'cloudidentity'], 'displayName': 'Cloud Identity'},
  '1010050001': {
    'product': '101005', 'aliases': ['identitypremium', 'cloudidentitypremium'], 'displayName': 'Cloud Identity Premium'},
+  '1010070001': {
+    'product': 'Google-Apps', 'aliases': ['gwef', 'workspaceeducationfundamentals'], 'displayName': 'Google Workspace for Education Fundamentals'},
+  '1010070004': {
+    'product': 'Google-Apps', 'aliases': ['gwegmo', 'workspaceeducationgmailonly'], 'displayName': 'Google Workspace for Education Gmail Only'},
  '1010310002': {
    'product': '101031', 'aliases': ['gsefe', 'e4e', 'gsuiteenterpriseeducation'], 'displayName': 'Google Workspace for Education Plus - Legacy'},
  '1010310003': {
@@ -83,6 +87,8 @@ _SKUS = {
    'product': '101038', 'aliases': ['appsheetplus', 'appsheetenterpriseplus'], 'displayName': 'AppSheet Enterprise Plus'},
  '1010390001': {
    'product': '101039', 'aliases': ['assuredcontrols'], 'displayName': 'Assured Controls'},
+  '1010390002': {
+    'product': '101039', 'aliases': ['assuredcontrolsplus'], 'displayName': 'Assured Controls Plus'},
  '1010400001': {
    'product': '101040', 'aliases': ['beyondcorp', 'beyondcorpenterprise', 'bce', 'cep', 'chromeenterprisepremium'], 'displayName': 'Chrome Enterprise Premium'},
  '1010430001': {
@@ -111,6 +117,8 @@ _SKUS = {
    'product': 'Google-Apps', 'aliases': ['standard', 'free'], 'displayName': 'G Suite Legacy'},
  'Google-Apps-For-Business': {
    'product': 'Google-Apps', 'aliases': ['gafb', 'gafw', 'basic', 'gsuitebasic'], 'displayName': 'G Suite Basic'},
+  'Google-Apps-For-Education': {
+    'product': 'Google-Apps', 'aliases': ['gafe', 'gsuiteeducation', 'gsuiteedu'], 'displayName': 'Google Workspace for Education - Fundamentals'},
  'Google-Apps-For-Government': {
    'product': 'Google-Apps', 'aliases': ['gafg', 'gsuitegovernment', 'gsuitegov'], 'displayName': 'Google Workspace Government'},
  'Google-Apps-For-Postini': {
@@ -121,7 +129,7 @@ _SKUS = {
    'product': 'Google-Apps', 'aliases': ['gau', 'gsb', 'unlimited', 'gsuitebusiness'], 'displayName': 'G Suite Business'},
  '1010020020': {
    'product': 'Google-Apps', 'aliases': ['gae', 'gse', 'enterprise', 'gsuiteenterprise',
-                                          'wsentplus', 'workspaceenterpriseplus'], 'displayName': 'Google Workspace Enterprise Plus'},
+                                          'wsentplus', 'workspaceenterpriseplus'], 'displayName': 'Google Workspace Enterprise Plus (formerly G Suite Enterprise)'},
  '1010020025': {
    'product': 'Google-Apps', 'aliases': ['wsbizplus', 'workspacebusinessplus'], 'displayName': 'Google Workspace Business Plus'},
  '1010020026': {
@@ -136,6 +144,8 @@ _SKUS = {
    'product': 'Google-Apps', 'aliases': ['wsflw', 'workspacefrontline', 'workspacefrontlineworker'], 'displayName': 'Google Workspace Frontline Starter'},
  '1010020031': {
    'product': 'Google-Apps', 'aliases': ['wsflwstan', 'workspacefrontlinestan', 'workspacefrontlineworkerstan'], 'displayName': 'Google Workspace Frontline Standard'},
+  '1010020034': {
+    'product': 'Google-Apps', 'aliases': ['wsflwplus', 'workspacefrontlineplus', 'workspacefrontlineworkerplus'], 'displayName': 'Google Workspace Frontline Plus'},
  '1010340001': {
    'product': '101034', 'aliases': ['gseau', 'enterprisearchived', 'gsuiteenterprisearchived'], 'displayName': 'Google Workspace Enterprise Plus - Archived User'},
  '1010340002': {
@@ -148,14 +158,16 @@ _SKUS = {
    'product': '101034', 'aliases': ['wsbizstarterarchived', 'workspacebusinessstarterarchived'], 'displayName': 'Google Workspace Business Starter - Archived User'},
  '1010340006': {
    'product': '101034', 'aliases': ['wsbizstanarchived', 'workspacebusinessstanarchived'], 'displayName': 'Google Workspace Business Standard - Archived User'},
+  '1010340007': {
+    'product': '101034', 'aliases': ['gwefau', 'gwefarchived', 'workspaceeducationfundamentalsarchived'], 'displayName': 'Google Workspace for Education Fundamentals - Archived User'},
  '1010060001': {
    'product': '101006', 'aliases': ['gsuiteessentials', 'essentials',
                                     'd4e', 'driveenterprise', 'drive4enterprise',
-                                     'wsess', 'workspaceesentials'], 'displayName': 'Google Workspace Essentials'},
+                                     'wsess', 'workspaceesentials'], 'displayName': 'Google Workspace Essentials (formerly G Suite Essentials)'},
  '1010060003': {
    'product': 'Google-Apps', 'aliases': ['wsentess', 'workspaceenterpriseessentials'], 'displayName': 'Google Workspace Enterprise Essentials'},
  '1010060005': {
-    'product': 'Google-Apps', 'aliases': ['wsessplus', 'workspaceessentialsplus'], 'displayName': 'Google Workspace Essentials Plus'},
+    'product': 'Google-Apps', 'aliases': ['wsessplus', 'workspaceessentialsplus'], 'displayName': 'Google Workspace Enterprise Essentials Plus'},
  'Google-Drive-storage-20GB': {
    'product': 'Google-Drive-storage', 'aliases': ['drive20gb', '20gb', 'googledrivestorage20gb'], 'displayName': 'Google Drive Storage 20GB'},
  'Google-Drive-storage-50GB': {
@@ -182,6 +194,8 @@ _SKUS = {
    'product': 'Google-Chrome-Device-Management', 'aliases': ['chrome', 'cdm', 'googlechromedevicemanagement'], 'displayName': 'Google Chrome Device Management'}
  }

+ARCHIVABLE_SKUS = {'1010020020', '1010020025', '1010020026', '1010020027', '1010020028', 'Google-Apps-Unlimited'}
+
 def getProductAndSKU(sku):
  l_sku = sku.lower().replace('-', '').replace(' ', '').replace('"', '').replace("'", '').strip()
  if l_sku.startswith('nv:'):
--- a/src/gam/gamlib/glverlibs.py
+++ b/src/gam/gamlib/glverlibs.py
@@ -20,14 +20,19 @@

 """

-GAM_VER_LIBS = ['cryptography',
-                'filelock',
-                'google-api-python-client',
-                'google-auth-httplib2',
-                'google-auth-oauthlib',
-                'google-auth',
-                'httplib2',
-                'passlib',
-                'python-dateutil',
-                'yubikey-manager',
-                ]
+GAM_VER_LIBS = [
+  'chardet',
+  'cryptography',
+  'filelock',
+  'google-api-python-client',
+  'google-auth-httplib2',
+  'google-auth-oauthlib',
+  'google-auth',
+  'lxml',
+  'httplib2',
+  'passlib',
+  'pathvalidate',
+  'pyscard',
+  'python-dateutil',
+  'yubikey-manager',
+]
--- a/src/gam/gdata/apps/sites/init.py
+++ b/src/gam/gdata/apps/sites/init.py
@@ -1,283 +0,0 @@
-#!/usr/bin/env python
-#
-# Copyright 2009 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Data model classes for parsing and generating XML for the Sites Data API."""
-
-import atom
-import gdata
-
-# XML Namespaces used in Google Sites entities.
-SITES_NAMESPACE = 'http://schemas.google.com/sites/2008'
-SITES_TEMPLATE = '{http://schemas.google.com/sites/2008}%s'
-SPREADSHEETS_NAMESPACE = 'http://schemas.google.com/spreadsheets/2006'
-SPREADSHEETS_TEMPLATE = '{http://schemas.google.com/spreadsheets/2006}%s'
-GACL_NAMESPACE = 'http://schemas.google.com/acl/2007'
-GACL_TEMPLATE = '{http://schemas.google.com/acl/2007}%s'
-DC_TERMS_TEMPLATE = '{http://purl.org/dc/terms}%s'
-THR_TERMS_TEMPLATE = '{http://purl.org/syndication/thread/1.0}%s'
-XHTML_NAMESPACE = 'http://www.w3.org/1999/xhtml'
-XHTML_TEMPLATE = '{http://www.w3.org/1999/xhtml}%s'
-
-SITES_INVITE_LINK_REL = SITES_NAMESPACE + '#invite'
-SITES_PARENT_LINK_REL = SITES_NAMESPACE + '#parent'
-SITES_REVISION_LINK_REL = SITES_NAMESPACE + '#revision'
-SITES_SOURCE_LINK_REL = SITES_NAMESPACE + '#source'
-SITES_TEMPLATE_LINK_REL = SITES_NAMESPACE + '#template'
-
-ALTERNATE_REL = 'alternate'
-WEB_ADDRESS_MAPPING_REL = 'webAddressMapping'
-
-SITES_KIND_SCHEME = 'http://schemas.google.com/g/2005#kind'
-ANNOUNCEMENT_KIND_TERM = SITES_NAMESPACE + '#announcement'
-ANNOUNCEMENT_PAGE_KIND_TERM = SITES_NAMESPACE + '#announcementspage'
-ATTACHMENT_KIND_TERM = SITES_NAMESPACE + '#attachment'
-COMMENT_KIND_TERM = SITES_NAMESPACE + '#comment'
-FILECABINET_KIND_TERM = SITES_NAMESPACE + '#filecabinet'
-LISTITEM_KIND_TERM = SITES_NAMESPACE + '#listitem'
-LISTPAGE_KIND_TERM = SITES_NAMESPACE + '#listpage'
-WEBPAGE_KIND_TERM = SITES_NAMESPACE + '#webpage'
-WEBATTACHMENT_KIND_TERM = SITES_NAMESPACE + '#webattachment'
-FOLDER_KIND_TERM = SITES_NAMESPACE + '#folder'
-TAG_KIND_TERM = SITES_NAMESPACE + '#tag'
-
-SUPPORT_KINDS = [
-  'announcement', 'announcementspage', 'attachment', 'comment', 'filecabinet',
-  'listitem', 'listpage', 'webpage', 'webattachment', 'tag'
-  ]
-
-
-class GDataBase(atom.AtomBase):
-  """The Google Sites intermediate class from atom.AtomBase."""
-  _namespace = gdata.GDATA_NAMESPACE
-  _children = atom.AtomBase._children.copy()
-  _attributes = atom.AtomBase._attributes.copy()
-
-  def __init__(self, text=None):
-    atom.AtomBase.__init__(self, text=text)
-
-class SitesBase(GDataBase):
-  _namespace = SITES_NAMESPACE
-
-class SiteName(SitesBase):
-  """Google Sites <sites:siteName>."""
-  _tag = 'siteName'
-
-class Theme(SitesBase):
-  """Google Sites <sites:theme>."""
-  _tag = 'theme'
-
-class SiteEntry(gdata.BatchEntry):
-  """Google Sites Site Feed Entry."""
-  _tag = 'entry'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchEntry._children.copy()
-
-  _children['{%s}siteName' % SITES_NAMESPACE] = ('siteName', SiteName)
-  _children['{%s}theme' % SITES_NAMESPACE] = ('theme', Theme)
-  _attributes = gdata.BatchEntry._attributes.copy()
-  _attributes['{%s}etag' % gdata.GDATA_NAMESPACE] = 'etag'
-
-  def __init__(self, siteName=None, title=None, summary=None, theme=None, sourceSite=None, category=None, etag=None):
-    gdata.BatchEntry.__init__(self, category=category)
-    self.siteName = siteName
-    self.title = title
-    self.summary = summary
-    self.theme = theme
-    if sourceSite is not None:
-      sourceLink = atom.Link(href=sourceSite, rel=SITES_SOURCE_LINK_REL, link_type='application/atom+xml')
-      self.link.append(sourceLink)
-    self.etag = etag
-
-  def find_alternate_link(self):
-    for link in self.link:
-      if link.rel == ALTERNATE_REL and link.href:
-        return link.href
-    return None
-
-  FindAlternateLink = find_alternate_link
-
-  def find_source_link(self):
-    for link in self.link:
-      if link.rel == SITES_SOURCE_LINK_REL and link.href:
-        return link.href
-    return None
-
-  FindSourceLink = find_source_link
-
-  def find_webaddress_mappings(self):
-    mappingLinks = []
-    for link in self.link:
-      if link.rel == WEB_ADDRESS_MAPPING_REL and link.href:
-        mappingLinks.append(link.href)
-    return mappingLinks
-
-  FindWebAddressMappings = find_webaddress_mappings
-
-def SiteEntryFromString(xml_string):
-  return atom.CreateClassFromXMLString(SiteEntry, xml_string)
-
-class SiteFeed(gdata.BatchFeed, gdata.LinkFinder):
-  """A Google Sites feed flavor of an Atom Feed."""
-  _tag = 'feed'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchFeed._children.copy()
-  _children['{%s}entry' % atom.ATOM_NAMESPACE] = ('entry', [SiteEntry])
-
-  def __init__(self):
-    gdata.BatchFeed.__init__(self)
-
-def SiteFeedFromString(xml_string):
-  return atom.CreateClassFromXMLString(SiteFeed, xml_string)
-
-class AclBase(GDataBase):
-  _namespace = GACL_NAMESPACE
-
-class AclRole(AclBase):
-  """Describes the role of an entry in an access control list."""
-  _tag = 'role'
-  _children = AclBase._children.copy()
-  _attributes = AclBase._attributes.copy()
-  _attributes['value'] = 'value'
-
-  def __init__(self, value=None):
-    AclBase.__init__(self)
-    self.value = value
-
-class AclAdditionalRole(AclBase):
-  """Describes an additionalRole element."""
-  _tag = 'additionalRole'
-  _children = AclBase._children.copy()
-  _attributes = AclBase._attributes.copy()
-  _attributes['value'] = 'value'
-
-  def __init__(self, value=None):
-    AclBase.__init__(self)
-    self.value = value
-
-class AclScope(AclBase):
-  """Describes the scope of an entry in an access control list."""
-  _tag = 'scope'
-  _children = AclBase._children.copy()
-  _attributes = AclBase._attributes.copy()
-  _attributes['type'] = 'type'
-  _attributes['value'] = 'value'
-
-  def __init__(self, stype=None, value=None):
-    AclBase.__init__(self)
-    self.type = stype
-    self.value = value
-
-
-class AclWithKey(AclBase):
-  """Describes a key that can be used to access a document."""
-  _tag = 'withKey'
-  _children = AclBase._children.copy()
-  _children['{%s}role' % GACL_NAMESPACE] = ('role', AclRole)
-  _children['{%s}additionalRole' % GACL_NAMESPACE] = ('additionalRole', AclAdditionalRole)
-  _attributes = AclBase._attributes.copy()
-  _attributes['key'] = 'key'
-
-  def __init__(self, key=None, role=None, additionalRole=None):
-    AclBase.__init__(self)
-    self.key = key
-    self.role = role
-    self.additionalRole = additionalRole
-
-class AclEntry(gdata.BatchEntry):
-  """Describes an entry in a feed of an access control list (ACL)."""
-  _tag = 'entry'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchEntry._children.copy()
-
-  _children['{%s}role' % GACL_NAMESPACE] = ('role', AclRole)
-  _children['{%s}additionalRole' % GACL_NAMESPACE] = ('additionalRole', AclAdditionalRole)
-  _children['{%s}scope' % GACL_NAMESPACE] = ('scope', AclScope)
-  _children['{%s}withKey' % GACL_NAMESPACE] = ('withKey', AclWithKey)
-  _attributes = gdata.BatchEntry._attributes.copy()
-  _attributes['{%s}etag' % gdata.GDATA_NAMESPACE] = 'etag'
-
-  def __init__(self, role=None, additionalRole=None, scope=None, withKey=None, etag=None):
-    gdata.BatchEntry.__init__(self)
-    self.role = role
-    self.additionalRole = additionalRole
-    self.scope = scope
-    self.withKey = withKey
-    self.etag = etag
-
-  def find_invite_link(self):
-    for link in self.link:
-      if link.rel == SITES_INVITE_LINK_REL and link.href:
-        return link.href
-    return None
-
-  FindInviteLink = find_invite_link
-
-def AclEntryFromString(xml_string):
-  return atom.CreateClassFromXMLString(AclEntry, xml_string)
-
-class AclFeed(gdata.BatchFeed, gdata.LinkFinder):
-  """Describes a feed of an access control list (ACL)."""
-  _tag = 'feed'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchFeed._children.copy()
-  _children['{%s}entry' % atom.ATOM_NAMESPACE] = ('entry', [AclEntry])
-
-  def __init__(self):
-    gdata.BatchFeed.__init__(self)
-
-def AclFeedFromString(xml_string):
-  return atom.CreateClassFromXMLString(AclFeed, xml_string)
-
-class ActivityEntry(gdata.BatchEntry):
-  """Describes an entry in a feed of site activity (changes)."""
-  _tag = 'entry'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchEntry._children.copy()
-  _attributes = gdata.BatchEntry._attributes.copy()
-
-  def __init__(self):
-    gdata.BatchEntry.__init__(self)
-
-  def __find_category_scheme(self, scheme):
-    for category in self.category:
-      if category.scheme == scheme:
-        return category
-    return None
-
-  def kind(self):
-    kind = self.__find_category_scheme(SITES_KIND_SCHEME)
-    if kind is not None:
-      return kind.term[len(SITES_NAMESPACE) + 1:]
-    else:
-      return None
-
-  Kind = kind
-
-def ActivityEntryFromString(xml_string):
-  return atom.CreateClassFromXMLString(ActivityEntry, xml_string)
-
-class ActivityFeed(gdata.BatchFeed, gdata.LinkFinder):
-  """Describes a feed of site activity (changes)."""
-  _tag = 'feed'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchFeed._children.copy()
-  _children['{%s}entry' % atom.ATOM_NAMESPACE] = ('entry', [ActivityEntry])
-
-  def __init__(self):
-    gdata.BatchFeed.__init__(self)
-
-def ActivityFeedFromString(xml_string):
-  return atom.CreateClassFromXMLString(ActivityFeed, xml_string)
--- a/src/gam/gdata/apps/sites/service.py
+++ b/src/gam/gdata/apps/sites/service.py
@@ -1,246 +0,0 @@
-#!/usr/bin/python
-#
-# Copyright 2009 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""SitesService extends the GDataService for Google Sites API calls."""
-
-import gdata.apps
-import gdata.apps.service
-import gdata.service
-
-
-# Feed URI templates
-CONTENT_FEED_TEMPLATE = '/feeds/content/%s/%s/'
-REVISION_FEED_TEMPLATE = '/feeds/revision/%s/%s/'
-ACTIVITY_FEED_TEMPLATE = '/feeds/activity/%s/%s/'
-ACTIVITY_ENTRY_TEMPLATE = '/feeds/activity/%s/%s/%s'
-SITE_FEED_TEMPLATE = '/feeds/site/%s/'
-ACL_FEED_TEMPLATE = '/feeds/acl/site/%s/%s'
-ACL_ENTRY_TEMPLATE = '/feeds/acl/site/%s/%s/%s'
-
-
-class SitesService(gdata.service.GDataService):
-  """Client extension for the Google Sites API service."""
-
-  def __init__(self,
-               source=None, server='sites.google.com', additional_headers=None,
-               **kwargs):
-    """Constructs a new client for the Sites API.
-
-    Args:
-      site: string (optional) Name (webspace) of the Google Site
-      domain: string (optional) Domain of the (Google Apps hosted) Site.
-          If no domain is given, the Site is assumed to be a consumer Google
-          Site, in which case the value 'site' is used.
-      source: string (optional) The name of the user's application.
-      server: string (optional) The name of the server to which a connection
-          will be opened. Default value: 'sites..google.com'.
-      **kwargs: The other parameters to pass to gdata.service.GDataService
-          constructor.
-    """
-    if additional_headers == None:
-      additional_headers = {}
-    additional_headers['GData-Version'] = '1.4'
-    gdata.service.GDataService.__init__(self,
-                                        source=source, server=server, additional_headers=additional_headers,
-                                        **kwargs)
-    self.ssl = True
-    self.port = 443
-
-  def make_site_feed_uri(self, domain=None, site=None):
-    if not domain:
-      domain = 'site'
-    if not site:
-      return SITE_FEED_TEMPLATE % domain
-    return (SITE_FEED_TEMPLATE % domain) + site
-
-  MakeSiteFeedUri = make_site_feed_uri
-
-  def get_site_feed(self, uri=None, domain=None, site=None,
-                    extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.SiteFeedFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetSiteFeed = get_site_feed
-
-  def create_site(self, siteentry=None, uri=None, domain=None, site=None,
-                  extra_headers=None, url_params=None, escape_params=True):
-
-    if uri is None:
-      uri = self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Post(siteentry, uri,
-                       url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                       converter=gdata.apps.sites.SiteEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  CreateSite = create_site
-
-  def get_site(self, uri=None, domain=None, site=None,
-               extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.SiteEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetSite = get_site
-
-  def update_site(self, siteentry=None, uri=None, domain=None, site=None,
-                  extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Put(siteentry, uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.SiteEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  UpdateSite = update_site
-
-  def make_acl_feed_uri(self, domain=None, site=None):
-    return ACL_FEED_TEMPLATE % (domain, site)
-
-  MakeAclFeedUri = make_acl_feed_uri
-
-  def get_acl_feed(self, uri=None, domain=None, site=None,
-                   extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.AclFeedFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetAclFeed = get_acl_feed
-
-  def make_acl_entry_uri(self, domain=None, site=None, ruleId=None):
-    return ACL_ENTRY_TEMPLATE % (domain, site, ruleId)
-
-  MakeAclEntryUri = make_acl_entry_uri
-
-  def create_acl_entry(self, aclentry=None, uri=None, domain=None, site=None,
-                       extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_feed_uri(domain=domain, site=site)
-    try:
-      return self.Post(aclentry, uri,
-                       url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                       converter=gdata.apps.sites.AclEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  CreateAclEntry = create_acl_entry
-
-  def get_acl_entry(self, uri=None, domain=None, site=None, ruleId=None,
-                    extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_entry_uri(domain=domain, site=site, ruleId=ruleId)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.AclEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetAclEntry = get_acl_entry
-
-  def update_acl_entry(self, aclentry=None, uri=None, domain=None, site=None, ruleId=None,
-                       extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_entry_uri(domain=domain, site=site, ruleId=ruleId)
-    try:
-      return self.Put(aclentry, uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.AclEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  UpdateAclEntry = update_acl_entry
-
-  def delete_acl_entry(self, uri=None, domain=None, site=None, ruleId=None,
-                       extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_entry_uri(domain=domain, site=site, ruleId=ruleId)
-    try:
-      return self.Delete(uri,
-                         url_params=url_params, escape_params=escape_params, extra_headers=extra_headers)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  DeleteAclEntry = delete_acl_entry
-
-  def make_activity_feed_uri(self, domain=None, site=None):
-    return ACTIVITY_FEED_TEMPLATE % (domain, site)
-
-  MakeActivityFeedUri = make_activity_feed_uri
-
-  def get_activity_feed(self, uri=None, domain=None, site=None,
-                        extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_activity_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.ActivityFeedFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetActivityFeed = get_activity_feed
-
-  def make_activity_entry_uri(self, domain=None, site=None, activityId=None):
-    return ACTIVITY_ENTRY_TEMPLATE % (domain, site, activityId)
-
-  MakeActivityEntryUri = make_activity_entry_uri
-
-  def get_activity_entry(self, uri=None, domain=None, site=None, activityId=None,
-                         extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_activity_entry_uri(domain=domain, site=site, activityId=activityId)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.ActivityEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetActivityEntry = get_activity_entry
-
-class SitesQuery(gdata.service.Query):
-
-  def make_site_feed_uri(self, domain=None, site=None):
-    if not domain:
-      domain = 'site'
-    if not site:
-      return SITE_FEED_TEMPLATE % domain
-    return (SITE_FEED_TEMPLATE % domain) + site
-
-  def __init__(self, feed=None, domain=None, site=None, params=None):
-    self.feed = feed or self.make_site_feed_uri(domain=domain, site=site)
-    gdata.service.Query.__init__(self, feed=self.feed, params=params)
-
--- a/src/gam/googleapiclient/version.py
+++ b/src/gam/googleapiclient/version.py
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-__version__ = "2.146.0"
+__version__ = "2.164.0"
--- a/src/gam/meet-v2beta.json
+++ b/src/gam/meet-v2beta.json
--- a/src/license.rtf
+++ b/src/license.rtf
--- a/src/project-apis.txt
+++ b/src/project-apis.txt
@@ -1,23 +0,0 @@
-accesscontextmanager.googleapis.com
-admin.googleapis.com
-alertcenter.googleapis.com
-calendar-json.googleapis.com
-chat.googleapis.com
-chromemanagement.googleapis.com
-chromepolicy.googleapis.com
-classroom.googleapis.com
-cloudidentity.googleapis.com
-cloudresourcemanager.googleapis.com
-contacts.googleapis.com
-drive.googleapis.com
-driveactivity.googleapis.com
-iap.googleapis.com
-gmail.googleapis.com
-groupssettings.googleapis.com
-iam.googleapis.com
-licensing.googleapis.com
-reseller.googleapis.com
-sheets.googleapis.com
-siteverification.googleapis.com
-storage-api.googleapis.com
-vault.googleapis.com
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,14 +1,15 @@
-chardet
-cryptography
+chardet>=5.2.0
+cryptography>=44.0.2
 distro; sys_platform=='linux'
-filelock
-google-api-python-client>=2.1
-google-auth-httplib2
-google-auth-oauthlib>=0.4.1
-google-auth>=2.3.2
-httplib2>=0.17.0
-lxml
-passlib>=1.7.2
-pathvalidate
+filelock>=3.18.0
+google-api-python-client>=2.167.0
+google-auth-httplib2>=0.2.0
+google-auth-oauthlib>=1.2.2
+google-auth>=2.39.0
+httplib2>=0.22.0
+lxml>=5.4.0
+passlib>=1.7.4
+pathvalidate>=3.2.3
+pyscard==2.2.1
 python-dateutil
-yubikey-manager>=5.0
+yubikey-manager>=5.6.1
--- a/src/serviceaccountlookup-v1.json
+++ b/src/serviceaccountlookup-v1.json
@@ -1,141 +0,0 @@
-{
-  "basePath": "",
-  "baseUrl": "https://www.googleapis.com/service_accounts/v1",
-  "canonicalName": "serviceaccountlookup",
-  "description": "Pseudo-API to lookup public certificates for a service account anonymously",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://example.com/",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x16": "http://www.google.com/images/icons/product/search-16.gif",
-    "x32": "http://www.google.com/images/icons/product/search-32.gif"
-  },
-  "id": "serviceaccountlookup:v1",
-  "kind": "discovery#restDescription",
-  "name": "serviceaccountlookup",
-  "ownerDomain": "google.com",
-  "ownerName": "Google",
-  "packagePath": "admin",
-  "parameters": {
-    "$.xgafv": {
-      "description": "V1 error format.",
-      "enum": [
-        "1",
-        "2"
-      ],
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "description": "OAuth access token.",
-      "location": "query",
-      "type": "string"
-    },
-    "alt": {
-      "default": "json",
-      "description": "Data format for response.",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "callback": {
-      "description": "JSONP",
-      "location": "query",
-      "type": "string"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "key": {
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
-      "location": "query",
-      "type": "string"
-    },
-    "oauth_token": {
-      "description": "OAuth 2.0 token for the current user.",
-      "location": "query",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "default": "true",
-      "description": "Returns response with indentations and line breaks.",
-      "location": "query",
-      "type": "boolean"
-    },
-    "quotaUser": {
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "location": "query",
-      "type": "string"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    },
-    "upload_protocol": {
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    }
-  },
-  "protocol": "rest",
-  "resources": {
-    "serviceaccounts": {
-      "methods": {
-        "lookup": {
-          "description": "Lookup",
-          "flatPath": "metadata/x509/{account}",
-          "httpMethod": "GET",
-          "id": "serviceaccountslookup.lookup",
-          "parameterOrder": [
-            "account"
-          ],
-          "parameters": {
-            "account": {
-              "description": "Email or ID of the service account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "metadata/x509/{account}",
-	  "response": {
-            "$ref": "Certificates"
-          }
-        }
-      }
-    }
-  },
-  "rootUrl": "https://www.googleapis.com/service_accounts/v1",
-  "schemas": {
-    "Certificates": { 
-      "description": "JSON template for certificates.",
-      "id": "Certificates",
-      "properties": {
-        "email": {          "description": "Email of the delegate.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    }
-  },
-  "servicePath": "",
-  "title": "Service Account Lookup Pseudo-API",
-  "version": "v1",
-  "version_module": true
-}
--- a/src/setup.cfg
+++ b/src/setup.cfg
@@ -17,26 +17,29 @@ classifiers =
    Programming Language :: Python :: 3.10
    Programming Language :: Python :: 3.11
    Programming Language :: Python :: 3.12
+    Programming Language :: Python :: 3.13
    License :: OSI Approved :: Apache License

 [options]
 packages = find:
-python_requires = >= 3.8
+python_requires = >= 3.9
+# The following files should be edited to match: pyproject.toml, requirements.txt
 install_requires =
-    chardet
-    cryptography
+    chardet >= 5.2.0
+    cryptography >= 44.0.2
    distro; sys_platform == 'linux'
-    filelock
-    google-api-python-client >= 2.36
-    google-auth-httplib2
-    google-auth-oauthlib >= 0.4.6
-    google-auth >= 2.3.3
-    httplib2 >= 0.20.2
-    lxml
+    filelock >= 3.18.0
+    google-api-python-client >= 2.167.0
+    google-auth-httplib2 >= 0.2.0
+    google-auth-oauthlib >= 1.2.2
+    google-auth >= 2.39.0
+    httplib2 >= 0.22.0
+    lxml >= 5.4.0
    passlib >= 1.7.4
-    pathvalidate
+    pathvalidate >= 3.2.3
+    pyscard == 2.2.1
    python-dateutil
-    yubikey-manager >= 5.0
+    yubikey-manager >= 5.6.1

 [options.package_data]
 * = *.pem
--- a/src/tools/gen-wix-xml-filelist.py
+++ b/src/tools/gen-wix-xml-filelist.py
@@ -1,58 +1,23 @@
-import os
-import sys
 import uuid
+from lxml import etree
+import sys

-source_dir = sys.argv[1]
-template_file = sys.argv[2]
-target_file = sys.argv[3]
+# Hacky solution to create a Guid for all files
+# so Wix is happy and Guid is stable every time.
+# uuid5 is used for the Guid and the input is the
+# source filename so the Guid will be the same
+# every time as long as the source file name is
+# the same.

-existing_components = {
-    'gam.exe': '''      <Component Id="gam_exe" Guid="d046ea24-c9f8-40ca-84db-70b0119933ff">
-        <File Name="gam.exe" KeyPath="yes" />
-        <Environment Id="PATH" Name="PATH" Value="[INSTALLFOLDER]" Permanent="yes" Part="last" Action="set" System="yes" />
-      </Component>
-''',
-    'LICENSE': '''      <Component Id="license" Guid="c76864c5-d005-44d5-bb7c-a27e5923792d">
-        <File Name="LICENSE" KeyPath="yes" />
-      </Component>
-''',
-    'gam-setup.bat': '''      <Component Id="gam_setup_bat" Guid="5e6bbacb-d86f-4d80-a10b-89b81ee63fcb">
-        <File Name="gam-setup.bat" KeyPath="yes" />
-      </Component>
-''',
-    'GamCommands.txt': '''      <Component Id="GamCommands_txt" Guid="a2dca862-b222-469e-a637-95ea2a1c53e7">
-        <File Name="GamCommands.txt" KeyPath="yes" />
-      </Component>
-''',
-    'GamUpdate.txt': '''      <Component Id="GamUpdate_txt" Guid="1b7cdd48-0fff-4943-a219-102fcd14c755">
-        <File Name="GamUpdate.txt" KeyPath="yes" />
-      </Component>
-''',
-    'cacerts.pem': '''      <Component Id="cacerts_pem" Guid="61fe2b2d-1646-4bed-b844-193965e97727">
-        <File Name="cacerts.pem" KeyPath="yes" />
-      </Component>
-''',
-}
-
-component_xml = ''
-all_files = []
-for root, dirs, files in os.walk(source_dir):
-    for filename in files:
-        relpath = os.path.relpath(root, source_dir)
-        if relpath == '.':
-            all_files.append(filename)
-        else:
-            all_files.append(os.path.join(relpath, filename))
-all_files.sort()
-for filename in all_files:
-    component_xml += existing_components.get(filename,
-                                             f'      <Component>\n        <File Name="{filename}" KeyPath="yes"/>\n      </Component>\n')
-
-with open(template_file, 'r') as f:
-    template = f.read()
-
-full_xml = template.replace('REPLACE_ME_WITH_FILE_COMPONENTS', component_xml)
-
-with open(target_file, 'w') as f:
-    f.write(full_xml)
+rewrite_file = sys.argv[1]

+with open(rewrite_file, 'rb') as f:
+    input_xml = f.read()
+root = etree.fromstring(input_xml)
+for elem in root.getiterator():
+    if 'Guid' in elem.attrib:
+        source = elem.getchildren()[0].attrib['Source']
+        stable_uuid = str(uuid.uuid5(uuid.NAMESPACE_URL, source))
+        elem.attrib['Guid'] = stable_uuid
+with open(rewrite_file, 'w') as f:
+  f.write(etree.tostring(root).decode())
--- a/src/version_info.txt.in
+++ b/src/version_info.txt.in
@@ -0,0 +1,42 @@
+# UTF-8
+#
+# For more details about fixed file info 'ffi' see:
+# http://msdn.microsoft.com/en-us/library/ms646997.aspx
+VSVersionInfo(
+  ffi=FixedFileInfo(
+    # filevers and prodvers should be always a tuple with four items: (1, 2, 3, 4)
+    # Set not needed items to zero 0.
+    filevers={VERSION_TUPLE},
+    prodvers={VERSION_TUPLE},
+    # Contains a bitmask that specifies the valid bits 'flags'r
+    mask=0x3f,
+    # Contains a bitmask that specifies the Boolean attributes of the file.
+    flags=0x0,
+    # The operating system for which this file was designed.
+    # 0x4 - NT and there is no need to change it.
+    OS=0x4,
+    # The general type of file.
+    # 0x1 - the file is an application.
+    fileType=0x2,
+    # The function of the file.
+    # 0x0 - the function is not defined for this fileType
+    subtype=0x0,
+    # Creation date and time stamp.
+    date=(0, 0)
+    ),
+  kids=[
+    StringFileInfo(
+      [
+      StringTable(
+        '040904b0',
+        [StringStruct('CompanyName', 'GAM-team'),
+        StringStruct('FileDescription', 'CLI for Google Workspace admins'),
+        StringStruct('FileVersion', '{VERSION}'),
+        StringStruct('LegalCopyright', 'Copyright (c) 2024 GAM team'),
+        StringStruct('OriginalFilename', 'gam.exe'),
+        StringStruct('ProductName', 'GAM'),
+        StringStruct('ProductVersion', '{VERSION}')])
+      ]),
+    VarFileInfo([VarStruct('Translation', [1033, 1200])])
+  ]
+)
--- a/wiki/00scratch.md
+++ b/wiki/00scratch.md
@@ -0,0 +1,5 @@
+# Scratch Me Wiki
+editing these files shouldn't trigger a regular GitHub Action build.
+
+# Counter
+00010
--- a/wiki/Addresses.md
+++ b/wiki/Addresses.md
@@ -3,10 +3,10 @@
 - [Display addresses](#display-addresses)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
+* [Directory API - Domains](https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains)
+* [Directory API - Groups](https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups)
+* [Directory API - Resources Calendars](https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars)
+* [Directory API - Users](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users)

 ## Display addresses
 Produces a three column CSV file (headers Type, Email, Target) that displays all group and user primary
--- a/wiki/Administrators.md
+++ b/wiki/Administrators.md
--- a/wiki/Alert-Center.md
+++ b/wiki/Alert-Center.md
@@ -1,5 +1,6 @@
 # Alert Center
 - [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
 - [Definitions](#definitions)
 - [Introduction](#introduction)
 - [Manage alerts](#manage-alerts)
@@ -8,9 +9,11 @@
 - [Display alert feedback](#display-alert-feedback)

 ## API documentation
-* https://developers.google.com/admin-sdk/alertcenter/reference/rest/
-* https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
-* https://developers.google.com/admin-sdk/alertcenter/reference/filter-fields
+* [Alert Center API](https://developers.google.com/admin-sdk/alertcenter/reference/rest/)
+
+## Query documentation
+* [Query Filters](https://developers.google.com/admin-sdk/alertcenter/guides/query-filters)
+* [Query Fields](https://developers.google.com/admin-sdk/alertcenter/reference/filter-fields)

 ## Definitions
 ```
@@ -26,7 +29,7 @@ select alertId and feedbackId.
 To use these commands you must update your gam project and service account authorization.
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
 ## Manage alerts
 ```
--- a/wiki/Aliases.md
+++ b/wiki/Aliases.md
@@ -14,11 +14,11 @@
 - [Determine if an address is a user, user alias, group or group alias](#determine-if-an-address-is-a-user-user-alias-group-or-group-alias)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/users.aliases
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups.aliases
+* [Directory API - User Aliases](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users.aliases)
+* [Directory API - Group Aliases](https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups.aliases)

 ## Query documentation
-* https://developers.google.com/admin-sdk/directory/v1/guides/search-users
+* [Search Users](https://developers.google.com/admin-sdk/directory/v1/guides/search-users)

 ## Definitions
 See [Collections of Items](Collections-of-Items)
@@ -30,8 +30,14 @@ See [Collections of Items](Collections-of-Items)
 <EmailAddress> ::= <String>@<DomainName>
 <EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
 <EmailAddressEntity> ::= <EmailAddressList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <UniqueID> ::= id:<String>
+
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
 ```
 ## Create an alias for a target
 ```
@@ -97,7 +103,7 @@ gam print aliases [todrive <ToDriveAttribute>*]
         [limittoou <OrgUnitItem>])
        [user|users <EmailAddressList>] [group|groups <EmailAddressList>]
        [select <UserTypeEntity>]
-        [aliasmatchpattern <RegularExpression>]
+        [aliasmatchpattern <REMatchPattern>]
        [shownoneditable] [nogroups] [nousers]
        [onerowpertarget] [delimiter <Character>]
        [suppressnoaliasrows]
@@ -111,7 +117,7 @@ By default, group and user aliases in all domains in the account are selected; t
 * `user|users <EmailAddressList>` - Print aliases for users in `<EmailAddressList`
 * `select <UserTypeEntity>` - Print aliases for users in `<UserTypeEntity>`
 * `group|groups <EmailAddressList>` - Print aliases for groups in `<EmailAddressList`
-* `aliasmatchpattern <RegularExpression>` - Print aliases that match a pattern
+* `aliasmatchpattern <REMatchPattern>` - Print aliases that match a pattern
 * `nogroups` - Print only user aliases
 * `nousers` - Print only group aliases

@@ -149,7 +155,7 @@ Alias,Target,TargetType

 ## Bulk delete aliases
 You can bulk delete aliases as follows; use `(query <QueryUser>)|(queries <QueryUserList>)` and
-`aliasmatchpattern <RegularExpression>` as desired.
+`aliasmatchpattern <REMatchPattern>` as desired.
 ```
 gam redirect csv ./OldDomainAliases.csv print aliases aliasmatchpattern ".*@olddomain.com" onerowpertarget suppressnoaliasrows
 gam redirect stdout ./DeleteAliases.txt multiprocess redirect stderr stdout csv ./OldDomainAliases.csv gam remove aliases "~Target" "~TargetType" "~Aliases"
@@ -191,4 +197,3 @@ The return code is set based on `<TypeOfEmailItem>`:
 * Group Alias - 23
 * User Invitation - 24
 * Unknown - 59
-
--- a/wiki/Authorization.md
+++ b/wiki/Authorization.md
@@ -1,7 +1,6 @@
 # Authorization
 - [Introduction](#introduction)
 - [Headless computers and Cloud Shells](#headless-computers-and-cloud-shells)
- [Version 5 Update](#version-5-update)
 - [API documentation](#api-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [Definitions](#definitions)
@@ -46,6 +45,7 @@
  - [Install GAM on the limited users computer](#install-gam-on-the-limited-users-computer)
  - [Test Client and Service Account access on the non-administrator computer](#test-client-and-service-account-access-on-the-non-administrator-computer)
  - [Unselect limited section on your computer.](#unselect-limited-section-on-your-computer)
+- [Delete old versions of GAM from Configured Apps](#delete-old-versions-of-gam-from-configured-apps)

 ## Introduction
 GAM requires authorization to perform tasks on your domain; the tasks break down into two categories:
@@ -93,19 +93,17 @@ If you run a Google Workspace Education SKU, verify that the super admin you'll

 Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created.
 * Access the admin console and go to Security -> Access and data control -> API controls
-* Check Trust internal, domain-owned apps
-* Click **Manage third-party app access**
-* Click Add app and select **OAuth App Name Or Client ID**
-* Paste client_id value from client_secrets.json
+* Click Manage third-party app access
+* Click Configure new app
+* Paste client_id value from client_secrets.json in Search for app
 * Click Search
-* Click Select at right end of line referencing GAM
-* Check box to the left of the line with GAM client ID
-* Click Select
-* Keep the default scope domain.com (all users) or select an org unit that includes your GAM admin
-* Click Next/Continue
+* Click the line referencing GAM
+* Keep the default scope All in domain.com (all users) or select an org unit that includes your GAM admin
+* Click Continue
 * Click Trusted: App can request access to all Google data
-* Click Next/Continue
+* Click Continue
 * Click Finish
+* Press Confirm if Confirm parental consent pops up

 Verify whether the super admin you'll be using is in an OU where reauthentication is required.
 * Access the admin console and go to Security -> Overview
@@ -114,7 +112,6 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
 * If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
 * If that sounds unappealing, check Exempt Trusted apps
 * Click "OVERRIDE"
-* Follow the steps below to mark GAM as a trusted app

 Additional steps may be required if errors are encountered.
 * [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
@@ -127,25 +124,6 @@ as required by Google for headless computers/cloud shells; this is required as o
 * See: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html
  * OAuth out-of-band (oob) flow will be deprecated

-## Version 5 Update
-GAM version `5.00.00` replaced the deprecated `oauth2client` library with the `google-auth` library.
-This change requires a one-time update of the client access file `oauth2.txt`; GAM will continue
-to use the old version of `oauth2.txt` until you perform the update. There is a small performance
-impact until the update is performed. However, you can't use the updated version of `oauth2.txt`
-in prior versions of GAM; if you want to run GAM `5.00.00` and prior versions of GAM,
-do not perform the update until you no longer need to run the prior versions of GAM.
-
-If you are running any GAM version `4.85.00` or later, perform the following command
-after installing `5.00.00` to perform the update.
-```
-gam oauth refresh
-```
-If you are running any GAM version before `4.85.00`, perform the following command
-after installing `5.00.00` to perform the update.
-```
-gam oauth update
-```
-
 ## API documentation
 * https://cloud.google.com/resource-manager/docs/creating-managing-organization#adding_an_organization_administrator
 * https://cloud.google.com/service-usage/docs/reference/rest
@@ -168,7 +146,7 @@ gam oauth update
 <ProjectIDEntity> ::=
        current | gam | <ProjectID> | (filter <String>) |
        (select <ProjectIDList> | <FileSelector> | <CSVFileSelector>)
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <ProjectName> ::= <String>
        Must match this Python Regular Expression: [a-zA-Z0-9 '"!-]{4,30}
 <ServiceAccountName> ::= <String>
@@ -183,12 +161,11 @@ gam oauth update
 ```
 ## Manage Projects
 In all of the project commands, the Google Workspace admin/GCP project manager `<EmailAddress>` can be omitted; you will be prompted for a value.
-You must enter a full address, i.e., user@domain.com; you will be required to enter the password.
+You must enter a full address, i.e., user@domain.com; you will be required to authenticate.

-For `print|show projects`, you can eliminate the password requirement by enabling the following scope in `gam update serviceaccount`;
-GAM will then use Service Account access to display projects.
+For `print|show projects`, you can eliminate the password prompt and authentication requirement by specifying the super admin emailaddress used in `gam oauth create`.
 ```
-[*]  9)  Cloud Resource Manager API v3
+gam print projects admin admin@domain.com
 ```

 ## Authorize a super admin to create projects
@@ -198,7 +175,7 @@ perform these steps and then retry the create project command.
 * Login as an existing super admin at console.cloud.google.com
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
-* Click the down arrow in the box to the right of Google Cloud
+* Click in the box to the right of Google Cloud
 * Click the three dots at the right and select IAM/Permissions
 * Now you should be at "Permissions for organization ..."
 * Click on Grant Access
@@ -207,38 +184,45 @@ perform these steps and then retry the create project command.
 * Type project creator in the Filter box
 * Click Project Creator
 * Click + Add Another Role
-* Type organization policy administrator in the Filter box
-* Click Orgainzation Policy Administrator
+* Type orgpolicy.policyAdmin in the Filter box
+* Click Organization Policy Administrator
 * Click Save

 ## Authorize Service Account Key Uploads

-If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`,
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`,
 perform these steps and then you should be able to authorize and use your project.

 * Login as an existing super admin at console.cloud.google.com
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
-* Click the down arrow in the box to the right of Google Cloud
+* Click in the box to the right of Google Cloud
 * Click the three dots at the right and select IAM/Permissions
 * Now you should be at "Permissions for organization ..."
 * Click on Grant Access
 * Enter the new admin address in Principals
 * Click in the Select a role box
-* Type organization policy administrator in the Filter box
+* Type orgpolicy.policyAdmin in the Filter box
 * Click Organization Policy Administrator
 * Click Save
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
-* Click the down arrow in the box to the right of Google Cloud
+* Click in the box to the right of Google Cloud
 * Click the three dots at the right and select Manage Resources
 * Click the three dots at the end of the line for the GAM project just created
 * Click Settings
 * Click Organization Policies in the left column
 * Now you should be at "Policies for Gam Project"
 * Click in the Filter box
-* Enter iam.disableServiceAccountKeyUpload
-* Click the three dots at the end of the Disable Service Account Key Upload
+* Enter iam.managed.disableServiceAccountKeyUpload
+* Click the three dots at the end of the Disable service account key upload/iam.managed.disableServiceAccountKeyUpload line
+* Choose Edit policy
+* Click Override parent's policy
+* Click Add A Rule
+* Select Enforcement/Off
+* Click Done
+* Click Set Policy
+* Click the three dots at the end of the Disable Service Account Key Upload/iam.disableServiceAccountKeyUpload line
 * Choose Edit policy
 * Click Override parent's policy
 * Click Add A Rule
@@ -293,13 +277,13 @@ You can skip these steps if you know that untrusted third-party apps are allowed

 ### Default values
 * `<AppName>` - "GAM"
-* `<ProjectID>` - "gam-project-abc-def-jki" where "abc-def-ghi" are randomly generated
+* `<ProjectID>` - "gam-project-a1b2c" where "a1b2c" are randomly generated
 * `<ProjectName>` - "GAM Project"
 * `<ServiceAccountName>` - `<ProjectID>`
 * `<ServiceAccountDisplayName>` - `<ProjectName>`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`

-### Basic
+### Basic Create
 Create a project with default values for the project and service account.
 ```
 gam create project [<EmailAddress>] [<ProjectID>]
@@ -307,7 +291,7 @@ gam create project [<EmailAddress>] [<ProjectID>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `<ProjectID>` - A new Google project ID; if omitted, a default value will be used

-### Advanced
+### Advanced Create
 Create a project with user-specified values for the project and service account.
 ```
 gam create project [admin <EmailAddress>] [project <ProjectID>]
@@ -342,7 +326,7 @@ Use an existing project to create and download two files: `client_secrets.json`
 * `<ServiceAccountDisplayName>` - `<ProjectName>`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`

-### Basic
+### Basic Use
 Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when
 the GCP  administrators have created a basic project because project creation is not available for most users.

@@ -354,12 +338,13 @@ gam use project [<EmailAddress>] [project <ProjectID>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `<ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID

-### Advanced
+### Advanced Use
 Use an existing project with user-specified values for the service account. If the project is already
 a GAM project you must use `saname <ServiceAccountName>` as the existing service account information
 can not be re-downloaded.
 ```
 gam use project [admin <EmailAddress>] [project <ProjectID>]
+        [appname <String>] [supportemail <EmailAddress>]
        [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
        [sadescription <ServiceAccountDescription>]
        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
@@ -382,7 +367,7 @@ gam update project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -394,7 +379,7 @@ gam delete project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -414,7 +399,7 @@ gam show projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>]

 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -432,7 +417,7 @@ gam print projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>] [todrive <To

 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -651,8 +636,6 @@ gam select bbb oauth update
 ```

 ## Refresh Client credentials
-If necessary, update `oauth2.txt` from versions of GAM before `5.00.00`.
-
 Refresh the expiration time in `oauth2.txt`.
 ```
 gam oauth refresh
@@ -687,13 +670,9 @@ Export `oauth2.txt` in JSON form.
 ```
 gam oauth|oauth2 export [<FileName>]
 ```
-For GAM version `5.00.00` and later:
 * If `<FileName>` is omitted, the JSON data is written to `oauth2.txt`.
 * If `<FileName>` is `-`, the JSON data is written to stdout.

-For GAM versions before `5.00.00`:
-* If `<FileName>` is omitted, the JSON data is written to stdout.
-
 ## Manage Service Accounts
 In all of the service account commands, the Google Workspace admin/GCP project manager `<EmailAddress>` can be omitted; you will be prompted for a value.
 You must enter a full address, i.e., user@domain.com; you will be required to enter the password.
@@ -718,7 +697,7 @@ gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -741,7 +720,7 @@ gam delete svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -762,7 +741,7 @@ gam print svcaccts [[admin] <EmailAddress>] [all|<ProjectIDEntity>]

 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -808,7 +787,7 @@ The `oauth2service.json` file is updated with the new private key.

 Keep a good record of where each Service Account key is used as the keys themselves do not record this information.

-The two forms of the command are equivalent; the second form is used by Basic Gam.
+The two forms of the command are equivalent; the second form is used by Legacy GAM.
 ```
 gam create sakey
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
@@ -834,7 +813,7 @@ The `oauth2service.json` file is updated with the new private key. If you had pr
 this `oauth2service.json` file to other users, you must redistribute the updated file as the private key
 in the distributed copies has been revoked.

-The two forms of the command are equivalent; the second form is used by Basic Gam.
+The two forms of the command are equivalent; the second form is used by Legacy GAM.
 ```
 gam update sakey
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
@@ -853,7 +832,7 @@ in the distributed copies has been revoked.

 This command can be used if your Service Account keys have been compromised; all existing private keys are revoked.

-The two forms of the command are equivalent; the second form is used by Basic Gam.
+The two forms of the command are equivalent; the second form is used by Legacy GAM.
 ```
 gam replace sakeys
        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
@@ -994,8 +973,8 @@ gam user user@domain.com update serviceaccount
 [*] 18)  Drive API (supports readonly)
 [*] 19)  Drive API - todrive
 [*] 20)  Drive Activity API v2 - must pair with Drive API
-[*] 21)  Drive Labels API v2beta - Admin (supports readonly)
-[*] 22)  Drive Labels API v2beta - User (supports readonly)
+[*] 21)  Drive Labels API - Admin (supports readonly)
+[*] 22)  Drive Labels API - User (supports readonly)
 [*] 23)  Forms API
 [*] 24)  Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read
 [*] 25)  Gmail API - Full Access (Labels, Messages)
@@ -1236,3 +1215,22 @@ Once you have finished setting up authorizations for the limited user, you need
 gam select default save
 gam select <Section> save
 ```
+
+## Delete old versions of GAM from Configured Apps
+
+```
+In the Admin console, go to Security/Access and Data Control/API Controls/MANAGE THIRD-PARTY APP ACCESS
+Click Download list
+Select Comma-separated values (.csv)
+Click Download
+Click Download CSV
+The CSV file will be named: owl_apps.csv
+Remove the rows of apps you want to keep.
+Edit the column Access to UNCONFIGURED for those rows you want to remove.
+Click Bulk update list
+Click Attach CSV file
+Locate owl_apps.csv
+Click Upload
+Click Upload
+Click Confirm
+```
--- a/wiki/BNF-Syntax.md
+++ b/wiki/BNF-Syntax.md
--- a/wiki/Basic-Items.md
+++ b/wiki/Basic-Items.md
@@ -252,6 +252,9 @@
        now|today
 <RegularExpression> ::= <String>
        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
 <ProjectID> ::= <String>
        Must match this Python Regular Expression: [a-z][a-z0-9-]{4,28}[a-z0-9]
 <ServiceAccountName> ::= <String>
@@ -274,14 +277,20 @@
        <EmailAddress>|user:<EmailAddress>|group:<EmailAddress>|
        domain:<DomainName>|domain|default
 <CalendarItem> ::= <EmailAddress>
-<GIGroupAlias> ::= <EmailAddress>
-<GIGroupItem> ::= <EmailAddress>|<UniqueID>|groups/<String>
-<CIGroupType> ::= customer|group|other|serviceaccount|user
 <ChannelCustomerID> ::= <String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
 <ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
+<GIGroupAlias> ::= <EmailAddress>
+<GIGroupItem> ::= <EmailAddress>|<UniqueID>|groups/<String>
+<CIGroupMemberType> ::= cbcmbrowser|chromeosdevice|customer|group|other|serviceaccount|user
+<CIPolicyName> ::= policies/<String>|settings/<String>|<String>
+<ClassificationLabelID> ::= <String>
+<ClassificationLabelFieldID> ::= <String>
+<ClassificationLabelSelectionID> ::= <String>
+<ClassificationLabelName> ::= labels/<ClassificationLabelID>[@latest|@published|@<Number>]
+<ClassificationLabelPermissionName> ::= labels/<ClassificationLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <ClassroomInvitationID> ::= <String>
 <ClientID> ::= <String>
 <CommandID> ::= <String>
@@ -351,11 +360,6 @@
 <DriveFilePermissionID> ::= anyone|anyonewithlink|id:<String>
 <DriveFilePermissionIDorEmail> ::= <DriveFilePermissionID>|<EmailAddress>
 <DriveFileRevisionID> ::= <String>
-<DriveLabelID> ::= <String>
-<DriveLabelFieldID> ::= <String>
-<DriveLabelSelectionID> ::= <String>
-<DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
-<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -371,7 +375,7 @@
 <FloorName> ::= <String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GroupRole> ::= owner|manager|member
-<GroupType> ::= customer|group|user
+<GroupMemberType> ::= customer|group|user
 <GuardianItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GuardianInvitationID> ::= <String>
 <HoldItem> ::= <UniqueID>|<String>
@@ -533,6 +537,7 @@
        (tdnotify [<Boolean>])|
        (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
        (tdretaintitle [<Boolean>])|
+        (tdreturnidonly [<Boolean>])|
        (tdshare <EmailAddress> commenter|reader|writer)*|
        (tdsheet (id:<Number>)|<String>)|
        (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
--- a/wiki/Bulk-Processing.md
+++ b/wiki/Bulk-Processing.md
@@ -73,13 +73,13 @@ gam redirect stdout ./NewStudents.out redirect stderr ./NewStudents.err tbatch N
 ```
 gam csv <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
        [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
-        (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
+        (matchfield|skipfield <FieldName> <RESearchPattern>)* [showcmds [<Boolean>]]
        [skiprows <Integer>] [maxrows <Integer>]
        gam <GAMArgumentList>

 gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
        [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
-        (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
+        (matchfield|skipfield <FieldName> <RESearchPattern>)* [showcmds [<Boolean>]]
        [skiprows <Integer>] [maxrows <Integer>]
        gam <GAMArgumentList>
 ```
@@ -93,7 +93,7 @@ gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset
 * `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings.
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `showcmds` - Write `timestamp,command number/number of commands,command` to stderr when each command starts; write `timestamp, command number/numberof commands,complete` to stderr when command completes
 * `skiprows <Integer>` - Skip filtered rows from the CSV file/Google Sheet.
  * `skiprows 0` - All rows are processed, this is the default
--- a/wiki/CSV-Input-Filtering.md
+++ b/wiki/CSV-Input-Filtering.md
@@ -15,8 +15,8 @@ There are two values in `gam.cfg` that can be used to filter the input from `gam
 * `csv_input_row_filter` - A list or JSON dictionary used to include specific rows based on column values
 * `csv_input_row_drop_filter` - A list or JSON dictionary used to exclude specific rows based on column values

-These filters can be used alone or in conjunction with the `matchfield|skipfield <FieldName> <RegularExpression>` options.
-* https://github.com/taers232c/GAMADV-XTD3/wiki/Bulk-Processing#csv-files
+These filters can be used alone or in conjunction with the `matchfield|skipfield <FieldName> <REMatchPattern>` options.
+* https://github.com/GAM-team/GAM/wiki/Bulk-Processing#csv-files

 ## Definitions
 [Data Selectors](Collections-of-items)
@@ -40,8 +40,11 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
 <Operator> ::= <|<=|>=|>|=|!=
 <RegularExpression> ::= <String>
        See: https://docs.python.org/3/library/re.html>
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>

-<FieldNameFilter> :: = <RegularExpression>
+<FieldNameFilter> :: = <REMatchPattern>
 <RowValueFilter> ::=
        [(any|all):]boolean:<Boolean>|
        [(any|all):]count<Operator><Number>|
@@ -55,10 +58,10 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
        [(any|all):]lengthrange!=<Number>/<Number>|
        [(any|all):]lengthrange=<Number>/<Number>|
        [(any|all):]notdata:<DataSelector>|
-        [(any|all):]notregex:<RegularExpression>|
-        [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]notregex:<RESearchPattern>|
+        [(any|all):]notregexcs:<RESearchPattern>|
+        [(any|all):]regex:<RESearchPattern>|
+        [(any|all):]regexcs:<RESearchPattern>|
        [(any|all):]text<Operator><String>|
        [(any|all):]textrange!=<String>/<String>|
        [(any|all):]textrange=<String>/<String>|
@@ -82,8 +85,8 @@ Name:value form.
 * `<RowValueFilterList>`, even if it has one element, should be enclosed in `"`.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
-* If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
-* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+* If `<RESearchPattern>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RESearchPattern>` in `<RowValueFilter>` contain a `\` to escape a special character
 or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,

 Examples:
@@ -186,10 +189,10 @@ These are the row value filter types:
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
  * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
 * `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
+* `notregex:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case insensitive
+* `notregexcs:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case sensitive
+* `regex:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case insensitive
+* `regexcs:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
  * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
@@ -205,13 +208,6 @@ These are the row value filter types:
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
  * The field value must be `<` the left `<Time>` or `>` the right `<Time>`

-### **Change in behavior.**
-In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;
-in many cases this is probably not desirable; e.g., matching file names which are case insensitive.
-
-Now, `regex:<RegularExpression>` and `notregex:<RegularExpression>` are processed in a case insensitive manner.
-To get the prior case sensitive processing, use `regexcs:<RegularExpression>` and `notregexcs:<RegularExpression>`.
-
 ### Examples
 You want to process groups with 100 or more direct members.
 ```
@@ -258,7 +254,7 @@ gam selectinputfilter Filter510 csv UserInfo.csv gam user "~primaryEmail" ...
 ```

 ## Validate filters
-Version `6.30.00` added the `gam comment <String>*` command that can be used to validate input row filters.
+The `gam comment <String>*` command that can be used to validate input row filters.
 ```
 $ more Comment.csv 
 col1,col2
@@ -272,4 +268,4 @@ Col1:ccc Col2:333
 $ gam config csv_input_row_filter "col1:regex:bbb"  csv Comment.csv gam comment "Col1:~~col1~~" "Col2:~~col2~~"
 2022-12-18T09:42:26.108-08:00,0/1,Using 1 process...
 Col1:bbb Col2:222
-```
+```
--- a/wiki/CSV-Output-Filtering.md
+++ b/wiki/CSV-Output-Filtering.md
@@ -11,9 +11,11 @@
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)

-There are five values in `gam.cfg` that can be used to filter the output from `gam print` commands.
+There are seven values in `gam.cfg` that can be used to filter the output from `gam print` commands.
 * `csv_output_header_filter` - A list of `<RegularExpressions>` used to select specific column headers to include
 * `csv_output_header_drop_filter` - A list of `<RegularExpressions>` used to select specific column headers to exclude
+* `csv_output_header_force` - A list of <Strings> used to specify the exact column headers to include
+* `csv_output_header_order` - A list of <Strings> used to specify the column header order; any headers in the file but not in the list will appear after the headers in the list.
 * `csv_output_row_filter` - A list or JSON dictionary used to include specific rows based on column values
 * `csv_output_row_drop_filter` - A list or JSON dictionary used to exclude specific rows based on column values
 * `csv_output_row_limit` - A limit on the number of rows written
@@ -44,8 +46,11 @@ on all platforms.
 <Operator> ::= <|<=|>=|>|=|!=
 <RegularExpression> ::= <String>
        See: https://docs.python.org/3/library/re.html>
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>

-<FieldNameFilter> :: = <RegularExpression>
+<FieldNameFilter> :: = <REMatchPattern>
 <ColumnFieldNameFilterList> ::= "<FieldNameFilter>(,<FieldNameFilter>)*"
 <RowValueFilter> ::=
        [(any|all):]boolean:<Boolean>|
@@ -60,10 +65,10 @@ on all platforms.
        [(any|all):]lengthrange!=<Number>/<Number>|
        [(any|all):]lengthrange=<Number>/<Number>|
        [(any|all):]notdata:<DataSelector>
-        [(any|all):]notregex:<RegularExpression>|
-        [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]notregex:<RESearchPattern>|
+        [(any|all):]notregexcs:<RESearchPattern>|
+        [(any|all):]regex:<RESearchPattern>|
+        [(any|all):]regexcs:<RESearchPattern>|
        [(any|all):]text<Operator><String>|
        [(any|all):]textrange!=<String>/<String>|
        [(any|all):]textrange=<String>/<String>|
@@ -87,8 +92,8 @@ Name:value form.
 * `<RowValueFilterList>`, even if it has one element, should be enclosed in `"`.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
-* If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
-* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+* If `<RESearchPattern>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RESearchPattern>` in `<RowValueFilter>` contain a `\` to escape a special character
 or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,

 Examples:
@@ -241,10 +246,10 @@ These are the row value filter types:
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
  * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
 * `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
+* `notregex:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case insensitive
+* `notregexcs:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case sensitive
+* `regex:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case insensitive
+* `regexcs:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
  * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
@@ -260,13 +265,6 @@ These are the row value filter types:
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
  * The field value must be `<` the left `<Time>` or `>` the right `<Time>`

-### **Change in behavior.**
-In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;
-in many cases this is probably not desirable; e.g., matching file names which are case insensitive.
-
-Now, `regex:<RegularExpression>` and `notregex:<RegularExpression>` are processed in a case insensitive manner.
-To get the prior case sensitive processing, use `regexcs:<RegularExpression>` and `notregexcs:<RegularExpression>`.
-
 ### Examples
 You want a list of groups with 100 or more direct members.
 ```
@@ -334,7 +332,7 @@ gam config csv_output_row_limit 10 auto_batch_min 1 redirect csv ./BigQuotaFiles
 ```

 ## Saving filters in gam.cfg
-If you define a value for `csv_output_header_filter`, `csv_output_header_drop_filter`, `csv_output_row_filter`, `csv_output_row_drop_filter` or `csv_output_row_limit` in the `[DEFAULT]` section of `gam.cfg`,
+If you define a value for `csv_output_header_filter`, `csv_output_header_drop_filter`, `csv_output_header_force`, `csv_output_header_order`, `csv_output_row_filter`, `csv_output_row_drop_filter` or `csv_output_row_limit` in the `[DEFAULT]` section of `gam.cfg`,
 it will apply to every `gam print` command which is probably not desirable. You can store them in `gam.cfg` in named sections.
 ```
 [Filter510]
--- a/wiki/CSV-Special-Characters.md
+++ b/wiki/CSV-Special-Characters.md
--- a/wiki/Calendars-Access.md
+++ b/wiki/Calendars-Access.md
@@ -21,14 +21,14 @@ Calendar ACL roles (as seen in Calendar GUI):
  * `freebusy` & `freebusyreader` - See only free/busy (hide details)

 ## API documentation
-* https://developers.google.com/calendar/v3/reference/acl
+* [Calendar API - ACLs](https://developers.google.com/google-apps/calendar/v3/reference/acl)

 ## Definitions
 ```
 <CalendarItem> ::= <EmailAddress>
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <CalendarEntity> ::= <CalendarList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items

 <CalendarACLRole> ::= editor|freebusy|freebusyreader|owner|reader|writer
 <CalendarACLScope> ::= <EmailAddress>|user:<EmailAdress>|group:<EmailAddress>|domain:<DomainName>|domain|default
@@ -72,7 +72,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

 ### Old format commands
-These commands are backwards compatible with basic GAM.
+These commands are backwards compatible with Legacy GAM.
 ```
 gam calendar <CalendarEntity> add <CalendarACLRole> ([user] <EmailAddress>)|(group <EmailAddress>)|(domain [<DomainName>])|default [sendnotifications <Boolean>]
 gam calendar <CalendarEntity> update <CalendarACLRole> ([user] <EmailAddress>)|(group <EmailAddress>)|(domain [<DomainName>])|default [sendnotifications <Boolean>]
--- a/wiki/Calendars-Events.md
+++ b/wiki/Calendars-Events.md
@@ -28,11 +28,17 @@ In general, you should use the following commands to manage user's calendars eve
 Client access works when accessing Resource calendars.

 ## API documentation:
-* https://developers.google.com/calendar/v3/reference/events
-* https://developers.google.com/calendar/v3/reference/events/import
+* [Calendar API - Events](https://developers.google.com/calendar/v3/reference/events)
+* [Calendar API - Import Events](https://developers.google.com/calendar/v3/reference/events/import)

 ## Definitions
 ```
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+
 <Year> ::= <Digit><Digit><Digit><Digit>
 <Month> ::= <Digit><Digit>
 <Day> ::= <Digit><Digit>
@@ -63,12 +69,15 @@ Client access works when accessing Resource calendars.
 <CalendarItem> ::= <EmailAddress>
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <CalendarEntity> ::= <CalendarList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
-<EmailAddressList> ::= "<EmailAddess>(,<EmailAddress>)*"
-<EmailAddressEntity> ::= <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+<EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
+<EmailAddressEntity> ::=
+        <EmailAddressList> | <FileSelector> | <CSVFileSelector> |
+        <CSVkmdSelector> | <CSVDataSelector>
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
+<iCalUID> ::= <String>

 <EventAttachmentsSubfieldName> ::=
        attachments.fileid|
@@ -201,26 +210,26 @@ Client access works when accessing Resource calendars.
        (matchfield attendeesonlydomainlist <DomainNameList>)|
        (matchfield attendeesdomainlist <DomainNameList>)|
        (matchfield attendeesnotdomainlist <DomainNameList>)|
-        (matchfield attendeespattern <RegularExpression>)|
+        (matchfield attendeespattern <RESearchPattern>)|
        (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
-        (matchfield creatoremail <RegularExpression>)|
-        (matchfield creatorname <RegularExpression>)|
-        (matchfield description <RegularExpression>)|
-        (matchfield hangoutlink <RegularExpression>)|
-        (matchfield location <RegularExpression>)|
-        (matchfield organizeremail <RegularExpression>)|
-        (matchfield organizername <RegularExpression>)|
+        (matchfield creatoremail <RESearchPattern>)|
+        (matchfield creatorname <RESearchPattern>)|
+        (matchfield description <RESearchPattern>)|
+        (matchfield hangoutlink <RESearchPattern>)|
+        (matchfield location <RESearchPattern>)|
+        (matchfield organizeremail <RESearchPattern>)|
+        (matchfield organizername <RESearchPattern>)|
        (matchfield organizerself <Boolean>)|
-        (matchfield status <RegularExpression>)|
-        (matchfield summary <RegularExpression>)|
-        (matchfield transparency <RegularExpression>)|
-        (matchfield visibility <RegularExpression>)
+        (matchfield status <RESearchPattern>)|
+        (matchfield summary <RESearchPattern>)|
+        (matchfield transparency <RESearchPattern>)|
+        (matchfield visibility <RESearchPattern>)

 <EventIDEntity> ::=
        (id|eventid <EventId>) |
        (event|events <EventIdList> |
        <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>)
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <EventSelectEntity> ::=
        (<EventSelectProperty>+ <EventMatchProperty>*)

@@ -264,6 +273,7 @@ Client access works when accessing Resource calendars.
        (range <Date> <Date>)|
        (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
        (reminder <Number> email|popup)|
+        (resource <ResourceID>)|
        (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
        (sequence <Integer>)|
        (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -294,9 +304,11 @@ The following attributes are equivalent:
        clearattendees|
        clearhangoutsmeet|
        (clearprivateproperty <PropertyKey>)|
+        clearresources|
        (clearsharedproperty <PropertyKey>)|
        (removeattendee <EmailAddress>)|
-        (replacedescription <RegularExpression> <String>)|
+        (removeresource <ResourceID>)|
+        (replacedescription <REMatchPattern> <RESubstitution>)|
        (selectremoveattendees <UserTypeEntity>)

 <EventNotificationAttribute> ::=
@@ -370,26 +382,26 @@ GAM processes `<EventMatchProperty>*`; you may specify none or multiple properti
 * `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
    in `<DomainNameList>` if the events use resources.
-* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
+* `matchfield attendeespattern <RESearchPattern>` - Some attendee's email address must match `<RESearchPattern>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
    * `<AttendeeAttendance>` - Default is `required`
    * `<AttendanceStatus>` - Default is`needsaction`
-* `matchfield creatoremail <RegularExpression>` - The creator email address must match `<RegularExpression>`
-* `matchfield creatorname <RegularExpression>` - The creator name must match `<RegularExpression>`
-* `matchfield description <RegularExpression>` - The description (summary) must match `<RegularExpression>`
-* `matchfield location <RegularExpression>` - The location must match `<RegularExpression>`
-* `matchfield organizeremail <RegularExpression>` - The organizer email address must match `<RegularExpression>`
-* `matchfield organizername <RegularExpression>` - The orgainzer name must match `<RegularExpression>`
-* `matchfield status <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
+* `matchfield creatoremail <RESearchPattern>` - The creator email address must match `<RESearchPattern>`
+* `matchfield creatorname <RESearchPattern>` - The creator name must match `<RESearchPattern>`
+* `matchfield description <RESearchPattern>` - The description (summary) must match `<RESearchPattern>`
+* `matchfield location <RESearchPattern>` - The location must match `<RESearchPattern>`
+* `matchfield organizeremail <RESearchPattern>` - The organizer email address must match `<RESearchPattern>`
+* `matchfield organizername <RESearchPattern>` - The orgainzer name must match `<RESearchPattern>`
+* `matchfield status <RESearchPattern>` - The summary must match `<RESearchPattern>`. The API documented values are:
    * `confirmed`
    * `tentative`
    * `cancelled`
-* `matchfield summary <RegularExpression>` - The summary must match `<RegularExpression>`
-* `matchfield transparency <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
+* `matchfield summary <RESearchPattern>` - The summary must match `<RESearchPattern>`
+* `matchfield transparency <RESearchPattern>` - The summary must match `<RESearchPattern>`. The API documented values are:
    * `opaque` - Busy. The API does not seem to return this value; use `"(^$)|opaque"` to match no value or `opaque`.
    * `transparent` -  Free/Available
-* `matchfield visibility <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
+* `matchfield visibility <RESearchPattern>` - The summary must match `<RESearchPattern>`. The API documented values are:
    * `default` - The API does not seem to return this value; use `"(^$)|default"` to match no value or `default`.
    * `public` - The API does not seem to return this value if it is the default; use `"(^$)|public"` to match no value or `public`.
    * `private` - The API does not seem to return this value if it is the default; use `"(^$)|private"` to match no value or `private`.
@@ -428,6 +440,7 @@ You can specify attendees in the following ways:
 * `selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>` - Multiple attendees
  * If `<AttendeeAttendance>` is not specified, all attendees are required to attend
  * If `<AttendeeStatus>` is not specified, `needsaction` is chosen
+* `resource <ResourceID>` - Add a resource attendee to the event

 To add an attendee to a single recurring calendar event, you need to specify the ID of that specific event. 
 ```
@@ -452,16 +465,13 @@ You can clear/modify existing attributes:
 * `clearhangoutsmeet` - Clear Hangouts/Meet link
 * `clearprivateproperty <PropertyKey>` - Clear private properties
 * `clearsharedproperty <PropertyKey>` - Clear shared properties
-* `replacedescription <RegularExpression> <String>` - Modify the description
+* `replacedescription <REMatchPattern> <RESubstitution>` - Modify the description

 ## Update calendar attendees
-The default behavior of `gam calendar <CalendarEntity> update events` has been changed regarding attendees.
-In versions of GAM before `5.02.00`, updating attendees in calendar events was complicated because you had to
-supply the complete attendee list even if you just wanted incremental changes.
-The default behavior now is to allow incremental changes to the attendees list;
+The default behavior is to allow incremental changes to the attendees list;
 the current attendee list is downloaded and the specified changes are applied.

-The `replacemode` option invokes the previous behavior from versions before `5.02.00`; the current attendee list is replaced.
+The `replacemode` option causes the current attendee list to be replaced with the specified changes.

 You can add attendees in the following ways:
 * `attendee <EmailAddress>` - The attendee attendance is required with status `needsaction'
@@ -474,11 +484,14 @@ You can add attendees in the following ways:
 * `selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>` - Multiple attendees
  * If `<AttendeeAttendance>` is not specified, all attendees are required to attend
  * If `<AttendeeStatus>` is not specified, `needsaction` is chosen
+* `resource <ResourceID>` - Add a resource attendee to the event

 You can remove attendees in the following ways:
 * `clearattendees` - Clear all current attendees from the attendee list
 * `removeattendee <EmailAddress>` - Remove a single attendee from the attendee list
 * `selectremoveattendees <UserTypeEntity>` - Remove a selected collection of attendees from the attendee list
+* `clearresources` - Clear all resource attendees from the event
+* `removeresource <ResourceID>` - Remove a resource attendee from the event

 For `<UserTypeEntity>` See: [Collections of Users](Collections-of-Users)

@@ -523,7 +536,7 @@ No events are deleted unless you specify the `doit` option; omit `doit` to verif

 ## Move calendar events to another calendar
 Generally you won't move all events from one calendar to another; typically, you'll move events created by the event creator
-using `matchfield creatoremail <RegularExpression>` in conjunction with other `<EventSelectProperty>` and `<EventMatchProperty>` options.
+using `matchfield creatoremail <RESearchPattern>` in conjunction with other `<EventSelectProperty>` and `<EventMatchProperty>` options.
 ```
 gam calendar <CalendarEntity> move event [<EventEntity>] destination|to <CalendarItem> [<EventNotificationAttribute>]
 ```
@@ -595,8 +608,19 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

+### Special character processing
+When outputting events with `formatjson` with the goal of adding the events to another calendar,
+use these options at the beginning of the command:
+```config csv_output_convert_cr_nl false csv_output_no_escape_char true```
+
+On the subsequent command to add the events, use this option at the beginning of the command:
+```config csv_input_no_escape_char true```
+
+These options ensure that newline `\n`, double quote `"`, single quote `'` and backslash `\` are
+properly processed.
+
 ### Old format commands
-These commands are backwards compatible with basic Gam.
+These commands are backwards compatible with Legacy GAM.
 ```
 gam calendar <CalendarEntity> addevent <EventAttribute>+ [<EventNotificationAttribute>]
 gam calendar <CalendarEntity> deleteevent (id|eventid <EventID>)+ [doit] [<EventNotificationAttribute>]
--- a/wiki/Calendars.md
+++ b/wiki/Calendars.md
@@ -14,14 +14,14 @@ In general, you should use the following commands to manage user's calendars.
 Client access works when accessing Resource calendars.

 ## API documentation
-* https://developers.google.com/google-apps/calendar/v3/reference/calendars
+* [Calendar API - Calendars](https://developers.google.com/google-apps/calendar/v3/reference/calendars)

 ## Definitions
 ```
 <CalendarItem> ::= <EmailAddress>
 <CalendarList> ::= "<CalendarItem>(,<CalendarItem>)*"
 <CalendarEntity> ::= <CalendarList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items

 <TimeZone> ::= <String>
        See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
--- a/wiki/Chat-Bot.md
+++ b/wiki/Chat-Bot.md
@@ -1,6 +1,5 @@
 # Chat Bot

- [Notes](#notes)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Set up a Chat Bot](#set-up-a-chat-bot)
@@ -11,9 +10,6 @@
 - [Delete a Chat Message](#delete-a-chat-message)
 - [Display a Chat Message](#display-a-chat-message)

-## Notes
-This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks for his efforts.
-
 ## API documentation
 * https://developers.google.com/chat/concepts
 * https://developers.google.com/chat/reference/rest
@@ -113,7 +109,7 @@ Since GAM 6.04.00, GAM is capable of acting as a Chat Bot and sending messages t
 * Enter an App name and Description of your choosing.
 * For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
 * In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
-* In Connection settings, choose "Cloud Pub/Sub" and enter "no-topic" for the topic name. GAM doesn't yet listen to pub/sub so this option is not used.
+* In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the topic name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
 * In Visibility, uncheck "Make this Chat app available to specific people and groups in  Domain Workspace".
 * Click Save.

--- a/wiki/Chrome-AUE-Counts.md
+++ b/wiki/Chrome-AUE-Counts.md
@@ -1,14 +1,11 @@
 # Chrome Auto Update Expiration Counts
-
- [Chrome Auto Update Expiration Counts](#chrome-auto-update-expiration-counts)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome auto update expiration counts](#display-chrome-auto-update-expiration-counts)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome auto update expiration counts](#display-chrome-auto-update-expiration-counts)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesReachingAutoExpirationDate
+* [Chrome Management API - Count Devices Reaching AUE](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesReachingAutoExpirationDate)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Browser-Cloud-Management.md
+++ b/wiki/Chrome-Browser-Cloud-Management.md
@@ -1,27 +1,25 @@
 # Chrome Browser Cloud Management
-
- [Chrome Browser Cloud Management](#chrome-browser-cloud-management)
-  - [API documentation](#api-documentation)
-  - [Query documentation](#query-documentation)
-  - [Definitions](#definitions)
-  - [Manage Chrome browsers](#manage-chrome-browsers)
-    - [Update Chrome browsers](#update-chrome-browsers)
-      - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
-    - [Move Chrome browsers from one OU to another](#move-chrome-browsers-from-one-ou-to-another)
-    - [Delete Chrome browsers](#delete-chrome-browsers)
-  - [Display Chrome browsers](#display-chrome-browsers)
-    - [Examples](#examples)
-  - [Browser Query Searchable Fields](#browser-query-searchable-fields)
-  - [Manage Chrome browser enrollment tokens](#manage-chrome-browser-enrollment-tokens)
-  - [Display Chrome browser enrollment tokens](#display-chrome-browser-enrollment-tokens)
+- [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
+- [Definitions](#definitions)
+- [Raw Fields](#raw-fields)
+- [Manage Chrome browsers](#manage-chrome-browsers)
+  - [Update Chrome browsers](#update-chrome-browsers)
+    - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
+  - [Move Chrome browsers from one OU to another](#move-chrome-browsers-from-one-ou-to-another)
+  - [Delete Chrome browsers](#delete-chrome-browsers)
+- [Display Chrome browsers](#display-chrome-browsers)
+  - [Examples](#examples)
+- [Browser Query Searchable Fields](#browser-query-searchable-fields)
+- [Manage Chrome browser enrollment tokens](#manage-chrome-browser-enrollment-tokens)
+- [Display Chrome browser enrollment tokens](#display-chrome-browser-enrollment-tokens)

 ## API documentation
-
-* https://support.google.com/chrome/a/answer/9681204
-* https://support.google.com/chrome/a/answer/9949706
+* [Chrome Enterprise Core API](https://support.google.com/chrome/a/answer/9681204)
+* [Chrome Browser Enrollment Token API](https://support.google.com/chrome/a/answer/9949706)

 ## Query documentation
-* https://support.google.com/chrome/a/answer/9681204#retrieve_all_chrome_devices_for_an_account
+* [Search Chrome Browser Devices](https://support.google.com/chrome/a/answer/9681204#retrieve_all_chrome_devices_for_an_account)

 ## Definitions
 * [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
@@ -41,7 +39,7 @@
        (query:<QueryBrowser>)|(query:orgunitpath:<OrgUnitPath>)|(query <QueryBrowser>) |
        (browserou <OrgUnitItem>) | (browserous <OrgUnitList>) |
        <FileSelector> | <CSVFileSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items

 <BrowserAttribute> ::=
        (annotatedassetid|asset|assetid <String>)|
@@ -114,6 +112,74 @@
        tokenpermanentid
 <BrowserTokenFieldNameList> ::= "<BrowseTokenFieldName>(,<BrowserTokenFieldName>)*"
 ```
+## Raw Fields
+
+This is the list of Browser fields showing their subfields.
+You enter `rawfields` like this: the field names must be entered exactly as shown.
+```
+rawfields "deviceId,browsers(profiles(id,name,extensions(appType,name))),lastDeviceUsers(userName),osPlatform,osVersion"
+```
+```
+annotatedAssetId
+annotatedLocation
+annotatedNotes
+annotatedUser
+deviceId
+browserVersions
+browsers
+  browserVersion
+  channel
+  executablePath
+  lastStatusReportTime
+  pendingInstallVersion
+  profiles
+    id
+    chromeSignedInUserEmail
+    lastPolicyFetchTime
+    lastStatusReportTime
+    name
+    extensions
+      appType
+      description
+      extensionId
+      homepageUrl
+      installType
+      manifestVersion
+      name
+      permissions
+      version
+deviceIdentifiersHistory
+  records
+    firstRecordTime
+    identifiers
+      machineName
+    lastActivityTime
+extensionCount
+lastActivityTime
+lastDeviceUser
+lastDeviceUsers
+  lastStatusReportTime
+  userName
+lastPolicyFetchTime
+lastRegistrationTime
+lastStatusReportTime
+machineName
+machinePolicies
+  error
+  name
+  source
+  value
+orgUnitPath
+osArchitecture
+osPlatform
+osPlatformVersion
+osVersion
+policyCount
+safeBrowsingClickThroughCount
+serialNumber
+virtualDeviceId
+```
+
 ## Manage Chrome browsers
 ## Update Chrome browsers
 There are four attributes that can be set for a browser.
@@ -163,7 +229,9 @@ gam delete browser <BrowserDeviceEntity>
 ## Display Chrome browsers
 ```
 gam info browser <BrowserEntity>
-        [basic|full|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [formatjson]
 ```
 Select the fields to be displayed:
@@ -171,6 +239,7 @@ Select the fields to be displayed:
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePolicies; this is the default
 * `allfields/full` - Display all fields
 * `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+* `rawfields "<BrowserFieldNameList>"` - Display a selected list of fields

 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -180,7 +249,9 @@ gam show browsers
        ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
        [querytime<String> <Time>]
        [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [formatjson]
 ```

@@ -195,6 +266,7 @@ Select the fields to be displayed:
 * `allfields/full` - Display all fields
 * `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
+* `rawfields "<BrowserFieldNameList>"` - Display a selected list of fields

 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -208,7 +280,9 @@ gam print browsers [todrive <ToDriveAttribute>*]
        ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
        [querytime<String> <Time>]
        [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [sortheaders] [formatjson [quotechar <Character>]]
 ```

@@ -235,6 +309,7 @@ Select the fields to be displayed:
 * `allfields/full` - Display all fields
 * `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
+* `rawfields "<BrowserFieldNameList>"` - Display a selected list of fields

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
--- a/wiki/Chrome-Installed-Apps.md
+++ b/wiki/Chrome-Installed-Apps.md
@@ -1,5 +1,4 @@
 # Chrome Installed Apps Counts
-
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
@@ -8,9 +7,8 @@
 - [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countInstalledApps
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/findInstalledAppDevices
+* [Chrome Management API - Count Installed Apps](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countInstalledApps)
+* [Chrome Management API - Find Installed App Devices](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/findInstalledAppDevices)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Needs-Attention-Counts.md
+++ b/wiki/Chrome-Needs-Attention-Counts.md
@@ -1,14 +1,11 @@
 # Chrome Device Needs Attention Counts
-
- [Chrome Device Needs Attention Counts](#chrome-device-needs-attention-counts)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome Device needs attention counts](#display-chrome-device-needs-attention-counts)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome Device needs attention counts](#display-chrome-device-needs-attention-counts)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesThatNeedAttention
+* [Chrome Management API - Count Devices that Need Attention](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesThatNeedAttention)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Policies.md
+++ b/wiki/Chrome-Policies.md
--- a/wiki/Chrome-Printers.md
+++ b/wiki/Chrome-Printers.md
@@ -9,7 +9,7 @@
 - [Bulk printer updates](#bulk-printer-updates)

 ## API documentation
-* https://developers.google.com/admin-sdk/chrome-printer/reference/rest
+* [Chrome Printer Management API](https://developers.google.com/admin-sdk/chrome-printer/reference/rest)

 ## Notes
 To use these features you must authorize the appropriate scope: `Directory API - Printers (supports readonly)`.
@@ -79,7 +79,7 @@ gam oauth create
                 (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
                [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
                [endcsv|(fields <FieldNameList>)]
-                (matchfield|skipfield <FieldName> <RegularExpression>)*
+                (matchfield|skipfield <FieldName> <RESearchPattern>)*
                [delimiter <Character>]

 ```
--- a/wiki/Chrome-Profile-Management.md
+++ b/wiki/Chrome-Profile-Management.md
@@ -0,0 +1,195 @@
+# Chrome Profile Management
+- [API documentation](#api-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Delete Chrome profiles](#delete-chrome-profiles)
+- [Display Chrome profiles](#display-chrome-profiles)
+- [Profile Query Searchable Fields](#profile-query-searchable-fields)
+
+## Introduction
+These features were added in version 7.01.00.
+
+To use these commands you must update your client authorization.
+```
+gam oauth create
+
+[*]  3)  Chrome Management API - Profiles (supports readonly)
+```
+
+You must enable managed profile reporting, see: https://support.google.com/chrome/a/answer/9301421
+Follow instructions at: Turn on managed profile reporting
+
+## API documentation
+* [Chrome Management API - Profiles](https://developers.google.com/chrome/management/reference/rest/v1/customers.profiles)
+* [Turn on Chrome Browser and Profile Reporting](https://support.google.com/chrome/a/answer/9301421)
+
+## Definitions
+```
+<CustomerID> ::= <String>
+<ChromeProfilePermanentID> ::= <String>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID>
+
+<ChromeProfileFieldName> ::=
+        affiliationstate|
+        annotatedlocation|
+        annotateduser|
+        attestationcredential|
+        profilechannel|
+        profileversion|
+        deviceinfo|
+        displayname|
+        extensioncount|
+        firstenrollmenttime|
+        identityprovider|
+        lastactivitytime|
+        lastpolicyfetchtime|
+        lastpolicysynctime|
+        laststatusreporttime|
+        name|
+        osplatformtype|
+        osplatformversion|
+        osversion|
+        policycount|
+        profileid|
+        profilepermanentid|
+        reportingdata|
+        useremail|
+        userid
+<ChromeProfileFieldNameList> ::= "<ChromeProfileFieldName>(,<ChromeProfileFieldName>)*"
+
+<ChromeProfileOrderByFieldName> ::=
+        affiliationstate|
+        profilechannel|
+        profileversion|
+        displayname|
+        extensioncount|
+        firstenrollmenttime|
+        identityprovider|
+        lastactivitytime|
+        lastpolicysynctime|
+        laststatusreporttime|
+        osplatformtype|
+        osversion|
+        policycount|
+        profileid|
+        useremail
+```
+## Delete Chrome profiles
+```
+gam delete chromeprofile <ChromeProfileName>
+```
+
+## Display Chrome profiles
+```
+gam info chromeprofile <ChromeProfileName>
+        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
+        [formatjson]
+```
+Select the fields to be displayed:
+* `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields
+
+By default, Gam displays the information as an indented list of keys and values:
+- `formatjson` - Display the fields in JSON format.
+
+```
+gam show chromeprofiles
+        [filtertime.* <Time>] [filter <String>]
+        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
+        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
+        [formatjson]
+```
+
+Use these options to select Chrome profiles; if none are chosen, all Chrome profiles in the account are selected:
+* `filter <String>` - Limit profiles to those that match a query
+
+Select the fields to be displayed:
+* `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields
+
+Use the `filtertime<String> <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
+The `filtertime<String> <Time>` value replaces the string `#fiktertime<String>#` in the `filter <String>`.
+The characters following `filtertime` can be any combination of lowercase letters and numbers.
+
+By default, Gam displays the information as an indented list of keys and values:
+- `formatjson` - Display the fields in JSON format.
+
+```
+gam print chromeprofiles [todrive <ToDriveAttribute>*]
+        [filtertime.* <Time>] [filter <String>]
+        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
+        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
+        [[formatjson [quotechar <Character>]]
+```
+
+Use these options to select Chrome profiles; if none are chosen, all Chrome profiles in the account are selected:
+* `filter <String>` - Limit profiles to those that match a query
+
+The first two columns will always `name,profileId`; the remaining field names will be sorted if `sortheaders` is specified;
+otherwise, the remaining field names will appear in the order specified.
+
+Select the fields to be displayed:
+* `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Profile Query Searchable Fields
+
+These are the fields that can be used in a filter:
+```
+affiliationState
+browserChannel
+browserVersion
+displayName
+extensionCount
+firstEnrollmentTime
+identityProvider
+lastActivityTime
+lastPolicySyncTime
+lastStatusReportTime
+osPlatformType
+osVersion
+ouId
+policyCount
+profileId
+userEmail
+```
+Any of the above fields can be used to specify a filter, and filtering by multiple fields is supported with AND operator.
+String type fields and enum type fields support '=' and '!=' operators. Wildcard '*' can be used with a string type field filter.
+The integer type and the timestamp type fields support '=', '!=', '<', '>', '<=' and '>=' operators.
+Timestamps expect an RFC-3339 formatted string (e.g. 2012-04-21T11:30:00-04:00).
+In addition, string literal filtering is also supported, for example, 'ABC' as a filter maps to a filter that checks if any of the filterable string type fields contains 'ABC'.
+
+Organization unit number can be used as a filtering criteria here by specifying 'ouId = <String>', please note that only single OU ID matching is supported.
+
+### Examples
+
+For Windows PowerShell, replace `\"` with ``` `" ```.
+
+Print information about Chrome profiles synced more than 30 days ago:
+
+```
+gam print chromeprofiles filter "lastPolicySyncTime < \"#filtertime1#\"" filtertime1 -30d
+```
+
+Print information about Chrome profiles synced in the last 30 days:
+
+```
+gam print chromeprofiles filter "lastPolicySyncTime >= \"#filtertime1#\"" filtertime1 -30d
+```
+
+Print information about Chrome profiles synced between 45 days ago and 30 days ago:
+
+```
+gam print chromeprofiles filter "lastPolicySyncTime >= \"#filtertime1#\" lastPolicySyncTime <= \"#filtertime2#\"" filtertime1 -45d filtertime2 -30d
+```
+
+Print information about Chrome profiles on Windows.
+```
+gam print chromeprofiles filter "osPlatformType=WINDOWS"
+```
--- a/wiki/Chrome-Version-Counts.md
+++ b/wiki/Chrome-Version-Counts.md
@@ -1,14 +1,11 @@
 # Chrome Version Counts
-
- [Chrome Version Counts](#chrome-version-counts)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome version counts](#display-chrome-version-counts)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome version counts](#display-chrome-version-counts)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeVersions
+* [Chrome Management API - Count Chrome Versions](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeVersions)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Version-History.md
+++ b/wiki/Chrome-Version-History.md
@@ -1,18 +1,15 @@
 # Chrome Version History
-
- [Chrome Version History](#chrome-version-history)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Display Chrome platforms](#display-chrome-platforms)
-  - [Display Chrome channels](#display-chrome-channels)
-  - [Display Chrome versions](#display-chrome-versions)
-  - [Display Chrome releases](#display-chrome-releases)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Display Chrome platforms](#display-chrome-platforms)
+- [Display Chrome channels](#display-chrome-channels)
+- [Display Chrome versions](#display-chrome-versions)
+- [Display Chrome releases](#display-chrome-releases)

 ## API documentation
-
-* https://developer.chrome.com/docs/versionhistory/guide/
-* https://developer.chrome.com/docs/versionhistory/reference/#filter
-* https://developer.chrome.com/docs/versionhistory/reference/#order
+* [Version History API](https://developer.chrome.com/docs/versionhistory/guide)
+* [Version Filter](https://developer.chrome.com/docs/versionhistory/reference/#filter)
+* [Version Orderby](https://developer.chrome.com/docs/versionhistory/reference/#order)

 ## Definitions
 ```
--- a/wiki/ChromeOS-Devices.md
+++ b/wiki/ChromeOS-Devices.md
@@ -1,45 +1,42 @@
 # ChromeOS Devices
-
- [ChromeOS Devices](#chromeos-devices)
-  - [API documentation](#api-documentation)
-  - [Query documentation](#query-documentation)
-  - [Notes](#notes)
-  - [Definitions](#definitions)
-  - [CrOS Query Searchable Fields](#cros-query-searchable-fields)
-  - [ChromeOS device update OU error handling](#chromeos-device-update-ou-error-handling)
-  - [Manage ChromeOS devices](#manage-chromeos-devices)
-    - [Example: Move CrOS devices from one OU to another](#example-move-cros-devices-from-one-ou-to-another)
-    - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
-  - [Add ChromeOS devices to an organizational unit](#add-chromeos-devices-to-an-organizational-unit)
-    - [Example: Add ChromeOS devices to a single OU](#example-add-chromeos-devices-to-a-single-ou)
-    - [Example: Add ChromeOS devices to multiple OUs](#example-add-chromeos-devices-to-multiple-ous)
-  - [Action ChromeOS devices](#action-chromeos-devices)
-  - [Send remote commands to ChromeOS devices](#send-remote-commands-to-chromeos-devices)
-    - [Action Examples](#action-examples)
-  - [ChromeOS device lists](#chromeos-device-lists)
-  - [Display information about ChromeOS devices](#display-information-about-chromeos-devices)
-  - [Print ChromeOS devices](#print-chromeos-devices)
-    - [Print no header row and deviceId for specified CrOS devices](#print-no-header-row-and-deviceid-for-specified-cros-devices)
-    - [Print a header row and fields for selected CrOS devices](#print-a-header-row-and-fields-for-selected-cros-devices)
-    - [Print a header row and fields for specified CrOS devices](#print-a-header-row-and-fields-for-specified-cros-devices)
-    - [Display Examples](#display-examples)
-    - [Display CrOS device counts](#display-cros-device-counts)
-  - [Print ChromeOS device activity](#print-chromeos-device-activity)
-    - [Print a header row and activity for selected CrOS devices](#print-a-header-row-and-activity-for-selected-cros-devices)
-    - [Print a header row and activity for specified CrOS devices](#print-a-header-row-and-activity-for-specified-cros-devices)
-  - [Download a ChromeOS device file](#download-a-chromeos-device-file)
-    - [Download Examples](#download-examples)
-  - [Display ChromeOS telemetry data](#display-chromeos-telemetry-data)
-  - [Check ChromeOS device serial number validity](#check-chromeos-device-serial-number-validity)
+- [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
+- [Notes](#notes)
+- [Definitions](#definitions)
+- [CrOS Query Searchable Fields](#cros-query-searchable-fields)
+- [ChromeOS device update OU error handling](#chromeos-device-update-ou-error-handling)
+- [Manage ChromeOS devices](#manage-chromeos-devices)
+  - [Example: Move CrOS devices from one OU to another](#example-move-cros-devices-from-one-ou-to-another)
+  - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
+- [Add ChromeOS devices to an organizational unit](#add-chromeos-devices-to-an-organizational-unit)
+  - [Example: Add ChromeOS devices to a single OU](#example-add-chromeos-devices-to-a-single-ou)
+  - [Example: Add ChromeOS devices to multiple OUs](#example-add-chromeos-devices-to-multiple-ous)
+- [Action ChromeOS devices](#action-chromeos-devices)
+- [Send remote commands to ChromeOS devices](#send-remote-commands-to-chromeos-devices)
+  - [Action Examples](#action-examples)
+- [ChromeOS device lists](#chromeos-device-lists)
+- [Display information about ChromeOS devices](#display-information-about-chromeos-devices)
+- [Print ChromeOS devices](#print-chromeos-devices)
+  - [Print no header row and deviceId for specified CrOS devices](#print-no-header-row-and-deviceid-for-specified-cros-devices)
+  - [Print a header row and fields for selected CrOS devices](#print-a-header-row-and-fields-for-selected-cros-devices)
+  - [Print a header row and fields for specified CrOS devices](#print-a-header-row-and-fields-for-specified-cros-devices)
+  - [Display Examples](#display-examples)
+  - [Display CrOS device counts](#display-cros-device-counts)
+- [Print ChromeOS device activity](#print-chromeos-device-activity)
+  - [Print a header row and activity for selected CrOS devices](#print-a-header-row-and-activity-for-selected-cros-devices)
+  - [Print a header row and activity for specified CrOS devices](#print-a-header-row-and-activity-for-specified-cros-devices)
+- [Download a ChromeOS device file](#download-a-chromeos-device-file)
+  - [Download Examples](#download-examples)
+- [Display ChromeOS telemetry data](#display-chromeos-telemetry-data)
+- [Check ChromeOS device serial number validity](#check-chromeos-device-serial-number-validity)

 ## API documentation
-
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/chromeosdevices
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.telemetry.devices
+* [Directory API ChromeOS Devices](https://developers.google.com/admin-sdk/directory/reference/rest/v1/chromeosdevices)
+* [Chrome Management API - Device Telemetry](https://developers.google.com/chrome/management/reference/rest/v1/customers.telemetry.devices)

 ## Query documentation
-* https://developers.google.com/admin-sdk/directory/v1/list-query-operators
-* https://support.google.com/chrome/a/answer/1698333
+* [Search ChromeOS Devices](https://developers.google.com/admin-sdk/directory/v1/list-query-operators)
+* [View ChromeOS Device List and Details](https://support.google.com/chrome/a/answer/1698333)

 Undocumented API query terms.
 ```
@@ -58,7 +55,8 @@ update_status:default_os_up_to_date|pending_update|os_image_download_not_started
 ```
 ## Notes

-The `crostelemetry` commands were added in 6.13.04; to use them you must authorize an additional scope:
+To use the `crostelemetry` commands you must authorize an additional scope:
+
 * `Chrome Management API - Telemetry read only`
 ```
 gam oauth create
@@ -86,7 +84,7 @@ The second form is backwards compatible with Legacy GAM and selection with `<CrO
 <SerialNumberList> ::= "<SerialNumber>(,<SerialNumber>)*"
 <SerialNumberEntity> ::=
        <SerialNumberList> | <FileSelector> | <CSVFileSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items

 <CrOSEntity> ::=
        <CrOSIDList> | (cros_sn <SerialNumberList>) |
@@ -476,7 +474,7 @@ Remove profiles using the annotatedAssetID, which is a user editable field, in t
 ```
 gam cros_query "asset_id:CB1234" issuecommand command wipe_users doit
 ```
-For multiple devices you can sepatete each asset ID with a comma 
+For multiple devices you can separate each asset ID with a comma 
 ```
 gam cros_queries "asset_id:CB1234,asset_id:CB5678" issuecommand command wipe_users doit
 ```
--- a/wiki/Classroom-Courses.md
+++ b/wiki/Classroom-Courses.md
@@ -18,14 +18,14 @@
 - [Display course submissions](#display-course-submissions)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/
-* https://developers.google.com/classroom/reference/rest/v1/courses.students
-* https://developers.google.com/classroom/reference/rest/v1/courses.teachers
-* https://developers.google.com/classroom/reference/rest/v1/courses.announcements/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.topics/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.courseWork/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.courseWorkMaterials/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.courseWork.studentSubmissions/list
+* [Google Classroom API](https://developers.google.com/classroom/reference/rest)
+* [Google Classroom API - Courses Students](https://developers.google.com/classroom/reference/rest/v1/courses.students)
+* [Google Classroom API - Courses Teachers](https://developers.google.com/classroom/reference/rest/v1/courses.teachers)
+* [Google Classroom API - Announcements](https://developers.google.com/classroom/reference/rest/v1/courses.announcements/list)
+* [Google Classroom API - Topics](https://developers.google.com/classroom/reference/rest/v1/courses.topics/list)
+* [Google Classroom API - Course Work](https://developers.google.com/classroom/reference/rest/v1/courses.courseWork/list)
+* [Google Classroom API - Course Work Materials](https://developers.google.com/classroom/reference/rest/v1/courses.courseWorkMaterials/list)
+* [Google Classroom API - Course Work Student Submissions](https://developers.google.com/classroom/reference/rest/v1/courses.courseWork.studentSubmissions/list)

 ## Notes
 In this document, `course materials` refers to stand-alone materials, not the materials associated with
@@ -44,54 +44,60 @@ gam user user@domain.com check|update serviceaccount
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>

+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+
 <CourseAlias> ::= <String>
 <CourseAliasList> ::= "<CourseAlias>(,<CourseAlias>)*"
 <CourseAliasEntity> ::=
        <CourseAliasList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseAnnouncementID> ::= <Number>
 <CourseAnnouncementIDList> ::= "<CourseAnnouncementID>(,<CourseAnnouncementID>)*"
 <CourseAnnouncementIDEntity> ::=
        <CourseAnnouncementIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVSubkeySelector>|<CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseAnnouncementState> ::= draft|published|deleted
 <CourseAnnouncementStateList> ::= all|"<CourseAnnouncementState>(,<CourseAnnouncementState>)*"
 <CourseID> ::= <Number>|d:<CourseAlias>
 <CourseIDList> ::= "<CourseID>(,<CourseID>)*"
 <CourseEntity> ::=
        <CourseIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseMaterialID> ::= <Number>
 <CourseMaterialIDList> ::= "<CourseMaterialID>(,<CourseMaterialID>)*"
 <CourseMaterialState> ::= draft|published|deleted
 <CourseMaterialStateList> ::= all|"<CourseMaterialState>(,<CourseMaterialState>)*"
 <CourseMaterialIDEntity> ::=
        <CourseMaterialIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseState> ::= active|archived|provisioned|declined|suspended
 <CourseStateList> ::= all|"<CourseState>(,<CourseState>)*"
 <CourseSubmissionID> ::= <Number>
 <CourseSubmissionIDList> ::= "<CourseSubmissionID>(,<CourseSubmissionID>)*"
 <CourseSubmissionIDEntity> ::=
        <CourseSubmissionIDList>|<FileSelector>|<CSVFileSelector>|<CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseSubmissionState> ::= new|created|turned_in|returned|reclaimed_by_student
 <CourseSubmissionStateList> ::= all|"<CourseSubmissionState>(,<CourseSubmissionState>)*"
 <CourseTopic> ::= <String>
 <CourseTopicList> ::= "<CourseTopic>(,<CourseTopic>)*"
 <CourseTopicEntity> ::=
        <CourseTopicList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseTopicID> ::= <Number>
 <CourseTopicIDList> ::= "<CourseTopicID>(,<CourseTopicID>)*"
 <CourseTopicIDEntity> ::=
        <CourseTopicIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVSubkeySelector>|<CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseWorkID> ::= <Number>
 <CourseWorkIDList> ::= "<CourseWorkID>(,<CourseWorkID>)*"
 <CourseWorkIDEntity> ::=
        <CourseWorkIDList>|<FileSelector>|<CSVFileSelector>|<CSVkmdSelector>|<CSVSubkeySelector>|<CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseWorkState> ::= draft|published|deleted
 <CourseWorkStateList> ::= all|"<CourseWorkState>(,<CourseWorkState>)*"

@@ -239,24 +245,14 @@ See: [Lists and Collections](Lists-and-Collections)
 When updating a course owner, the Classroom API generates an error if the new owner is not a co-teacher
 or is the current owner.

-Prior to version 5.31.08, if `<UserItem>` was not a co-teacher, you got this error:
-```
-$ gam update course 123929046789 teacher newteacher@domain.com
-Course: 123929046789, Update Failed: @IneligibleOwner Only a co-teacher can be invited as owner of the course
-```
-GAM now adds `<UserItem>` as a co-teacher of the course, pauses 10 seconds, and then updates them to be the owner.
+If `<UserItem>` is not a co-teacher, GAM adds `<UserItem>` as a co-teacher of the course,
+pauses 10 seconds, and then updates them to be the owner.
 ```
 $ gam update course 123929046789 teacher newteacher@domain.com
 Course Name: Test, Course: 123929046789, Updated with new teacher as owner: newteacher@domain.com
 ```

-Prior to version 5.31.08, if `<UserItem>` is the current owner, you got this error:
-```
-$ gam update course 123929046789 teacher newteacher@domain.com
-Course: 123929046789, Update Failed: @UserAlreadyOwner Cannot transfer course to the user who is already the owner
-
-```
-GAM now reports that the current owner was retained.
+If `<UserItem>` is the current owner, GAM now reports that the current owner was retained.
 ```
 $ gam update course 123929046789 teacher newteacher@domain.com
 Course Name: Test, Course: 123929046789, Updated with current owner: newteacher@domain.com
@@ -413,7 +409,7 @@ gam info courses <CourseEntity> [owneremail] [alias|aliases] [show all|students|

 gam print courses [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
-        [owneremail] [owneremailmatchpattern <RegularExpression>]
+        [owneremail] [owneremailmatchpattern <REMatchPattern>]
        [alias|aliases|aliasesincolumns [delimiter <Character>]]
        [show all|students|teachers] [countsonly]
        [fields <CourseFieldNameList>] [skipfields <CourseFieldNameList>] [formatjson [quotechar <Character>]]
@@ -424,7 +420,7 @@ By default, the `print courses` command displays information about all courses.
 To get information about a specific set of courses, use the following option; it can be repeated to select multiple courses.
 * `(course|class <CourseEntity>)*` - Display courses with the IDs specified in `<CourseEntity>`.

-To get information about courses based on its owner's emailaddress, use the `owneremailmatchpattern <RegularExpression>` option.
+To get information about courses based on its owner's emailaddress, use the `owneremailmatchpattern <REMatchPattern>` option.
 * `foo@bar.com` - Display courses with a specific owner emailaddress.
 * `.*test.*` - Display courses with an owner emailaddress that matches a pattern.
 * `Unknown user` - Display courses where the owner emailaddress has been deleted.
@@ -467,7 +463,7 @@ Display the number of courses.
 ```
 gam print courses
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
-        [owneremailmatchpattern <RegularExpression>]
+        [owneremailmatchpattern <REMatchPattern>]
        showitemcountonly
 ```
 Example
--- a/wiki/Classroom-Guardians.md
+++ b/wiki/Classroom-Guardians.md
@@ -10,8 +10,8 @@
 - [Display guardians, CSV format](#display-guardians-csv-format)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardianInvitations
-* https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardians
+* [Classroom API - User Profile Guardian Invitations](https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardianInvitations)
+* [Classroom API - User Profile Guardians](https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardians)

 ## Definitions
 ```
@@ -22,13 +22,13 @@
 <GuardianItemList> ::= "<GuardianItem>(,<GuardianItem>)*"
 <GuardianEntity> ::=
        <GuardianList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <StudentItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GuardianInvitationID> ::= <String>
 <GuardianInvitationIDList> ::= "<GuardianInvitationId>(,<GuardianInvitationID>)*"
 <GuardianInvitationIDEntity> ::=
        <GuardianInvitationIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GuardianState> ::= complete|pending
 <GuardianStateList> ::= "<GuardianState>(,<GuardianState>)*"
 ```
--- a/wiki/Classroom-Invitations.md
+++ b/wiki/Classroom-Invitations.md
@@ -10,18 +10,18 @@
 - [Display classroom invitations by course](#display-classroom-invitations-by-course)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/v1/invitations
+* [Classroom API - Invitations](https://developers.google.com/classroom/reference/rest/v1/invitations)

 ## Notes

 You must authorize an additional Service Account scope to use these commands.
 Do this command; sustitute a valid email address for user@domain.com.
 ```
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
-You should see the following scope fail:
+You should enable:
 ```
-Scope: https://www.googleapis.com/auth/classroom.rosters           , Checked: FAIL (6/15)
+[*] 17)  Classroom API - Rosters (supports readonly)
 ```
 Follow the directions to authorize the Service Account scopes.

@@ -34,13 +34,13 @@ Follow the directions to authorize the Service Account scopes.
 <ClassroomInvitationIDList> ::= "<ClassroomInvitationID>(,<ClassroomInvitationID>)*"
 <ClassroomInvitationIDEntity> ::=
        <ClassroomInvitationIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseAlias> ::= <String>
 <CourseID> ::= <Number>|d:<CourseAlias>
 <CourseIDList> ::= "<CourseID>(,<CourseID>)*"
 <CourseEntity> ::=
        <CourseIDList> | <FileSelector> | <CSVFileSelector | <CSVkmdSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseState> ::= active|archived|provisioned|declined|suspended
 <CourseStateList> ::= all|"<CourseState>(,<CourseState>)*"
 ```
--- a/wiki/Classroom-Membership.md
+++ b/wiki/Classroom-Membership.md
@@ -9,9 +9,9 @@
 - [Display course membership counts](#display-course-membership-counts)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/
-* https://developers.google.com/classroom/reference/rest/v1/courses.students
-* https://developers.google.com/classroom/reference/rest/v1/courses.teachers
+* [Google Classroom API](https://developers.google.com/classroom/reference/rest)
+* [Google Classroom API - Courses Students](https://developers.google.com/classroom/reference/rest/v1/courses.students)
+* [Google Classroom API - Courses Teachers](https://developers.google.com/classroom/reference/rest/v1/courses.teachers)

 ## Definitions
 ```
@@ -25,7 +25,7 @@
 <CourseIDList> ::= "<CourseID>(,<CourseID>)*"
 <CourseEntity> ::=
        <CourseIDList> | <FileSelector> | <CSVFileSelector | <CSVkmdSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <CourseState> ::= active|archived|provisioned|declined|suspended
 <CourseStateList> ::= all|"<CourseState>(,<CourseState>)*"
 ```
--- a/wiki/Cloud-Channel.md
+++ b/wiki/Cloud-Channel.md
@@ -9,8 +9,8 @@
 - [Display Channel SKUs](#display-channel-skus)

 ## API documentation
-* https://cloud.google.com/channel/docs/reference/rest
-* https://cloud.google.com/channel/docs/concepts/google-cloud/filter-customers
+* [Cloud Channel API](https://cloud.google.com/channel/docs/reference/rest)
+* [Filter Customers](https://cloud.google.com/channel/docs/concepts/google-cloud/filter-customers)

 ## Notes
 To use these commands you must add the 'Cloud Channel API' to your project and update your client authorization.
--- a/wiki/Cloud-Identity-Devices.md
+++ b/wiki/Cloud-Identity-Devices.md
@@ -21,14 +21,14 @@
 - [Update device user client state](#update-device-user-client-state)

 ## API documentation
-* https://cloud.google.com/identity/docs/reference/rest/v1/devices
-* https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers
-* https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers.clientStates
-* https://cloud.google.com/endpoint-verification/docs/overview
+* [Cloud Identity API - Devices](https://cloud.google.com/identity/docs/reference/rest/v1/devices)
+* [Cloud Identity API - Device Users](https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers)
+* [Cloud Identity API - Device User Client States](https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers.clientStates)
+* [Endpoint Verification](https://cloud.google.com/endpoint-verification/docs/overview)

 ## Query documentation
-* https://developers.google.com/admin-sdk/directory/v1/search-operators
-* https://support.google.com/a/answer/7549103
+* [Filters](https://support.google.com/a/answer/7549103)
+* [Device Search Fields](https://developers.google.com/admin-sdk/directory/v1/search-operators)

 ## Definitions
 ```
@@ -57,11 +57,13 @@
        buildnumber|
        compromisedstate|
        createtime|
+        deviceid|
        devicetype|
        enableddeveloperoptions|
        enabledusbdebugging|
        endpointverificationspecificattributes|
        encryptionstate|
+        hostname|
        imei|
        kernelversion|
        lastsynctime|
@@ -77,6 +79,7 @@
        releaseversion|
        securitypatchtime|
        serialnumber|
+        unifieddeviceid|
        wifimacaddresses
 <DeviceFieldNameList> ::= "<DeviceFieldName>(,<DeviceFieldName>)*"

--- a/wiki/Cloud-Identity-Groups-Membership.md
+++ b/wiki/Cloud-Identity-Groups-Membership.md
@@ -1,8 +1,6 @@
 # Cloud Identity Groups - Membership
 - [API documentation](#api-documentation)
 - [Query documentation](#query-documentation)
- [Cloud Identity Group Documentation](#cloud-identity-group-documentation)
- [Security Group Documentation](#security-group-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Notes](#Notes)
@@ -18,18 +16,15 @@
 - [Display group membership in hierarchical format](#display-group-membership-in-hierarchical-format)

 ## API documentation
-* https://cloud.google.com/identity/docs/groups
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships
+* [Cloud Identity Groups Overview](https://cloud.google.com/identity/docs/groups)
+* [Cloud Identity Groups API - Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups)
+* [Cloud Identity Groups API - Membership](https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships)
+* [Cloud Identity Groups](https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html)
+* [Security Groups](https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html)

 ## Query documentation
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
-
-## Cloud Identity Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
-
-## Security Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html
+* [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
+* [Member Restrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)

 ## Notes

@@ -56,6 +51,10 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require

 ## Definitions
 ```
+<DeviceId> ::= <String>
+<CBCMBrowser> ::= id:cbcm-browser.<DeviceId>
+<ChromeOSDevice> ::= id:chrome-os-device.<DeviceId>
+<BrowserDeviceList> ::= "(<CBCMBrowser>|<ChromeOSDevice>)(,(<CBCMBrowser>|<ChromeOSDevice>))*"
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
@@ -63,27 +62,33 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
 <GroupList> ::= "<GroupItem>(,<GroupItem>)*"
 <GroupEntity> ::=
        <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
-<CIGroupType> ::= customer|group|other|serviceaccount|user
-<CIGroupTypeList> ::= "<CIGroupType>(,<CIGroupType>)*"
+<CIGroupMemberType> ::= cbcmbrowser|chromeosdevice|customer|group|other|serviceaccount|user
+<CIGroupMemberTypeList> ::= "<CIGroupMemberType>(,<CIGroupMemberType>)*"

 <CIGroupMembersFieldName> ::=
        createtime
+        email|useremail|
        expiretime|
        memberkey|
        name|
        preferredmemberkey|
        role|
        type|
-        updatetime|
-        useremail
+        updatetime
 <CIGroupMembersFieldNameList> ::= "<CIGroupMembersFieldName>(,<CIGroupMembersFieldName>)*"
+
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
 ```

 ## Collections of Users
-Group membership commands involve specifying collections of users;
+Group membership commands involve specifying collections of users or lists of browsers/devices;
 for `<UserTypeEntity>`, see: [Collections of Users](Collections-of-Users)

 ## Add members to a group
@@ -92,7 +97,7 @@ gam update cigroups <GroupEntity> create|add [<GroupRole>]
        [usersonly|groupsonly]
        [notsuspended|suspended] [notarchived|archived]
        [expire|expires <Time>] [preview] [actioncsv]
-        <UserTypeEntity>
+        <UserTypeEntity>|<BrowserDeviceList>
 ```
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are added
@@ -136,7 +141,7 @@ gam update cigroups <GroupEntity> delete|remove [<GroupRole>]
        [usersonly|groupsonly]
        [notsuspended|suspended] [notarchived|archived]
        [preview] [actioncsv]
-        <UserTypeEntity>
+        <UserTypeEntity>|<BrowserDeviceList>
 ```
 `<GroupRole>` is ignored, deletions take place regardless of role.

@@ -227,7 +232,7 @@ If `actioncsv` is specified, a CSV file with columns `group,email,role,action,me
 that shows the actions performed when updating the group.

 ### Examples using CSV file and Google sheets:
-* https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Users#examples-using-csv-files-and-google-sheets-to-update-the-membership-of-a-group
+* https://github.com/GAM-team/GAM/wiki/Collections-of-Users#examples-using-csv-files-and-google-sheets-to-update-the-membership-of-a-group

 ### Example
 Assume that at your school there is a group for each grade level and the members come from an OU; here is a sample CSV file GradeOU.csv
@@ -263,7 +268,7 @@ testgroup@domain.com,testuser4@domain.com,MEMBER,Added,Success
 ```
 gam update cigroups <GroupEntity> clear [member] [manager] [owner]
        [usersonly|groupsonly]
-        [emailclearpattern|emailretainpattern <RegularExpression>]
+        [emailclearpattern|emailretainpattern <REMatchPattern>]
        [preview] [actioncsv]
 ```
 If none of `member`, `manager`, or `owner` are specified, `member` is assumed.
@@ -273,8 +278,8 @@ By default, when clearing members from a group, all members, whether users or gr
 * `groupsonly` - Clear only the group members

 Members that have met the above qualifications to be cleared can be further qualifed by their email address.
-* `emailclearpattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be cleared; others will be retained
-* `emailretainpattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be retained; others will be cleared
+* `emailclearpattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be cleared; others will be retained
+* `emailretainpattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be retained; others will be cleared

 If `preview` is specified, the deletes will be previewed but not executed.

@@ -346,13 +351,14 @@ gam info cimember <UserTypeEntity> <GroupEntity>
 ```
 gam print cigroup-members [todrive <ToDriveAttribute>*]
        [(cimember|showownedby <UserItem>)|(cigroup <GroupItem>)|(select <GroupEntity>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
        [roles <GroupRoleList>] [members] [managers] [owners]
-        [types <CIGroupTypeList>]
+        [types <CIGroupMemberTypeList>]
        <CIGroupMembersFieldName>* [fields <CIGroupMembersFieldNameList>]
-        [(recursive [noduplicates])||includederivedmembership] [nogroupeemail]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
+        [minimal|basic|full]
+        [(recursive [noduplicates]) | |includederivedmembership] [nogroupeemail]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
 ```
 By default, the group membership of all groups in the account are displayed, these options allow selection of subsets of groups:
 * `cimember <UserItem>` - Limit display to groups that contain `<UserItem>` as a member
@@ -361,12 +367,12 @@ By default, the group membership of all groups in the account are displayed, the
 * `select <GroupEntity>` - Limit display to the groups specified in `<GroupEntity>`

 These options further limit the list of groups selected above:
-* `emailmatchpattern <RegularExpression>` - Limit display to groups whose email address matches `<RegularExpression>`
-* `emailmatchpattern not <RegularExpression>` - Limit display to groups whose email address does not match `<RegularExpression>`
-* `namematchpattern <RegularExpression>` - Limit display to groups whose name matches `<RegularExpression>`
-* `namematchpattern not <RegularExpression>` - Limit display to groups whose name does not match `<RegularExpression>`
-* `descriptionmatchpattern <RegularExpression>` - Limit display to groups whose description matches `<RegularExpression>`
-* `descriptionmatchpattern not <RegularExpression>` - Limit display to groups whose description does not match `<RegularExpression>`
+* `emailmatchpattern <REMatchPattern>` - Limit display to groups whose email address matches `<REMatchPattern>`
+* `emailmatchpattern not <REMatchPattern>` - Limit display to groups whose email address does not match `<REMatchPattern>`
+* `namematchpattern <REMatchPattern>` - Limit display to groups whose name matches `<REMatchPattern>`
+* `namematchpattern not <REMatchPattern>` - Limit display to groups whose name does not match `<REMatchPattern>`
+* `descriptionmatchpattern <REMatchPattern>` - Limit display to groups whose description matches `<REMatchPattern>`
+* `descriptionmatchpattern not <REMatchPattern>` - Limit display to groups whose description does not match `<REMatchPattern>`

 By default, all members, managers and owners in the group are displayed; these options modify that behavior:
 * `roles <GroupRoleList>` - Display specified roles
@@ -374,26 +380,31 @@ By default, all members, managers and owners in the group are displayed; these o
 * `managers` - Display managers
 * `owners` - Display owners

-By default, all types of members (customer, group, serviceaccoun, user) in the group are displayed; when `recursive` is specified,
-the default is to only display type user members. This option modifies those behaviors:
-* `types <CIGroupTypeList>` - Display specified types
+By default, all types of members (cbcmbrowser, chromeosdevice, customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
+* `types <CIGroupMemberTypeList>` - Display specified types
+
+By default, members that are groups are displayed as a single entry of type GROUP; this option recursively expands group members to display their user members.
+* `recursive` - Recursively expand group members
+
+When `recursive` is specified, the default is to only display type user members; this option modifies those behaviors:
+* `types <GroupMemberTypeList>` - Display specified types

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, the ID, role, email address, type, createTime, updateTime and expireTime of each member is displayed along with the group email address;
 these options specify which fields to display:
 * `<CIGroupMembersFieldName>*` - Individual field names
 * `fields <CIGroupMembersFieldNameList>` - A comma separated list of field names

+You can control the fields displayed:
+* `minimal` - Fields displayed: group, id, role, email
+* `basic` - Fields displayed: group, type, id, role, email, expireTime
+* `full` - Fields displayed: group, type, id, role, email, createTime, updateTime, expireTime; this is the default
+
 By default, the group email address is always shown, you can suppress it with the `nogroupemail` option.

-By default, members that are groups are displayed as a single entry of type GROUP; this option recursively expands group members to display their user members.
-* `recursive` - Recursively expand group members
-
-The `recursive` option does not expand or display members of type CUSTOMER.
-
 The `recursive` option adds two columns, level and subgroup, to the output:
 * `level` - At what level of the expansion does the user appear; level 0 is the top level
 * `subgroup` - The group that contained the user
@@ -421,13 +432,13 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ```
 gam show cigroup-members
        [(cimember|showownedby <UserItem>)|(cigroup <GroupItem>)|(select <GroupEntity>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
-        [roles <GroupRoleList>] [members] [managers] [owners] [depth <Number>]
-        [types <CIGroupTypeList>]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
-        [includederivedmembership]
-        [formatjson [quotechar <Character>]]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
+        [roles <GroupRoleList>] [members] [managers] [owners]
+        [types <CIGroupMemberTypeList>]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
+        [minimal|basic|full]
+        [(depth <Number>) | includederivedmembership]
 ```
 By default, the group membership of all groups in the account are displayed, these options allow selection of subsets of groups:
 * `cimember <UserItem>` - Limit display to groups that contain `<UserItem>` as a member
@@ -436,12 +447,12 @@ By default, the group membership of all groups in the account are displayed, the
 * `select <GroupEntity>` - Limit display to the groups specified in `<GroupEntity>`

 These options further limit the list of groups selected above:
-* `emailmatchpattern <RegularExpression>` - Limit display to groups whose email address matches `<RegularExpression>`
-* `emailmatchpattern not <RegularExpression>` - Limit display to groups whose email address does not match `<RegularExpression>`
-* `namematchpattern <RegularExpression>` - Limit display to groups whose name matches `<RegularExpression>`
-* `namematchpattern not <RegularExpression>` - Limit display to groups whose name does not match `<RegularExpression>`
-* `descriptionmatchpattern <RegularExpression>` - Limit display to groups whose description matches `<RegularExpression>`
-* `descriptionmatchpattern not <RegularExpression>` - Limit display to groups whose description does not match `<RegularExpression>`
+* `emailmatchpattern <REMatchPattern>` - Limit display to groups whose email address matches `<REMatchPattern>`
+* `emailmatchpattern not <REMatchPattern>` - Limit display to groups whose email address does not match `<REMatchPattern>`
+* `namematchpattern <REMatchPattern>` - Limit display to groups whose name matches `<REMatchPattern>`
+* `namematchpattern not <REMatchPattern>` - Limit display to groups whose name does not match `<REMatchPattern>`
+* `descriptionmatchpattern <REMatchPattern>` - Limit display to groups whose description matches `<REMatchPattern>`
+* `descriptionmatchpattern not <REMatchPattern>` - Limit display to groups whose description does not match `<REMatchPattern>`

 By default, all members, managers and owners in the group are displayed; these options modify that behavior:
 * `roles <GroupRoleList>` - Display specified roles
@@ -449,12 +460,12 @@ By default, all members, managers and owners in the group are displayed; these o
 * `managers` - Display managers
 * `owners` - Display owners

-By default, all types of members (customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
-* `types <CIGroupTypeList>` - Display specified types
+By default, all types of members (cbcmbrowser, chromeosdevice, customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
+* `types <CIGroupMemberTypeList>` - Display specified types

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, members of type GROUP are recursively expanded to show their constituent members. (Members of
 type CUSTOMER are not expanded.) The `depth <Number>` argument controls the depth to which nested groups are displayed.
@@ -469,6 +480,11 @@ has in any constituent group, it is not necessarily its role in the top group.
 The options `types user` and `includederivedmembership types user` return the same list of users.
 The `includederivedmembership` option makes less API calls but doesn't show hierarchy.

+You can control the fields displayed:
+* `minimal` - Fields displayed: role, email
+* `basic` - Fields displayed: type, role, email, expireTime
+* `full` - Fields displayed: type, role, email, createTime, updateTime, expireTime; this is the default
+
 ### Display group structure
 To see a group's structure of nested groups use the `type group` option.
 ```
@@ -482,5 +498,5 @@ Group: testgroup5@domain.com
 ```
 To show the structure of all groups you can do the following; it will be time consuming for a large number of groups.
 ```
-gam redirect stdout ./groups.txt show group-members types group
-```
+gam redirect stdout ./groups.txt show cigroup-members types group
+```
--- a/wiki/Cloud-Identity-Groups.md
+++ b/wiki/Cloud-Identity-Groups.md
@@ -1,9 +1,7 @@
 # Cloud Identity Groups
 - [API documentation](#api-documentation)
- [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Query documentation](#query-documentation)
- [Cloud Identity Group Documentation](#cloud-identity-group-documentation)
- [Security Group Documentation](#security-group-documentation)
+- [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Notes](#Notes)
 - [Definitions](#definitions)
 - [Manage groups](#manage-groups)
@@ -12,24 +10,29 @@
 - [Display group counts](#display-group-counts)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups
-* https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups
-* https://cloud.google.com/identity/docs/groups
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups
-* https://support.google.com/a/answer/11192679
+* [Cloud Identity Groups Overview](https://cloud.google.com/identity/docs/groups)
+* [Create and Manage Groups uning API](https://support.google.com/a/answer/10427204)
+* [Cloud Identity Groups API - Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups)
+* [Restrict Group Membership](https://support.google.com/a/answer/11192679)
+* [Lock Groups Beta](https://workspaceupdates.googleblog.com/2024/12/locked-groups-open-beta.html)
+* [Cloud Identity Groups](https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html)
+* [Security Groups](https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html)

 ## Query documentation
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
-* https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction
-
-## Cloud Identity Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
-
-## Security Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html
+* [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
+* [Member REstrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)

 ## Notes

+In version 7.02.01 options `locked` and `unlocked` wre added to `gam update cigroups` that allow locking groups.
+
+* See: https://workspaceupdates.googleblog.com/2024/12/locked-groups-open-beta.html
+
+You'll have to do a `gam oauth create` and enable the following scope to use these options:
+```
+[*] 22)  Cloud Identity Groups API Beta (Enables group locking/unlocking)
+```
+
 In the Admin Directory API a group has the following characteristics:
 * `id` - The unique ID of a group
 * `email` - The group's email address
@@ -60,11 +63,11 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
 <GroupList> ::= "<GroupItem>(,<GroupItem>)*"
 <GroupEntity> ::=
        <GroupList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
+        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
-<CIGroupType> ::= customer|group|other|serviceaccount|user
-<CIGroupTypeList> ::= "<CIGroupType>(,<CIGroupType>)*"
+<CIGroupMemberType> ::= cbcmbrowser|customer|group|other|serviceaccount|user
+<CIGroupMemberTypeList> ::= "<CIGroupMemberType>(,<CIGroupMemberType>)*"
 <QueryDynamicGroup> ::= <String>
        See: https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
 <QueryMemberRestrictions> ::= <String>
@@ -72,6 +75,12 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require

 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |

+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+
 <GroupSettingsAttribute> ::=
        (allowexternalmembers <Boolean>)|
        (allowwebposting <Boolean>)|
@@ -231,11 +240,17 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
 These commands allow you to create, update and delete groups. They use the Admin SDK Groups Settings API
 to set `<GroupAttribute>`.
 ```
-gam create cigroup <EmailAddress> [copyfrom <GroupItem>] <GroupAttribute>
-        [makeowner]
-        [alias|aliases <EmailAddressList>] [dynamic <QueryDynamicGroup>]
+gam create cigroup <EmailAddress>
+        [copyfrom <GroupItem>] <GroupAttribute>*
+        [makeowner] [alias|aliases <CIGroupAliasList>]
+        [security|makesecuritygroup]
+        [dynamic <QueryDynamicGroup>]
 gam update cigroup <GroupEntity> [copyfrom <GroupItem>] <GroupAttribute>
-        [makesecuritygroup|security] [makedynamicsecuritygroup|dynamicsecurity] [dynamic <QueryDynamicGroup>]
+        [security|makesecuritygroup|
+         dynamicsecurity|makedynamicsecuritygroup|
+         lockedsecurity|makelockedsecuritygroup]
+        [locked|unlocked]
+        [dynamic <QueryDynamicGroup>]
        [memberrestrictions <QueryMemberRestrictions>]
 gam delete cigroups <GroupEntity>
 ```
@@ -259,8 +274,9 @@ gam info cigroups <GroupEntity>
        [nosecurity|nosecuritysettings]
        [allfields|<CIGroupFieldName>*|(fields <CIGroupFieldNameList>)]
        [roles <GroupRoleList>] [members] [managers] [owners]
-        [types <CIGroupTypeList>]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
+        [internal] [internaldomains <DomainNameList>] [external]
+        [types <CIGroupMemberTypeList>]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
        [formatjson]
 ```

@@ -272,11 +288,19 @@ By default, all direct members, managers and owners in the group are displayed;
 * `membertree` - Display all roles; expand all groups

 By default, when displaying members from a group, all types of members (customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
-* `types <CIGroupTypeList>` - Display specified types
+* `types <CIGroupMemberTypeList>` - Display specified types
+
+By default, when listing group members, GAM does not take the domain of the member into account.
+* `internal internaldomains <DomainNameList>` - Display members whose domain is in `<DomainNameList>`
+* `external internaldomains <DomainNameList>` - Display members whose domain is not in `<DomainNameList>`
+* `internal external internaldomains <DomainNameList>` - Display all members, indicate their category: internal or external
+* `internaldomains <DomainNameList>` - Defaults to value of `domain` in `gam.cfg`
+
+Members without an email address, e.g. `customer`, `chrome-os-device` and `cbcm-browser` are considered internal.

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, all group aliases are displayed, these options modify that behavior:
 * `noaliases` or `quick` - Do not display group aliases
@@ -296,13 +320,14 @@ This command displays information in CSV format.
 ```
 gam print cigroups [todrive <ToDriveAttribute>*]
        [(cimember|showownedby <UserItem>)|(select <GroupEntity>)|(query <String>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
        [basic|allfields|(<CIGroupFieldName>* [fields <CIGroupFieldNameList>])]
        [roles <GroupRoleList>] [memberrestrictions]
+        [internal] [internaldomains <DomainNameList>] [external]
        [members|memberscount] [managers|managerscount] [owners|ownerscount] [totalcount] [countsonly]
-        [types <CIGroupTypeList>]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
+        [types <CIGroupMemberTypeList>]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
        [convertcrnl] [delimiter <Character>]
        [formatjson [quotechar <Character>]]
 ```
@@ -313,12 +338,12 @@ By default, all groups in the account are displayed, these options allow selecti
 * `query <String>` - Limit display to the groups that match the query

 These options further limit the list of groups selected above:
-* `emailmatchpattern <RegularExpression>` - Limit display to groups whose email address matches `<RegularExpression>`
-* `emailmatchpattern not <RegularExpression>` - Limit display to groups whose email address does not match `<RegularExpression>`
-* `namematchpattern <RegularExpression>` - Limit display to groups whose name matches `<RegularExpression>`
-* `namematchpattern not <RegularExpression>` - Limit display to groups whose name does not match `<RegularExpression>`
-* `descriptionmatchpattern <RegularExpression>` - Limit display to groups whose description matches `<RegularExpression>`
-* `descriptionmatchpattern not <RegularExpression>` - Limit display to groups whose description does not match `<RegularExpression>`
+* `emailmatchpattern <REMatchPattern>` - Limit display to groups whose email address matches `<REMatchPattern>`
+* `emailmatchpattern not <REMatchPattern>` - Limit display to groups whose email address does not match `<REMatchPattern>`
+* `namematchpattern <REMatchPattern>` - Limit display to groups whose name matches `<REMatchPattern>`
+* `namematchpattern not <REMatchPattern>` - Limit display to groups whose name does not match `<REMatchPattern>`
+* `descriptionmatchpattern <REMatchPattern>` - Limit display to groups whose description matches `<REMatchPattern>`
+* `descriptionmatchpattern not <REMatchPattern>` - Limit display to groups whose description does not match `<REMatchPattern>`

 By default, GAM does not make an additional API call todisplay the member restrictions from `SecuritySettings`.
 * `memberrestrictions` - Make an additional API call and display the member restrictions from `SecuritySettings`
@@ -353,11 +378,19 @@ By default, no members, managers or owners in the group are displayed; these opt
 * `totalcount` - Display sum of counts of members, managers, owners.

 By default, when displaying members from a group, all types of members (customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
-* `types <CIGroupTypeList>` - Display specified types
+* `types <CIGroupMemberTypeList>` - Display specified types
+
+By default, when listing group members, GAM does not take the domain of the member into account.
+* `internal internaldomains <DomainNameList>` - Display members whose domain is in `<DomainNameList>`
+* `external internaldomains <DomainNameList>` - Display members whose domain is not in `<DomainNameList>`
+* `internal external internaldomains <DomainNameList>` - Display all members, indicate their category: internal or external
+* `internaldomains <DomainNameList>` - Defaults to value of `domain` in `gam.cfg`
+
+Members without an email address, e.g. `customer`, `chrome-os-device` and `cbcm-browser` are considered internal.

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
@@ -368,6 +401,37 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

+### Display member count examples
+```
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount                  
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,ManagersCount,MembersCount,OwnersCount
+testgroup@domain.com,9,0,7,2
+
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount internal
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,TotalInternalCount,InternalManagersCount,InternalMembersCount,InternalOwnersCount
+testgroup@domain.com,7,7,0,5,2
+
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount external
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,TotalExternalCount,ExternalManagersCount,ExternalMembersCount,ExternalOwnersCount
+testgroup@domain.com,2,2,0,2,0
+
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount external internal
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,TotalInternalCount,InternalManagersCount,InternalMembersCount,InternalOwnersCount,TotalExternalCount,ExternalManagersCount,ExternalMembersCount,ExternalOwnersCount
+testgroup@domain.com,9,7,0,5,2,2,0,2,0
+```
+
 ### Display dynamic groups
 ```
 gam print cigroups query "'cloudidentity.googleapis.com/groups.dynamic' in labels"
@@ -383,8 +447,8 @@ Display the number of groups.
 ```
 gam print cigroups
        [(cimember|showownedby <UserItem>)|(select <GroupEntity>)|(query <String>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
        showitemcountonly
 ```
 Example
--- a/wiki/Cloud-Identity-Policies.md
+++ b/wiki/Cloud-Identity-Policies.md
@@ -0,0 +1,402 @@
+# Cloud Identity Policies
+- [API documentation](#api-documentation)
+- [Notes](#notes)
+- [Python Regular Expressions](Python-Regular-Expressions) Match function
+- [Definitions](#definitions)
+- [Policies](#policies)
+- [Display Cloud Identity Policies](#display-cloud-identity-policies)
+
+## API documentation
+* [Policy API](https://cloud.google.com/identity/docs/reference/rest/v1/policies)
+* [Policy Settings](https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings)
+
+## Notes
+To use these commands you must update your client access authentication.
+You'll enter 19R to turn on the Cloud Identity Policy scope; then continue
+with authentication.
+```
+gam oauth delete
+gam oauth create
+...
+[R] 19)  Cloud Identity - Policy
+```
+
+## Definitions
+```
+<CIPolicyName> ::= policies/<String>|settings/<String>|<String>
+<CIPolicyNameList> ::= "<CIPolicyName>(,<CIPolicyName>)*"
+<CIPolicyNameEntity> ::=
+        <CIPolicyNameList> | <FileSelector> | <CSVFileSelector>
+
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+```
+
+## Policies
+These are the supported policies GAM can show today.
+
+See: https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings
+```
+user_takeout_status (is takeout enabled for service)
+  blogger.user_takeout
+  books.user_takeout
+  location_history.user_takeout
+  maps.user_takeout
+  pay.user_takeout
+  photos.user_takeout
+  play.user_takeout
+  play_console.user_takeout
+  youtube.user_takeout
+service_status (is service enabled)
+  ad_manager
+  ads
+  adsense
+  alerts
+  analytics
+  applied_digital_skills
+  appsheet
+  arts_and_culture
+  beyondcorp_enterprise
+  blogger
+  bookmarks
+  books
+  calendar
+  campaign_manager
+  chat
+  chrome_canvas
+  chrome_remote_desktop
+  chrome_sync
+  chrome_web_store
+  classroom
+  cloud
+  cloud_search
+  colab
+  cs_first
+  data_studio
+  developers
+  domains
+  drive_and_docs
+  earth
+  enterprise_service_restrictions
+  experimental_apps
+  feedburner
+  fi
+  gmail
+  groups
+  groups_for_business
+  jamboard
+  keep
+  location_history
+  managed_play
+  maps
+  material_gallery
+  meet
+  merchant_center
+  messages
+  migrate
+  my_business
+  my_maps
+  news
+  partner_dash
+  pay
+  pay_for_business
+  photos
+  pinpoint
+  play
+  play_books_partner_center
+  play_console
+  public_data
+  question_hub
+  scholar_profiles
+  search_ads_360
+  search_and_assistant
+  search_console
+  sites
+  socratic
+  takeout
+  tasks
+  third_party_app_backups
+  translate
+  trips
+  vault
+  voice
+  work_insights
+  youtube
+calendar.appointment_schedules
+  enablePayments
+chat.chat_apps_access
+  enableApps
+  enableWebhooks
+chat.chat_file_sharing
+  externalFileSharing
+  internalFileSharing
+chat.chat_history
+  enableChatHistory
+  historyOnByDefault
+  allowUserModification
+chat.external_chat_restriction
+  allowExternalChat
+chat.space_history
+  historyState
+classroom.api_data_access
+  enableApiAccess
+classroom.class_membership
+  whoCanJoinClasses
+  whichClassesCanUsersJoin
+classroom.guardian_access
+  allowAccess
+  whoCanManageGuardianAccess
+classroom.originality_reports
+  enableOriginalityReportsSchoolMatches
+classroom.roster_import
+  rosterImportOption
+classroom.student_unenrollment
+  whoCanUnenrollStudents
+classroom.teacher_permissions
+  whoCanCreateClasses
+cloud_sharing_options.cloud_data_sharing
+  sharingOptions
+detector.regular_expression
+  displayName
+  regularExpression
+  createTime
+  updateTime
+detector.word_list
+  displayName
+  wordList
+  createTime
+  updateTime
+  description
+drive_and_docs.drive_for_desktop
+  allowDriveForDesktop
+  restrictToAuthorizedDevices
+  showDownloadLink
+  allowRealTimePresence
+drive_and_docs.external_sharing
+  externalSharingMode
+  allowReceivingExternalFiles
+  warnForSharingOutsideAllowlistedDomains
+  allowReceivingFilesOutsideAllowlistedDomains
+  allowNonGoogleInvitesInAllowlistedDomains
+  warnForExternalSharing
+  allowNonGoogleInvites
+  allowPublishingFiles
+  accessCheckerSuggestions
+  allowedPartiesForDistributingContent
+drive_and_docs.file_security_update
+  securityUpdate
+  allowUsersToManageUpdate
+drive_and_docs.shared_drive_creation
+  allowSharedDriveCreation
+  orgUnitForNewSharedDrives
+  customOrgUnit
+  allowManagersToOverrideSettings
+  allowExternalUserAccess
+  allowNonMemberAccess
+  allowedPartiesForDownloadPrintCopy
+  allowContentManagersToShareFolders
+gmail.auto_forwarding
+  enableAutoForwarding
+gmail.confidential_mode
+  enableConfidentialMode
+gmail.email_attachment_safety
+  enableEncryptedAttachmentProtection
+  encryptedAttachmentProtectionConsequence
+  enableAttachmentWithScriptsProtection
+  attachmentWithScriptsProtectionConsequence
+  enableAnomalousAttachmentProtection
+  anomalousAttachmentProtectionConsequence
+  allowedAnomalousAttachmentFiletypes
+  applyFutureRecommendedSettingsAutomatically
+  encryptedAttachmentProtectionQuarantineId
+  attachmentWithScriptsProtectionQuarantineId
+  anomalousAttachmentProtectionQuarantineId
+gmail.email_image_proxy_bypass
+  imageProxyBypassPattern
+  enableImageProxy
+gmail.enhanced_pre_delivery_message_scanning
+  enableImprovedSuspiciousContentDetection
+gmail.enhanced_smime_encryption
+  enableSmimeEncryption
+  allowUserToUploadCertificates
+gmail.gmail_name_format
+  allowCustomDisplayNames
+  defaultDisplayNameFormat
+gmail.imap_access
+  enableImapAccess
+gmail.links_and_external_images
+  enableShortenerScanning
+  enableExternalImageScanning
+  enableAggressiveWarningsOnUntrustedLinks
+  applyFutureSettingsAutomatically
+gmail.per_user_outbound_gateway
+  allowUsersToUseExternalSmtpServers
+gmail.pop_access
+  enablePopAccess
+gmail.spoofing_and_authentication
+  detectDomainNameSpoofing
+  detectEmployeeNameSpoofing
+  detectDomainSpoofingFromUnauthenticatedSenders
+  detectUnauthenticatedEmails
+  domainNameSpoofingConsequence
+  employeeNameSpoofingConsequence
+  domainSpoofingConsequence
+  unauthenticatedEmailConsequence
+  detectGroupsSpoofing
+  groupsSpoofingVisibilityType
+  groupsSpoofingConsequence
+  applyFutureSettingsAutomatically
+  domainNameSpoofingQuarantineId
+  employeeNameSpoofingQuarantineId
+  domainSpoofingQuarantineId
+  unauthenticatedEmailQuarantineId
+  groupsSpoofingQuarantineId
+gmail.user_email_uploads
+  enableMailAndContactsImport
+gmail.workspace_sync_for_outlook
+  enableGoogleWorkspaceSyncForMicrosoftOutlook
+groups_for_business.groups_sharing
+  ownersCanAllowIncomingMailFromPublic
+  collaborationCapability
+  createGroupsAccessLevel
+  ownersCanAllowExternalMembers
+  ownersCanHideGroups
+  newGroupsAreHidden
+  viewTopicsDefaultAccessLevel
+meet.safety_access
+  meetingsAllowedToJoin
+meet.safety_domain
+  usersAllowedToJoin
+meet.safety_external_participants
+  enableExternalLabel
+meet.safety_host_management
+  enableHostManagement
+meet.video_recording
+  enableRecording
+rule.dlp
+  displayName
+  description
+  triggers
+  condition
+  action
+  state
+  createTime
+  updateTime
+  ruleTypeMetadata
+rule.system_defined_alerts
+  displayName
+  description
+  action
+  state
+  createTime
+  updateTime
+security.advanced_protection_program
+  enableAdvancedProtectionSelfEnrollment
+  securityCodeOption
+security.less_secure_apps
+  allowLessSecureApps
+security.login_challenges
+  enableEmployeeIdChallenge
+security.password
+  allowedStrength
+  minimumLength
+  maximumLength
+  enforceRequirementsAtLogin
+  allowReuse
+  expirationDuration
+security.session_controls
+  webSessionDuration
+security.super_admin_account_recovery
+  enableAccountRecovery
+security.user_account_recovery
+  enableAccountRecovery
+sites.sites_creation_and_modification
+  allowSitesCreation
+  allowSitesModification
+workspace_marketplace.apps_allowlist
+  apps
+```
+## Display Cloud Identity Policies
+Display selected policies.
+```
+gam info policies <CIPolicyEntity>
+        [nowarnings] [noappnames]
+        [formatjson]
+```
+
+Select policies::
+* `polices/<String>` - A policy name, `policies/ahv4hg7qc24kvaghb7zihwf4riid4`
+* `settings/<String>` - A policy setting type, `settings/workspace_marketplace.apps_allowlist`
+* `<String>` - A policy setting type, `workspace_marketplace.apps_allowlist`
+
+By default, policy warnings are displayed, use the 'nowarnings` option to suppress their display.
+
+By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
+to get the application name for the application ID. Use option `noappnames` to suppress these calls.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+Display all or filtered policies.
+```
+gam show policies
+        [filter <String>] [nowarnings] [noappnames]
+        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
+        [formatjson]
+```
+By default, all policies are displayed.
+* `filter <String>` - Display filtered policies, See https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/list
+* `group <REMatchPattern>` - Only display policies whose group email address matches the `<REMatchPattern>`
+* `ou|org|orgunit <REMatchPattern>` - Only display policies whose OU path matches the `<REMatchPattern>`
+
+By default, policy warnings are displayed, use the `nowarnings` option to suppress their display.
+
+By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
+to get the application name for the application ID. Use option `noappnames` to suppress these calls.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam print policies [todrive <ToDriveAttribute>*]
+        [filter <String>] [nowarnings] [noappnames]
+        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
+        [formatjson [quotechar <Character>]]
+```
+By default, all policies are displayed:
+* `filter <String>` - Display filtered policies, See https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/list
+* `group <REMatchPattern>` - Only display policies whose group email address matches the `<REMatchPattern>`
+* `ou|org|orgunit <REMatchPattern>` - Only display policies whose OU path matches the `<REMatchPattern>`
+
+By default, policy warnings are displayed, use the `nowarnings` option to suppress their display.
+
+By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
+to get the application name for the application ID. Use option `noappnames` to suppress these calls.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+### Examples
+Print all service status policies.
+```
+gam redirect csv ./ServiceStatusPolicies.csv print policies filter "setting.type.matches('.*service_status')"
+```
+
+Print all polices that apply directly to the OU "/Staff".
+```
+gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff$"
+```
+
+Print all polices that apply to the OU "/Staff" and its sub-OUs.
+```
+gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff"
+```
--- a/wiki/Cloud-Storage.md
+++ b/wiki/Cloud-Storage.md
@@ -5,7 +5,7 @@
 - [Download a Cloud Storage Bucket Object](#download-a-cloud-storage-bucket-object)

 ## API documentation
-* https://cloud.google.com/storage/docs/json_api/v1/objects
+* [Cloud Storage API - Objects](https://cloud.google.com/storage/docs/json_api/v1/objects)

 ## Notes
 To use these commands you must add the 'Cloud Storage API' to your project and update your client access authorization.
--- a/wiki/Collections-of-ChromeOS-Devices.md
+++ b/wiki/Collections-of-ChromeOS-Devices.md
@@ -1,5 +1,5 @@
 # Collections of ChromeOS Devices
- [Python Regular Expressions](Python-Regular-Expressions) Match function
+- [Python Regular Expressions](Python-Regular-Expressions) Search function
 - [Definitions](#definitions)
 - [Organization Unit Quoting](#organization-unit-quoting)
 - [Query Quoting](#query-quoting)
@@ -94,7 +94,7 @@
             (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (croscsvfile_sn
            ((<FileName>(:<FieldName>)+ [charset <Charset>] )|
@@ -104,7 +104,7 @@
             (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (datafile
            cros|cros_sn|cros_ous|cros_ous_and_children
@@ -121,7 +121,7 @@
              (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (csvkmd
            cros|cros_sn|cros_ous|cros_ous_and_children
@@ -131,9 +131,9 @@
              (gcscsv <StorageBucketObjectName>)|
              (gcsdoc <StorageBucketObjectName>))
             [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
-            keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-            subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+            subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [datafield <FieldName>(:<FieldName>)* [delimiter <Character>]])
        (croscsvdata <FieldName>(:<FieldName>*))
 ```
@@ -141,17 +141,12 @@
 * `<OrgUnitItem>` should be enclosed in `"` if it contains a space, comma or single quote.
 * `<OrgUnitList>` may require special quoting based on whether the OUs contain spaces, commas or single quotes.

-For quoting rules, see: [List Items](List-Items)
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)

 ## Query Quoting
 `<QueryCrOSList>` may require special quoting based on whether the queries contain spaces, commas or single quotes.

-* Surround `<QueryCrOSList>` with `" "`
-* Surround each query with `\" \"`, separate the queries with commas.
-
-```
-queries "\"orgUnitPath='/Path/To/OU 1'\",\"orgUnitPath='/Path/To/OU 2'\",\"orgUnitPath='/Path/To/OU 3'\""
-```
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)

 ## Query Notes

@@ -267,7 +262,7 @@ croscsvfile
    (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `<FileName>(:<FieldName>)+` - A CSV file and the one or more columns that contain ChromeOS deviceIds
@@ -282,7 +277,7 @@ croscsvfile
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple deviceIds per column separated by `<Character>`; if not specified, there is single deviceId per column

 ## Selected ChromeOS serial numbers in a CSV file/Google Sheet/Google Doc/Google Cloud Storage Object
@@ -295,7 +290,7 @@ croscsvfile_sn
    (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `<FileName>(:<FieldName>)+` - A CSV file and the one or more columns that contain ChromeOS serial numbers
@@ -310,7 +305,7 @@ croscsvfile_sn
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple serial numbers per column separated by `<Character>`; if not specified, there is single deviceId per column

 ## ChromeOS devices from OUs in a flat file/Google Doc/Google Cloud Storage Object
@@ -340,7 +335,7 @@ csvdatafile
     (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `cros|cros_ous|cros_ous_and_children` - The type of item in the file
@@ -356,7 +351,7 @@ csvdatafile
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple deviceIds per column separated by `<Character>`; if not specified, there is single deviceId per column

 ## ChromeOS devices directly in or from OUs in a CSV file/Google Sheet/Google Doc/Google Cloud Storage Object
@@ -369,9 +364,9 @@ csvkmd
     (gcscsv <StorageBucketObjectName>)|
     (gcsdoc <StorageBucketObjectName>))
    [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
-   keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-   subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+   subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [datafield <FieldName>(:<FieldName>)* [delimiter <Character>]]
 ```
 * `cros|cros_sn|cros_ous|cros_ous_and_children` - The type of item in the file
@@ -385,15 +380,15 @@ csvkmd
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])+`
+* `(keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])+`
    * `keyfield <FieldName>` - The column containing key values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per keyfield column separated by `<Character>`; if not specified, there is single value per keyfield column
-* `(subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])*`
+* `(subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])*`
    * `subkeyfield <FieldName>` - The column containing subkey values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per subkeyfield column separated by `<Character>`; if not specified, there is single value per subkeyfield column
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `(datafield <FieldName>(:<FieldName)* [delimiter <Character>])*`
    * `datafield <FieldName>(:<FieldName)*` - The column(s) containing data values
    * `delimiter <Character>` - There are multiple values per datafield column separated by `<Character>`; if not specified, there is single value per datafield column
@@ -462,5 +457,3 @@ This is equivaluent to:
 ```
 gam cros_ous "'/Students/Middle School/2021','/Students/Middle School/2020'" print cros allfields nolists
 ```
-
-
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Need more help? Ask on the [GAM Discussion Group](https://groups.google.com/forum/#!forum/google-apps-manager)`