Update GamUpdates.md

Added option shareddrives to gam print shareddriveorganizers
2026-06-10 17:21:36 +00:00 · 2025-06-01 09:33:11 -07:00 · 2025-06-01 08:51:33 -07:00 · 2025-06-01 08:51:08 -07:00 · 2025-05-31 21:13:22 -07:00 · 2025-05-31 20:58:18 -07:00
262 changed files with 19663 additions and 25915 deletions
--- a/.github/actions/creds.tar.xz.gpg
+++ b/.github/actions/creds.tar.xz.gpg
--- a/.github/actions/decrypt.sh
+++ b/.github/actions/decrypt.sh
@@ -1,32 +1,19 @@
 #!/bin/sh
-credspath="$3"
+credspath="$1"
 if [ ! -d "$credspath" ]; then
    echo "creating ${credspath}"
    mkdir -p "$credspath"
 fi
-gpgfile="$1"
-if [ -f "$gpgfile" ]; then
-    echo "source file is ${gpgfile}"
+credsfile="${credspath}/oauth2.txt"
+echo "$oa2" > "$credsfile"
+echo "File size:"
+wc -c "$credsfile"
+echo "File type:"
+file "$credsfile"
+echo "Validation:"
+jq -e . "$credsfile" > /dev/null
+if [ $? -eq 0 ]; then
+  echo "Valid JSON"
 else
-    echo "ERROR: ${gpgfile} does not exist"
-    exit 1
+  echo "Invalid JSON"
 fi
-credsfile="$2"
-echo "target file is ${credsfile}"
-if [ -z ${PASSCODE+x} ]; then
-  echo "ERROR: PASSCODE is unset";
-  exit 2
-else
-  echo "PASSCODE is set";
-fi
-
-gpg --batch \
-    --yes \
-    --decrypt \
-    --passphrase="${PASSCODE}" \
-    --output "${credsfile}" \
-    "${gpgfile}"
-
-tar xvvf "${credsfile}" --directory "${credspath}"
-rm -rvf "${gpgfile}"
-rm -rvf "${credsfile}"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,9 +2,14 @@ name: Build and test GAM

 on:
  push:
+    paths-ignore:
+      - 'wiki/**'
  pull_request:
+    paths-ignore:
+      - 'wiki/**'
  schedule:
    - cron: '37 22 * * *'
+  workflow_dispatch:

 permissions:
  contents: read
@@ -17,12 +22,14 @@ defaults:
    working-directory: src

 env:
-  SCRATCH_COUNTER: 2
+  SCRATCH_COUNTER: 14
  OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
  OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
  OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
  PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
  PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
+  CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY: 1
+  CRYPTOGRAPHY_OPENSSL_NO_LEGACY: 1

 jobs:
  build:
@@ -34,60 +41,69 @@ jobs:
          - os: ubuntu-22.04
            jid: 1
            goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
-          - os: [self-hosted, linux, arm64]
+            name: Build Intel Ubuntu Jammy
+          - os: ubuntu-24.04
            jid: 2
            goal: build
-            arch: aarch64
-            openssl_archs: linux-aarch64
-          - os: ubuntu-22.04
+            name: Build Intel Ubuntu Noble
+          - os: ubuntu-24.04-arm
            jid: 3
            goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
-            staticx: yes
-          - os: [self-hosted, linux, arm64]
+            name: Build Arm Ubuntu Noble
+          - os: ubuntu-22.04-arm
            jid: 4
            goal: build
-            arch: aarch64
-            openssl_archs: linux-aarch64
-            staticx: yes
-          - os: macos-13
+            name: Build Arm Ubuntu Jammy
+          - os: ubuntu-22.04
            jid: 5
            goal: build
-            arch: x86_64
-            openssl_archs: darwin64-x86_64
-          - os: macos-14
+            staticx: yes
+            name: Build Intel StaticX Legacy
+          - os: ubuntu-22.04-arm
            jid: 6
            goal: build
-            arch: aarch64
-            openssl_archs: darwin64-arm64
-          - os: windows-2022
+            staticx: yes
+            name: Build Arm StaticX Legacy
+          - os: macos-13
            jid: 7
            goal: build
-            arch: Win64
-            openssl_archs: VC-WIN64A
-          - os: ubuntu-24.04
-            goal: test
-            python: "3.9"
+            name: Build Intel MacOS
+          - os: macos-14
            jid: 8
-            arch: x86_64
+            goal: build
+            name: Build Arm MacOS 14
+          - os: macos-15
+            jid: 9
+            goal: build
+            name: Build Arm MacOS 15
+          - os: windows-2022
+            jid: 10
+            goal: build
+            name: Build Intel Windows
+          - os: windows-11-arm
+            jid: 11
+            goal: build
+            name: Build Arm Windows
          - os: ubuntu-24.04
            goal: test
            python: "3.10"
-            jid: 9
-            arch: x86_64
+            jid: 12
+            name: Test Python 3.10
          - os: ubuntu-24.04
            goal: test
            python: "3.11"
-            jid: 10
-            arch: x86_64
+            jid: 13
+            name: Test Python 3.11
          - os: ubuntu-24.04
            goal: test
            python: "3.12"
-            jid: 11
-            arch: x86_64
+            jid: 14
+            name: Test Python 3.12
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.14-dev"
+            jid: 15
+            name: Test Python 3.14-dev

    steps:

@@ -110,7 +126,7 @@ jobs:
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20241008
+          key: gam-${{ matrix.jid }}-20250422

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -124,15 +140,25 @@ jobs:
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
+          check-latest: true

      - name: common variables for all runs
        env:
-          arch: ${{ matrix.arch }}
          JID: ${{ matrix.jid }}
          ACTIONS_CACHE: ${{ steps.cache-python-ssl.outputs.cache-hit }}
          ACTIONS_GOAL: ${{ matrix.goal }}
        run: |
-          echo "arch=${arch}" >> $GITHUB_ENV
+          case $RUNNER_ARCH in
+            X64)
+              echo "arch=x86_64" >> $GITHUB_ENV
+              ;;
+            ARM64)
+              echo "arch=arm64" >> $GITHUB_ENV
+              ;;
+            *)
+              echo "arch=${RUNNER_ARCH}" >> $GITHUB_ENV
+              ;;
+          esac 
          echo "JID=${JID}" >> $GITHUB_ENV
          echo "ACTIONS_CACHE=${ACTIONS_CACHE}" >> $GITHUB_ENV
          echo "ACTIONS_GOAL=${ACTIONS_GOAL}" >> $GITHUB_ENV
@@ -146,20 +172,12 @@ jobs:
          echo "curl_retry=${curl_retry}" >> $GITHUB_ENV
          # GAMCFGDIR should be recreated on every run
          GAMCFGDIR="${RUNNER_TEMP}/.gam"
-          if [ "$arch" == "Win64" ]; then
+          if [ "$RUNNER_OS" == "Windows" ]; then
            GAMCFGDIR=$(cygpath -u "$GAMCFGDIR")
          fi
          echo "GAMCFGDIR=${GAMCFGDIR}" >> $GITHUB_ENV
          echo "GAMCFGDIR is: ${GAMCFGDIR}"
-          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            GAMOS="macos"
-          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
-            GAMOS="linux"
-          elif [[ "${RUNNER_OS}" == "Windows" ]]; then
-            GAMOS="windows"
-          else
-           GAMOS='unknown'
-          fi
+          export GAMOS=$(echo "$RUNNER_OS" | tr '[:upper:]' '[:lower:]')
          echo "GAMOS=${GAMOS}" >> $GITHUB_ENV
          echo "GAMOS is: ${GAMOS}"

@@ -177,11 +195,11 @@ jobs:
          echo "gampath=${gampath}" >> $GITHUB_ENV

      - name: Install necessary Github-hosted Linux packages
-        if: runner.os == 'Linux' && runner.arch == 'X64'
+        if: runner.os == 'Linux'
        run: |
          echo "RUNNING: apt update..."
          sudo apt-get -qq --yes update
-          sudo apt-get -qq --yes install swig libpcsclite-dev libxslt1-dev
+          sudo apt-get -qq --yes install swig libpcsclite-dev libxslt1-dev libsqlite3-dev libffi-dev pkg-config

      - name: MacOS install tools
        if: runner.os == 'macOS'
@@ -208,23 +226,15 @@ jobs:
        uses: ilammy/msvc-dev-cmd@v1
        if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        with:
-          arch: ${{ matrix.arch }}
+          arch: ${{ runner.arch }}

      - name: Set Env Variables for build
        if: matrix.goal == 'build'
        env:
-          openssl_archs: ${{ matrix.openssl_archs }}
          staticx: ${{ matrix.staticx }}
        run: |
          echo "We are running on ${RUNNER_OS}"
          LD_LIBRARY_PATH="${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib:/usr/local/lib"
-          if [[ "${arch}" == "Win64" ]]; then
-            PYEXTERNALS_PATH="amd64"
-            PYBUILDRELEASE_ARCH="x64"
-            GAM_ARCHIVE_ARCH="x86_64"
-            WIX_ARCH="x64"
-            CHOC_OPS=""
-          fi
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
            MAKE=make
            MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
@@ -242,9 +252,15 @@ jobs:
            MAKE=nmake
            MAKEOPT=""
            PERL="c:\strawberry\perl\bin\perl.exe"
+            if [[ "$RUNNER_ARCH" == "ARM64" ]]; then
+              PYEXTERNALS_PATH="arm64"
+              WIX_ARCH="arm64"
+            elif [[ "$RUNNER_ARCH" == "X64" ]]; then
+              PYEXTERNALS_PATH="amd64"
+              WIX_ARCH="x64"
+            fi
            LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}"
            echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}/python.exe" >> $GITHUB_ENV
-            echo "GAM_ARCHIVE_ARCH=${GAM_ARCHIVE_ARCH}" >> $GITHUB_ENV
            echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
          fi
          echo "We'll run make with: ${MAKEOPT}"
@@ -254,8 +270,6 @@ jobs:
          echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
          echo "PERL=${PERL}" >> $GITHUB_ENV
          echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV
-          echo "PYBUILDRELEASE_ARCH=${PYBUILDRELEASE_ARCH}" >> $GITHUB_ENV
-          echo "openssl_archs=${openssl_archs}" >> $GITHUB_ENV

      - name: Get latest stable OpenSSL source
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -269,29 +283,21 @@ jobs:
          git checkout "${LATEST_STABLE_TAG}"
          export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix
          echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            for openssl_arch in $openssl_archs; do
-              ssldir="${OPENSSL_SOURCE_PATH}-${openssl_arch}"
-              mkdir -v "${ssldir}"
-              cp -vrf ${OPENSSL_SOURCE_PATH}/* "${ssldir}/"
-            done
-            rm -vrf "${OPENSSL_SOURCE_PATH}"
-          else
-            mv -v "${OPENSSL_SOURCE_PATH}" "${OPENSSL_SOURCE_PATH}-${openssl_archs}"
-          fi

      - name: Windows NASM Install
        uses: ilammy/setup-nasm@v1
-        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
+        if: matrix.goal == 'build' && runner.os == 'Windows' && runner.arch == 'X64' && steps.cache-python-ssl.outputs.cache-hit != 'true'

      - name: Config OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
-          for openssl_arch in $openssl_archs; do
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-            # --libdir=lib is needed so Python can find OpenSSL libraries
-            "${PERL}" ./Configure "${openssl_arch}" --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
-          done
+          cd "${OPENSSL_SOURCE_PATH}"
+          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+            # https://github.com/openssl/openssl/issues/26239
+            export CFLAGS=-DNO_INTERLOCKEDOR64
+          fi
+          # --libdir=lib is needed so Python can find OpenSSL libraries
+          "${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS

      - name: Rename GNU link on Windows
        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -302,53 +308,29 @@ jobs:
      - name: Make OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
-          for openssl_arch in $openssl_archs; do
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-            $MAKE "${MAKEOPT}"
-          done
+          cd "${OPENSSL_SOURCE_PATH}"
+          # TODO: remove this once https://github.com/openssl/openssl/issues/26239 is fixed.
+          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+            export CFLAGS=-DNO_INTERLOCKEDOR64
+          fi
+          $MAKE "$MAKEOPT"

      - name: Install OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            for openssl_arch in $openssl_archs; do
-              cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-              # install_sw saves us ages processing man pages :-)
-              $MAKE install_sw
-              mv -v "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
-            done
-            mkdir -vp "${OPENSSL_INSTALL_PATH}/lib"
-            mkdir -vp "${OPENSSL_INSTALL_PATH}/bin"
-            for archlib in libcrypto.3.dylib libssl.3.dylib libcrypto.a libssl.a; do
-              lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/lib/${archlib}" \
-                           "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/lib/${archlib}" \
-                   -output "${GITHUB_WORKSPACE}/bin/ssl/lib/${archlib}"
-            done
-            mv ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/include ${GITHUB_WORKSPACE}/bin/ssl/
-            lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/bin/openssl" \
-                         "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/bin/openssl" \
-                 -output "${GITHUB_WORKSPACE}/bin/ssl/bin/openssl"
-            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64
-            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64
-          else
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_archs}"
-            # install_sw saves us ages processing man pages :-)
-            $MAKE install_sw
-          fi
+          cd "${OPENSSL_SOURCE_PATH}"
+          # install_sw saves us ages processing man pages :-)
+          $MAKE install_sw
          if [[ "${RUNNER_OS}" != "Windows" ]]; then
            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
          fi
          echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
-          case $arch in
-            universal2)
-              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64 ${CFLAGS}" >> $GITHUB_ENV
-              echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV
-              ;;
-            x86_64)
+          case $RUNNER_ARCH in
+            X64)
              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
              echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
              ;;
-            aarch64)
+            ARM64)
              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
              echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
              ;;
@@ -375,18 +357,12 @@ jobs:
        if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
          cd "${PYTHON_SOURCE_PATH}"
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            extra_args=( "--enable-universalsdk" "--with-universal-archs=universal2" )
-          else
-            extra_args=( )
-          fi
          ./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \
                      --prefix="${PYTHON_INSTALL_PATH}" \
                      --enable-shared \
                      --with-ensurepip=upgrade \
                      --enable-optimizations \
-                      --with-lto \
-                      "${extra_args[@]}" || : # exit 0
+                      --with-lto || : # exit 0
          cat config.log

      - name: Windows Get External Python deps
@@ -406,10 +382,15 @@ jobs:
          Remove-Item -recurse -force "${env:OPENSSL_EXT_PATH}*"
          # Emulate what this script does:
          # https://github.com/python/cpython/blob/main/PCbuild/openssl.vcxproj
-          $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:PYEXTERNALS_PATH}"
+          if (${env:RUNNER_ARCH} -eq "X64") {
+            $env:ossl_path = "amd64"
+          } elseif (${env:RUNNER_ARCH} -eq "ARM64") {
+            $env:ossl_path =  "arm64"
+          }
+          $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:ossl_path}"
          echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}"
          mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
-          Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE" -Verbose
+          Copy-Item -Path "${env:OPENSSL_SOURCE_PATH}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE"
          cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}"
          cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}"
          cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
@@ -430,8 +411,15 @@ jobs:
          cd "${env:PYTHON_SOURCE_PATH}"
          # We need out custom openssl.props which uses OpenSSL 3 DLL names
          Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\ -Verbose
-          echo "Building for ${env:PYBUILDRELEASE_ARCH}..."
-          PCBuild\build.bat -m --pgo -c Release -p "${env:PYBUILDRELEASE_ARCH}"
+          if (${env:RUNNER_ARCH} -eq "X64") {
+            $env:arch = "x64"
+            PCBuild\build.bat -c Release -p $env:arch --pgo
+          } elseif (${env:RUNNER_ARCH} -eq "ARM64") {
+            $env:arch =  "ARM64"
+            # TODO: figure out why Windows ARM64 isn't compat with PGO optimiazation
+            # causes 10-20% slowdown in Python
+            PCBuild\build.bat -c Release -p $env:arch
+          }

      - name: Mac/Linux Build Python
        if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -458,46 +446,43 @@ jobs:
      - name: Upgrade pip, wheel, etc
        run: |
          curl $curl_retry -O https://bootstrap.pypa.io/get-pip.py
-          "${PYTHON}" get-pip.py
-          "${PYTHON}" -m pip install --upgrade pip
-          "${PYTHON}" -m pip install --upgrade wheel
-          "${PYTHON}" -m pip install --upgrade setuptools
+          "$PYTHON" get-pip.py
+          "$PYTHON" -m pip install --upgrade pip
+          "$PYTHON" -m pip install --upgrade wheel
+          "$PYTHON" -m pip install setuptools
+          "$PYTHON" -m pip install --upgrade importlib-metadata
+          "$PYTHON" -m pip install --upgrade setuptools-scm
+          "$PYTHON" -m pip list
+
+      - name: Custom wheels for Win arm64
+        if: runner.os == 'Windows' && runner.arch == 'ARM64'
+        run: |
+          latest_lxml_whl=$(curl https://api.github.com/repos/GAM-team/lxml-wheel/releases/latest -s | jq -r .assets.[0].browser_download_url)
+          echo "Downloading ${latest_lxml_whl}..."
+          curl -O -L "$latest_lxml_whl"
+          "$PYTHON" -m pip install lxml*.whl
+          latest_crypt_whl=$(curl https://api.github.com/repos/jay0lee/cryptography/releases/latest -s | jq -r .assets.[0].browser_download_url)
+          echo "Downloading ${latest_crypt_whl}..."
+          curl -O -L "$latest_crypt_whl"
+          "$PYTHON" -m pip install cryptography*.whl
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+     # - name: Compile cryptography from source (no legacy)
+     #   if: runner.os != 'Windows' || runner.arch != 'ARM64'
+     #   run: |
+     #     pip install --no-binary ":all:" --force cryptography

      - name: Install pip requirements
        run: |
          echo "before anything..."
-          "${PYTHON}" -m pip list
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            # cffi is a dep of cryptography and doesn't ship
-            # a universal2 wheel so we must build one ourself :-/
-            export CFLAGS="-arch x86_64 -arch arm64"
-            export ARCHFLAGS="-arch x86_64 -arch arm64"
-            "${PYTHON}" -m pip install --upgrade --force-reinstall --no-binary :all: \
-                              --no-cache-dir --no-deps --use-pep517 \
-                              --use-feature=no-binary-enable-wheel-cache \
-                              cffi 
-            echo "before cryptography..."
-            "${PYTHON}" -m pip list
-            # cryptography has a universal2 wheel but getting it installed
-            # on x86-64 MacOS is a royal pain in the keester.
-            "${PYTHON}" -m pip download --only-binary :all: \
-                                          --dest . \
-                                          --no-cache \
-                                          --no-deps \
-                                          --platform macosx_10_15_universal2 \
-                                          cryptography
-            "${PYTHON}" -m pip install --force-reinstall --no-deps cryptography*.whl
-            echo "after cryptography..."
-            "${PYTHON}" -m pip list
-            "${PYTHON}" -m pip install --upgrade --no-binary :all: -r requirements.txt
-          else
-            "${PYTHON}" -m pip install --upgrade -r requirements.txt
-            echo "after requirements..."
-            "${PYTHON}" -m pip list
-            "${PYTHON}" -m pip install --force-reinstall --no-deps --upgrade cryptography
-          fi
+          "$PYTHON" -m pip list
+          "$PYTHON" -m pip install --upgrade -r requirements.txt
+          echo "after requirements..."
+          "$PYTHON" -m pip list
+          #"$PYTHON" -m pip install --force-reinstall --no-deps --upgrade cryptography
          echo "after everything..."
-          "${PYTHON}" -m pip list
+          "$PYTHON" -m pip list

      - name: Install PyInstaller
        if: matrix.goal == 'build'
@@ -510,14 +495,7 @@ jobs:
          # remove pre-compiled bootloaders so we fail if bootloader compile fails
          rm -rvf PyInstaller/bootloader/*-*/*
          cd bootloader
-          export PYINSTALLER_BUILD_ARGS=""
-          case "${arch}" in
-            "Win64")
-              export PYINSTALLER_BUILD_ARGS="--target-arch=64bit"
-              ;;
-          esac
-          echo "PyInstaller build arguments: ${PYINSTALLER_BUILD_ARGS}"
-          "${PYTHON}" ./waf all $PYINSTALLER_BUILD_ARGS
+          "${PYTHON}" ./waf all
          cd ..
          echo "---- Installing PyInstaller ----"
          "${PYTHON}" -m pip install .
@@ -538,7 +516,6 @@ jobs:
            # https://github.com/pyinstaller/pyinstaller/issues/7102
            export PATH="$(dirname ${PYTHON}):/usr/bin"
          fi
-          #if ([ "${staticx}" != "yes" ] && [ "$RUNNER_OS" != "Windows" ]); then
          if [[ "$staticx" != "yes" ]]; then
            export PYINSTALLER_BUILD_ONEDIR=yes
          fi
@@ -584,10 +561,15 @@ jobs:
      - name: Install StaticX
        if: matrix.staticx == 'yes'
        run: |
+          sudo apt-get -qq --yes update
+          # arm64 needs to build a wheel and needs scons to build
+          sudo apt-get -qq --yes install scons
          "${PYTHON}" -m pip install --upgrade patchelf-wrapper
-          "${PYTHON}" -m pip install --upgrade staticx
+          # "${PYTHON}" -m pip install --upgrade staticx
+          # install latest github src for staticx
+          "${PYTHON}" -m pip install --upgrade "git+https://github.com/JonathonReinhart/staticx"

-      - name: Make StaticX
+      - name: Make StaticX GAM build
        if: matrix.staticx == 'yes'
        run: |
          case $RUNNER_ARCH in
@@ -624,14 +606,12 @@ jobs:
          echo "GAM Version ${GAMVERSION}"
          echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV

-      - name: Configure service account auth
+      - name: Configure user and service account auth
        id: configserviceaccount
        env:
-          PASSCODE: ${{ secrets.PASSCODE }}
+          oa2: ${{ secrets[format('GAM_GHA_{0}', matrix.jid)] }}
        run: |
-          source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
-          mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
-          rm -v $GAMCFGDIR/oauth2.txt-gam*
+          ../.github/actions/decrypt.sh "${GAMCFGDIR}"
          $gam create signjwtserviceaccount

      - name: Upload gam.exe Windows for signing
@@ -672,31 +652,39 @@ jobs:
        if: runner.os != 'Windows' && matrix.goal == 'build'
        run: |
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-              GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-macos-${arch}.tar.xz"
+              GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-macos${MACOSX_DEPLOYMENT_TARGET}-${arch}.tar.xz"
          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
            if [[ "${staticx}" == "yes" ]]; then
              libver="legacy"
            else
              libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
            fi
-            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
+            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-${arch}-${libver}.tar.xz"
          fi
          echo "GAM Archive ${GAM_ARCHIVE}"
          tar -C "${gampath}/.." --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam7

-      - name: Windows package
+      - name: Install Wix on Win ARM64
+        if: runner.os == 'Windows' && runner.arch == 'ARM64'
+        run: |
+          choco install wixtoolset
+
+      - name: Windows package zip
        if: runner.os == 'Windows' && matrix.goal != 'test'
        run: |
          echo "started in $(pwd)"
          cd "${gampath}/.."
          echo "moved to $(pwd)"
-          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
+          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.zip"
          /c/Program\ Files/7-Zip/7z.exe a -tzip "$GAM_ARCHIVE" gam7 "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
-          cd ../..
-          echo "moved to $(pwd)"
-          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi"
+
+      - name: Windows package MSI
+        if: runner.os == 'Windows' && matrix.goal != 'test'
+        run: |
+          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.msi"
          # auto-generate a lib.wxs based on the files PyInstaller created for the lib/ directory
          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/heat.exe dir "${gampath}/lib" -ke -srd -cg Lib -gg -dr lib -directoryid lib -out lib.wxs
+          $PYTHON tools/gen-wix-xml-filelist.py lib.wxs
          echo "-- begin lib.wxs --"
          cat lib.wxs
          echo "-- end lib.wxs --"
@@ -734,7 +722,7 @@ jobs:

      - name: Attest that gam package files were generated from this Action
        uses: actions/attest-build-provenance@v1
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal == 'build'
        with:
          subject-path: |
            gam*.tar.xz
@@ -743,7 +731,7 @@ jobs:

      - name: Archive production artifacts
        uses: actions/upload-artifact@v4
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal != 'test'
        with:
          name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
          path: |
@@ -771,8 +759,8 @@ jobs:
          fi
          echo "We successfully compiled Python ${this_python} and OpenSSL ${this_openssl}"

-      - name: Live API tests push only
-        if: (github.event_name == 'push' || github.event_name == 'schedule')
+      - name: Live API tests
+        if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
        run: |
          export gam_user="gam-gha-${JID}@pdl.jaylee.us"
          echo "gam_user=${gam_user}" >> $GITHUB_ENV
@@ -798,7 +786,10 @@ jobs:
          
          # cleanup old runs
          $gam config enable_dasa false save
-          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultholds || if [ $? != 55 ]; then exit $?; fi | $gam csv - gam delete vaulthold "id:~~holdId~~" matter "id:~~matterId~~"
+          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultholds | $gam csv - gam delete vaulthold "id:~~holdId~~" matter "id:~~matterId~~" || if [ $? != 55 ]; then exit $?; fi 
+          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultmatters matterstate OPEN | $gam csv - gam update vaultmatter "id:~~matterId~~" action close
+          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultmatters matterstate CLOSED | $gam csv - gam update vaultmatter "id:~~matterId~~" action delete
+          $gam config csv_output_row_filter "Emails.1.address:regex:^gha_test-${JID}_" print contacts | $gam csv - gam delete contact ~ContactID
          $gam config enable_dasa true save
          $gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print features | $gam csv - gam delete feature ~name
          $gam config csv_output_row_filter "name:regex:^gha_test_${JID}_" user $gam_user print shareddrives asadmin | $gam csv - gam user $gam_user delete shareddrive ~id nukefromorbit
@@ -807,7 +798,6 @@ jobs:
          $gam config csv_output_row_filter "email:regex:^gha_test_${JID}_" print cigroups | $gam csv - gam delete cigroup ~email
          $gam config csv_output_row_filter "resourceId:regex:^gha_test_${JID}_" print resources | $gam csv - gam delete resource ~resourceId
          $gam config csv_output_row_filter "buildingId:regex:^gha_test_${JID}_" print buildings | $gam csv - gam delete building ~buildingId
-          $gam config csv_output_row_filter "Emails.1.address:regex:^gha_test-${JID}_" print contacts | $gam csv - gam delete contact ~ContactID

          echo "Creating OrgUnit ${newou}"
          $gam create ou "${newou}"
@@ -818,8 +808,7 @@ jobs:
          done
          driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
          echo "Created shared drive ${driveid}"
-          # 9/17/24 - temp create in root due to Google API issues creating users in new OUs
-          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- # ou "${newou}"
+          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "${newou}"
          $gam user $newuser add license workspaceenterpriseplus
          $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
          $gam user $newuser get photo
@@ -828,7 +817,9 @@ jobs:
          $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
          $gam user $gam_user sendemail recipient dev-null@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
          $gam config enable_dasa false save
-          #$gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
+          # don't expose policy output
+          $gam show policies > policies.csv
+          $gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
          $gam print contacts
          $gam print privileges
          $gam config enable_dasa true save
@@ -848,18 +839,18 @@ jobs:
          $gam csv sample.csv gam update user ~~email~~ recoveryphone "" recoveryemail ""
          $gam config enable_dasa false save
          $gam csv sample.csv gam user ~email add license workspaceenterpriseplus
+          #$gam user $newuser add contactdelegate "${newbase}-bulkuser-1"
+          #$gam user $newuser print contactdelegates
          $gam config enable_dasa true save
          $gam csv sample.csv gam user $gam_user sendemail recipient ~~email~~@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
          $gam csv sample.csv gam update group $newgroup add member ~email
          $gam info group $newgroup
          $gam info cigroup $newgroup membertree
          # confirm mailbox is provisoned before continuing
-          $gam user $newuser waitformailbox retries 20
+          $gam user $newuser waitformailbox retries 50
          $gam user $newuser imap on
          $gam user $newuser show imap
          $gam user $newuser show delegates
-          #$gam user $newuser add contactdelegate "${newbase}-bulkuser-1"
-          #$gam user $newuser print contactdelegates
          export biohazard=$(echo -e '\xe2\x98\xa3')
          $gam user $newuser label "$biohazard unicode biohazard $biohazard"
          $gam user $newuser show labels
@@ -891,7 +882,7 @@ jobs:
          $gam calendar $gam_user addevent summary "GHA test event" start +1h end +2h attendee $newgroup hangoutsmeet guestscanmodify true sendupdates all
          $gam calendar $gam_user printevents after -0d
          $gam config enable_dasa false save
-          matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" collaborators $newuser returnidonly)
+          matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" returnidonly)
          $gam create vaulthold matter $matterid name "GHA hold $newbase" corpus mail accounts $newuser
          $gam print vaultmatters matterstate open
          $gam print vaultholds matter $matterid
@@ -925,9 +916,9 @@ jobs:
          $gam user $newuser show holds || if [ $? != 55 ]; then exit $?; fi # expect a 55 return code
          export sn="$JID$JID$JID$JID-$(openssl rand -base64 32 | sed 's/[^a-zA-Z0-9]//g')"
          $gam create device serialnumber $sn devicetype android
+          $gam delete contacts emailmatchpattern "^${newbase}@example.com$"
          $gam config enable_dasa true save
          $gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail  || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (vault hold on user)
-          $gam delete contacts emailmatchpattern "^${newbase}@example.com$"
          $gam print mobile
          $gam print devices
          $gam print browsers
@@ -979,8 +970,8 @@ jobs:
          tar cJvvf cache.tar.xz $tar_folders

  merge:
-    if: (github.event_name == 'push' || github.event_name == 'schedule')
-    runs-on: ubuntu-latest
+    if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
+    runs-on: ubuntu-24.04
    needs: build
    permissions:
      contents: write
@@ -993,8 +984,8 @@ jobs:
          pattern: gam-binaries-*

  publish:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
+    if: (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
+    runs-on: ubuntu-24.04
    needs: merge
    permissions:
      contents: write
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -13,10 +13,11 @@ name: "CodeQL"

 on:
  push:
-    branches: [ main ]
+    paths-ignore:
+      - 'wiki/**'
  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
+    paths-ignore:
+      - 'wiki/**'
  schedule:
    - cron: '25 10 * * 1'

--- a/.github/workflows/get-cacerts.yml
+++ b/.github/workflows/get-cacerts.yml
@@ -2,7 +2,11 @@ name: Check for Google Root CA Updates

 on:
  push:
+    paths-ignore:
+      - 'wiki/**'
  pull_request:
+    paths-ignore:
+      - 'wiki/**'
  schedule:
    - cron: '23 23 * * *'

@@ -20,8 +24,24 @@ jobs:
          persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo

-      - name: Check for updates
-        run: curl -o ./cacerts.pem -vvvv https://pki.goog/roots.pem
+      - name: Get Current cacerts.pem hash
+        run: |
+          export CURRENT_HASH=$(sha256sum ./cacerts.pem)
+          echo "Current hash is: ${CURRENT_HASH}"
+          echo "CURRENT_HASH=${CURRENT_HASH}" >> $GITHUB_ENV
+
+      - name: Get latest cacerts.pem file from Google
+        run: |
+          curl -o ./cacerts.pem -vvvv https://pki.goog/roots.pem
+
+      - name: Compare hashes
+        run: |
+          export NEW_HASH=$(sha256sum ./cacerts.pem)
+          if [ "$NEW_HASH" == "$CURRENT_HASH" ]; then
+            echo "Same file."
+          else
+            echo "New file content. Was ${CURRENT_HASH} and now is ${NEW_HASH}"
+          fi

      - name: Commit file
        run: |
--- a/.github/workflows/pushwiki.yml
+++ b/.github/workflows/pushwiki.yml
@@ -0,0 +1,41 @@
+name: Push wiki
+permissions:
+  contents: write
+on:
+  push:
+    paths:
+      - 'wiki/**'
+jobs:
+  pushwiki:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout GAM source
+        run: |
+          # checkout via normal shell here
+          # so we're not authorized to actually make any changes
+          git clone https://github.com/GAM-team/GAM
+
+      - name: Checkout Wiki source
+        uses: actions/checkout@master
+        with:
+          path: GAM.wiki
+          repository: GAM-team/GAM.wiki
+          persist-credentials: true
+          fetch-depth: 0
+
+      - name: Overwrite all Wiki repo files with /wiki from main git
+        run: |
+          # remove all wiki repo files so deletes work
+          rm -fv GAM.wiki/*.md
+          # copy all files from main GAM repo wiki folder
+          cp -fv GAM/wiki/*.md GAM.wiki/
+
+      - name: Commit Wiki changes
+        run: |
+          cd GAM.wiki
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git add *.md
+          git commit -m "[no ci] Push Wiki changes"
+          git status
+          git push
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -0,0 +1,35 @@
+name: build and publish releases to PyPi
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+  workflow_dispatch:
+
+jobs:
+  pypi:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/gam7
+    permissions:
+      id-token: write
+    steps:
+
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Install required packages to publish
+        run: |
+          python3 -m pip install --upgrade build
+
+      - name: Build packages
+        run: |
+          python -m build
+
+      - name: Publish package distributions to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestation: true
--- a/docs/Administrators.md
+++ b/docs/Administrators.md
@@ -1,913 +0,0 @@
-!# Administrators
- [Administrator roles documentation](#administrator-roles-documentation)
- [API documentation](#api-documentation)
- [Definitions](#definitions)
- [Display administrative privileges](#display-administrative-privileges)
- [Manage administrative roles](#manage-administrative-roles)
- [Display administrative roles](#display-administrative-roles)
- [Create an administrator](#create-an-administrator)
- [Delete an administrator](#delete-an-administrator)
- [Display administrators](#display-administrators)
- [Copy roles from one administrator to another](#copy-roles-from-one-administrator-to-another)
-
-## Administrator roles documentation
-* https://support.google.com/a/answer/33325?ref_topic=4514341
-
-## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/privileges
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/roles
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/roleAssignments
-
-## Definitions
-```
-<DomainName> ::= <String>(.<String>)+
-<EmailAddress> ::= <String>@<DomainName>
-<GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
-<OrgUnitID> ::= id:<String>
-<OrgUnitPath> ::= /|(/<String)+
-<OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
-<Privilege> ::= <String>
-<PrivilegeList> ::= "<Privilege>(,<Privilege)*"
-<RoleAssignmentID> ::= <String>
-<RoleItem> ::= id:<String>|uid:<String>|<String>
-<UniqueID> ::= id:<String>
-<UserItem> ::= <EmailAddress>|<UniqueID>|<String>
-```
-## Display administrative privileges
-```
-gam print privileges [todrive <ToDriveAttribute>*]
-gam show privileges
-```
-
-Here is the output from `gam show privileges`; use this to find `<Privilege>`.
-```
-Show 91 Privileges
-  Privilege: MANAGE_CSE_SETTINGS (1/91)
-    serviceId: 02pta16n4hxgyp2
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_PLAY_FOR_WORK_STORE (2/91)
-    serviceId: 00tyjcwt49hs5nq
-    serviceName: play_for_work
-    isOuScopable: False
-  Privilege: MANAGE_ENTERPRISE_PRIVATE_APPS (3/91)
-    serviceId: 00tyjcwt49hs5nq
-    serviceName: play_for_work
-    isOuScopable: False
-  Privilege: MANAGE_EXTERNALLY_HOSTED_APK_UPLOAD_IN_PLAY (4/91)
-    serviceId: 00tyjcwt49hs5nq
-    serviceName: play_for_work
-    isOuScopable: False
-  Privilege: MANAGE_PLAY_FOR_WORK_STORE (5/91)
-    serviceId: 02w5ecyt3pkeyqi
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_ENTERPRISE_PRIVATE_APPS (6/91)
-    serviceId: 02w5ecyt3pkeyqi
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_EXTERNALLY_HOSTED_APK_UPLOAD_IN_PLAY (7/91)
-    serviceId: 02w5ecyt3pkeyqi
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (8/91)
-    serviceId: 01ci93xb43sd8me
-    serviceName: Unknown
-    isOuScopable: True
-    childPrivileges: 2
-      Privilege: DELEGATES_READ (1/2)
-        serviceId: 01ci93xb43sd8me
-        serviceName: Unknown
-        isOuScopable: True
-      Privilege: DELEGATES_WRITE (2/2)
-        serviceId: 01ci93xb43sd8me
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: APP_ADMIN (9/91)
-    serviceId: 03cqmetx3hnlpuf
-    serviceName: gplus
-    isOuScopable: False
-  Privilege: GPLUS_SQUARE_BATCH_ADD (10/91)
-    serviceId: 03cqmetx3hnlpuf
-    serviceName: gplus
-    isOuScopable: False
-  Privilege: GPLUS_CONTENT_MANAGER_PRIVILEGE (11/91)
-    serviceId: 03cqmetx3hnlpuf
-    serviceName: gplus
-    isOuScopable: False
-  Privilege: APP_ADMIN (12/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: ACCESS_EMAIL_LOG_SEARCH (13/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: ACCESS_ADMIN_QUARANTINE (14/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: ACCESS_RESTRICTED_QUARANTINE (15/91)
-    serviceId: 039kk8xu49mji9t
-    serviceName: gmail
-    isOuScopable: False
-  Privilege: APP_ADMIN (16/91)
-    serviceId: 01tuee744837sjz
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_COURSE_SETTINGS (17/91)
-    serviceId: 037m2jsg4g9nirj
-    serviceName: Unknown
-    isOuScopable: True
-  Privilege: MANAGE_LTI_CREDENTIAL_MANAGEMENT_MODE (18/91)
-    serviceId: 037m2jsg4g9nirj
-    serviceName: Unknown
-    isOuScopable: True
-  Privilege: APP_ADMIN (19/91)
-    serviceId: 01baon6m1wv6b0p
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (20/91)
-    serviceId: 01yyy98l4k9lq4l
-    serviceName: directory
-    isOuScopable: False
-    childPrivileges: 3
-      Privilege: DIRECTORY_SETTINGS_READONLY (1/3)
-        serviceId: 01yyy98l4k9lq4l
-        serviceName: directory
-        isOuScopable: False
-        childPrivileges: 2
-          Privilege: PROFILE_EDITABILITY_READONLY (1/2)
-            serviceId: 01yyy98l4k9lq4l
-            serviceName: directory
-            isOuScopable: False
-          Privilege: CUSTOM_DIRECTORY_READONLY (2/2)
-            serviceId: 01yyy98l4k9lq4l
-            serviceName: directory
-            isOuScopable: False
-      Privilege: PROFILE_EDITABILITY_READWRITE (2/3)
-        serviceId: 01yyy98l4k9lq4l
-        serviceName: directory
-        isOuScopable: False
-      Privilege: CUSTOM_DIRECTORY_READWRITE (3/3)
-        serviceId: 01yyy98l4k9lq4l
-        serviceName: directory
-        isOuScopable: False
-  Privilege: LDAP_MANAGER (21/91)
-    serviceId: 02lwamvv18la4iw
-    serviceName: ldap
-    isOuScopable: False
-  Privilege: LDAP_PASSWORD_REBIND (22/91)
-    serviceId: 02lwamvv18la4iw
-    serviceName: ldap
-    isOuScopable: True
-    childPrivileges: 1
-      Privilege: LDAP_PASSWORD_REBIND_READONLY
-        serviceId: 02lwamvv18la4iw
-        serviceName: ldap
-        isOuScopable: True
-  Privilege: APP_ADMIN (23/91)
-    serviceId: 0319y80a15kueje
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (24/91)
-    serviceId: 044sinio4cntx2o
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (25/91)
-    serviceId: 01ksv4uv2d2noaq
-    serviceName: sites
-    isOuScopable: False
-  Privilege: ADMIN_DASHBOARD (26/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: True
-  Privilege: SERVICES (27/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: SECURITY_SETTINGS (28/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: SUPPORT (29/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: ADMIN_DOMAIN_SETTINGS (30/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: REPORTS (31/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: ADMIN_DASHBOARD (32/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: True
-  Privilege: SERVICES (33/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: SUPPORT (34/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: REPORTS (35/91)
-    serviceId: 01ci93xb3tmzyin
-    serviceName: admin
-    isOuScopable: False
-  Privilege: APP_ADMIN (36/91)
-    serviceId: 03fwokq01e2ht7x
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: UDM_NETWORK_ADMIN
-        serviceId: 03fwokq01e2ht7x
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: ADMIN_MATTER (37/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: REMOVE_HOLD (38/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: MANAGE_SEARCHES (39/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: MANAGE_EXPORTS (40/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: True
-  Privilege: MANAGE_RETENTION_POLICY (41/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: VIEW_RETENTION_POLICY
-        serviceId: 03l18frh45c63dw
-        serviceName: vault
-        isOuScopable: False
-  Privilege: AUDIT_SYSTEM (42/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: False
-  Privilege: ACCESS_ALL_MATTERS (43/91)
-    serviceId: 03l18frh45c63dw
-    serviceName: vault
-    isOuScopable: False
-  Privilege: APP_ADMIN (44/91)
-    serviceId: 02afmg282jiquyg
-    serviceName: device_management
-    isOuScopable: False
-  Privilege: APP_ADMIN (45/91)
-    serviceId: 037m2jsg3ckz96v
-    serviceName: calendar
-    isOuScopable: False
-    childPrivileges: 2
-      Privilege: CALENDAR_SETTINGS (1/2)
-        serviceId: 037m2jsg3ckz96v
-        serviceName: calendar
-        isOuScopable: False
-        childPrivileges: 1
-          Privilege: CALENDAR_SETTINGS_READ
-            serviceId: 037m2jsg3ckz96v
-            serviceName: calendar
-            isOuScopable: False
-      Privilege: CALENDAR_RESOURCE (2/2)
-        serviceId: 037m2jsg3ckz96v
-        serviceName: calendar
-        isOuScopable: False
-        childPrivileges: 2
-          Privilege: ROOM_INSIGHTS_DASHBOARD_ACCESS (1/2)
-            serviceId: 037m2jsg3ckz96v
-            serviceName: calendar
-            isOuScopable: False
-          Privilege: CALENDAR_RESOURCE_MANAGE (2/2)
-            serviceId: 037m2jsg3ckz96v
-            serviceName: calendar
-            isOuScopable: False
-            childPrivileges: 1
-              Privilege: CALENDAR_RESOURCE_READ
-                serviceId: 037m2jsg3ckz96v
-                serviceName: calendar
-                isOuScopable: False
-  Privilege: APP_ADMIN (46/91)
-    serviceId: 03dy6vkm2sk0pzo
-    serviceName: docs
-    isOuScopable: False
-    childPrivileges: 5
-      Privilege: DOCS_TEMPLATE_ADMIN (1/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: MIGRATE_TO_TEAM_DRIVE (2/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: WRITE_APPS_METADATA_SCHEMAS (3/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: VIEW_SITE_DETAILS (4/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-      Privilege: MANAGE_CLASSIC_GOOGLE_SITES (5/5)
-        serviceId: 03dy6vkm2sk0pzo
-        serviceName: docs
-        isOuScopable: False
-  Privilege: APP_ACCESS (47/91)
-    serviceId: 03cqmetx1vygwki
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: ORGANIZATION_UNITS_ALL (48/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: True
-    childPrivileges: 4
-      Privilege: ORGANIZATION_UNITS_CREATE (1/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: ORGANIZATION_UNITS_RETRIEVE (2/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: ORGANIZATION_UNITS_UPDATE (3/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: ORGANIZATION_UNITS_DELETE (4/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-  Privilege: USERS_ALL (49/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: True
-    childPrivileges: 5
-      Privilege: USERS_CREATE (1/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: USERS_RETRIEVE (2/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: USERS_UPDATE (3/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-        childPrivileges: 6
-          Privilege: USERS_ALIAS (1/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_MOVE (2/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_RESET_PASSWORD (3/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_FORCE_PASSWORD_CHANGE (4/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_ADD_NICKNAME (5/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-          Privilege: USERS_SUSPEND (6/6)
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: True
-      Privilege: USERS_UPDATE_CUSTOM_ATTRIBUTES_USER_PRIVILEGE_GROUP (4/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-      Privilege: USERS_DELETE (5/5)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: True
-  Privilege: GROUPS_ALL (50/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 4
-      Privilege: GROUPS_CREATE (1/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-      Privilege: GROUPS_RETRIEVE (2/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-      Privilege: GROUPS_UPDATE (3/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-      Privilege: GROUPS_DELETE (4/4)
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: USER_SECURITY_ALL (51/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: True
-  Privilege: DATATRANSFER_API_PRIVILEGE_GROUP (52/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: DOMAIN_REGISTRATION_MANAGEMENT (53/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: SCHEMA_MANAGEMENT (54/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: SCHEMA_RETRIEVE
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: LICENSING (55/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: LICENSING_READ
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: BILLING (56/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: BILLING_READ
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: SAML2_SERVICE_PROVIDER (57/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: DOMAIN_MANAGEMENT (58/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: UPGRADE_CONSUMER_CONVERSION (59/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: TRUSTED_DOMAIN_WHITELIST_WRITE (60/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: TRUSTED_DOMAIN_WHITELIST_READ
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: FULL_MIGRATION_ACCESS (61/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: EXECUTE_MIGRATION
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-        childPrivileges: 1
-          Privilege: MODIFY_MIGRATION
-            serviceId: 00haapch16h1ysv
-            serviceName: admin_apis
-            isOuScopable: False
-            childPrivileges: 1
-              Privilege: VIEW_MIGRATION
-                serviceId: 00haapch16h1ysv
-                serviceName: admin_apis
-                isOuScopable: False
-  Privilege: GROUPS_MANAGE_SECURITY_LABEL (62/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: GROUPS_MANAGE_LOCKED_LABEL (63/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: ADMIN_REPORTING_ACCESS (64/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: REPORTING_AUDIT_ACCESS
-        serviceId: 00haapch16h1ysv
-        serviceName: admin_apis
-        isOuScopable: False
-  Privilege: SUPPORT_PRIVILEGE_GROUP (65/91)
-    serviceId: 00haapch16h1ysv
-    serviceName: admin_apis
-    isOuScopable: False
-  Privilege: APPS_INCIDENTS_FULL_ACCESS (66/91)
-    serviceId: 02pta16n3efhw69
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 2
-      Privilege: APPS_INCIDENTS_READONLY (1/2)
-        serviceId: 02pta16n3efhw69
-        serviceName: Unknown
-        isOuScopable: False
-      Privilege: APPS_INCIDENTS_VIEW_VIRUSTOTAL_REPORTS (2/2)
-        serviceId: 02pta16n3efhw69
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: APP_ADMIN (67/91)
-    serviceId: 019c6y1840fzfkt
-    serviceName: classroom
-    isOuScopable: True
-  Privilege: ADMIN_OVERSIGHT_MANAGE_CLASSES (68/91)
-    serviceId: 019c6y1840fzfkt
-    serviceName: classroom
-    isOuScopable: True
-  Privilege: EDU_ANALYTICS_DATA_ACCESS (69/91)
-    serviceId: 019c6y1840fzfkt
-    serviceName: classroom
-    isOuScopable: True
-  Privilege: APP_ADMIN (70/91)
-    serviceId: 037m2jsg46www3g
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DYNAMITE_SETTINGS (71/91)
-    serviceId: 03whwml44f3n4vd
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MODERATE_DYNAMITE_REPORT (72/91)
-    serviceId: 03whwml44f3n4vd
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DYNAMITE_SPACES (73/91)
-    serviceId: 03whwml44f3n4vd
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (74/91)
-    serviceId: 03hv69ve4bjwe54
-    serviceName: Unknown
-    isOuScopable: True
-    childPrivileges: 6
-      Privilege: MANAGE_CHROME_USER_SETTINGS (1/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 2
-          Privilege: MANAGE_CHROME_APPLICATION_SETTINGS (1/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: MANAGE_CHROME_WEB_SETTINGS (2/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: MANAGE_CHROME_BROWSERS (2/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 1
-          Privilege: MANAGED_CHROME_BROWSERS_READ_ONLY
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: VIEW_CHROME_REPORTS (3/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 4
-          Privilege: VIEW_CHROME_EXTENSIONS_REPORT (1/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: VIEW_CHROME_VERSION_REPORT (2/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: VIEW_CHROME_INSIGHTS_REPORT (3/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-          Privilege: VIEW_CHROME_PRINTERS_REPORT (4/4)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: MANAGE_PRINTERS (4/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-      Privilege: MANAGE_DEVICES (5/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-        childPrivileges: 2
-          Privilege: MANAGE_DEVICES_READ_ONLY (1/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-            childPrivileges: 1
-              Privilege: TELEMETRY_API
-                serviceId: 03hv69ve4bjwe54
-                serviceName: Unknown
-                isOuScopable: True
-                childPrivileges: 19
-                  Privilege: TELEMETRY_API_DEVICE (1/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_USER (2/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_AUDIO_REPORT (3/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_BUS_DEVICE_INFO (4/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_OS_REPORT (5/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_CPU_INFO (6/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_CPU_REPORT (7/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_MEMORY_INFO (8/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_MEMORY_REPORT (9/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_GRAPHICS_INFO (10/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_GRAPHICS_REPORT (11/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_BATTERY_INFO (12/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_BATTERY_REPORT (13/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_STORAGE_INFO (14/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_STORAGE_REPORT (15/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_NETWORK_INFO (16/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_NETWORK_REPORT (17/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_DEVICE_ACTIVITY_REPORT (18/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-                  Privilege: TELEMETRY_API_PERIPHERALS_REPORT (19/19)
-                    serviceId: 03hv69ve4bjwe54
-                    serviceName: Unknown
-                    isOuScopable: True
-          Privilege: DEVICE_ACTION_CRD (2/2)
-            serviceId: 03hv69ve4bjwe54
-            serviceName: Unknown
-            isOuScopable: True
-      Privilege: MANAGE_DEVICE_SETTINGS (6/6)
-        serviceId: 03hv69ve4bjwe54
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: SERVICE_DATA_DOWNLOADER (75/91)
-    serviceId: 03hv69ve4bjwe54
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DIRECTORY_SYNC_SETTINGS (76/91)
-    serviceId: 0147n2zr1ynkkmf
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: READ_DIRECTORY_SYNC_SETTINGS
-        serviceId: 0147n2zr1ynkkmf
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: APP_ADMIN (77/91)
-    serviceId: 0279ka651l5iy5q
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: ADMIN_QUALITY_DASHBOARD_ACCESS
-        serviceId: 0279ka651l5iy5q
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: SECURITY_SETTINGS (78/91)
-    serviceId: 00vx122734tbite
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: INBOUND_SSO_SETTINGS
-        serviceId: 00vx122734tbite
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: VIEW_DLP_RULE (79/91)
-    serviceId: 02250f4o3hg8pg8
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: MANAGE_DLP_RULE (80/91)
-    serviceId: 02250f4o3hg8pg8
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (81/91)
-    serviceId: 00nmf14n14wtgcf
-    serviceName: app_maker
-    isOuScopable: False
-  Privilege: VIEW_ALL_PROJECTS (82/91)
-    serviceId: 00nmf14n14wtgcf
-    serviceName: app_maker
-    isOuScopable: False
-  Privilege: APP_ADMIN (83/91)
-    serviceId: 02zbgiuw2wdxo5p
-    serviceName: youtube
-    isOuScopable: False
-  Privilege: APP_ADMIN (84/91)
-    serviceId: 03as4poj2zjehv7
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (85/91)
-    serviceId: 02afmg283v5nmx6
-    serviceName: Unknown
-    isOuScopable: False
-    childPrivileges: 1
-      Privilege: ADMIN_QUALITY_DASHBOARD_ACCESS
-        serviceId: 02afmg283v5nmx6
-        serviceName: Unknown
-        isOuScopable: False
-  Privilege: APP_ADMIN (86/91)
-    serviceId: 00upglbi0qz687j
-    serviceName: takeout
-    isOuScopable: False
-  Privilege: CLOUD_PRINT_MANAGER (87/91)
-    serviceId: 02bn6wsx379ol8g
-    serviceName: cloud_print
-    isOuScopable: False
-  Privilege: MANAGE_AGE_BASED_ACCESS_SETTINGS_AGE_LABEL (88/91)
-    serviceId: 046r0co22dnadsi
-    serviceName: Unknown
-    isOuScopable: True
-    childPrivileges: 1
-      Privilege: AGE_BASED_ACCESS_SETTINGS_AGE_LABEL_READ
-        serviceId: 046r0co22dnadsi
-        serviceName: Unknown
-        isOuScopable: True
-  Privilege: LOGO_PRIVILEGE_GROUP (89/91)
-    serviceId: 03j2qqm31d4j55e
-    serviceName: Unknown
-    isOuScopable: False
-  Privilege: APP_ADMIN (90/91)
-    serviceId: 04f1mdlm0ki64aw
-    serviceName: cros
-    isOuScopable: True
-    childPrivileges: 7
-      Privilege: MANAGE_DEVICES (1/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: MANAGE_USER_SETTINGS (2/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-        childPrivileges: 1
-          Privilege: MANAGE_APPLICATION_SETTINGS
-            serviceId: 04f1mdlm0ki64aw
-            serviceName: cros
-            isOuScopable: True
-      Privilege: MANAGE_DEVICE_SETTINGS (3/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: MANAGE_BROWSERS (4/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: VIEW_EXTENSIONS_REPORT (5/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: VIEW_VERSION_REPORT (6/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-      Privilege: MANAGE_PRINTERS (7/7)
-        serviceId: 04f1mdlm0ki64aw
-        serviceName: cros
-        isOuScopable: True
-  Privilege: APP_ADMIN (91/91)
-    serviceId: 02et92p02l9sq0n
-    serviceName: Unknown
-    isOuScopable: True
-```
-
-## Manage administrative roles
-```
-gam create adminrole <String> privileges all|all_ou|<PrivilegeList> [description <String>]
-gam update adminrole <RoleItem> [name <String>] [privileges all|all_ou|<PrivilegeList>] [description <String>]
-gam delete adminrole <RoleItem>
-```
-* `privileges all` - All defined privileges
-* `privileges all_ou` - All defined privileges than can be scoped to an OU
-* `privileges <PrivilegeList>` - A specific list of privileges
-
-## Display administrative roles
-```
-gam info adminrole <RoleItem> [privileges]
-gam print adminroles|roles [todrive <ToDriveAttribute>*]
-        [privileges] [oneitemperrow]
-gam show adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
-```
-* `privileges` - Display privileges associated with each role
-
-By default, all privileges for a role are shown on one row as a repeating item.
-When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
-
-## Create an administrator
-Add an administrator role to an administrator.
-```
-gam create admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <OrgUnitItem>)
-        [condition securitygroup|nonsecuritygroup]
-```
-* `customer` - The administrator can manage all organization units
-* `org_unit <OrgUnitItem>` - The administrator can manage the specified organization unit
-
-The option `condition` limits the conditions for delegate admin access. This currently only works with the _GROUPS_EDITOR_ROLE and _GROUPS_READER_ROLE roles.
-* `condition securitygroup` - limit the delegated admin to managing security groups
-* `condition nonsecuritygroup` - limit the delegated admin to managing non-security groups
-
-## Delete an administrator
-Remove an administrator role from an administrator.
-```
-gam delete admin <RoleAssignmentId>
-```
-## Display administrators
-```
-gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
-        [privileges] [oneitemperrow]
-gam show admins
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
-```
-By default, all administrators and roles are displayed; choose from the following
-options to limit the display:
-* `user <UserItem>` -  Display only this administrator
-* `role <RoleItem>` - Display only administrators with this role
-
-* `condition` - Display any conditions associated with a role assignment
-* `privileges` - Display privileges associated with each role assignment
-
-By default, all role privileges for an admin are shown on one row as a repeating item.
-When `oneitemperrow` is specified, each role privilege is output on a separate row/line with the other admin fields.
-
-In versions prior to 6.07.01, specification of both `user <UserItem>`
-and `role <RoleItem>` generated no output due to an undocumented API rule that disallows both.
-
-## Copy roles from one administrator to another
-Get roles for current admin.
-```
-gam redirect csv ./CurrentAdminRoles.csv print admins user currentadmin@domain.com
-```
-Add roles to new admin.
-```
-gam config csv_input_row_filter "scopeType:regex:CUSTOMER" redirect stdout ./UpdateNewAdminCustomerRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" customer
-gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./UpdateNewAdminOrgUnitRoles.txt multiprocess redirect stderr stdout csv CurrentAdminRoles.csv gam create admin newadmin@domain.com "id:~~roleId~~" org_unit "id:~~orgUnitId~~"
-```
-
--- a/docs/Home.md
+++ b/docs/Home.md
@@ -1,61 +0,0 @@
- [Introduction](#introduction)
- [Requirements](#requirements)
- [Installation - First time GAM7 installation](#installation---first-time-gam7-installation)
- [Installation - Upgrading from Legacy GAM](#installation---upgrading-from-legacy-gam)
-
-# Introduction
-GAM7 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
-
-This page provides simple instructions for downloading, installing and starting to use GAM7.
-
-GAM7 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
-
-GAM7 is a rewrite/extension of Jay Lee's [Legacy GAM], without his efforts, this version wouldn't exist.
-
-GAM7 is backwards compatible with [Legacy GAM], meaning that if your command works with Legacy GAM, it will also work with GAM7. There may be differences in output, but the syntax is compatible.
-
-# Documentation
-Documentation for GAM7 is hosted in the [GitHub GAM7 Wiki] and in Gam*.txt files.
-Legacy GAM documentation is hosted in the [GitHub Legacy Wiki].
-
-# Mailing List / Discussion group
-The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.
-
-# Source Repository
-The official GAM7 source repository is on [GitHub] in the master branch.
-
-# Author
-GAM7 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
-
-# Requirements
-To run all commands properly, GAM7 requires three things:
-* An API project which identifies your install of GAM7 to Google and keeps track of API quotas.
-* Authorization to act as your Google Workspace Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
-* A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.
-
-# Installation - First time GAM7 installation
-Use these steps if you have never used any version of GAM in your domain. They will create a GAM project
-and all necessary authentications.
-
-* Download: [Downloads-Installs](Downloads-Installs)
-* Configuration: [GAM7 Configuration](gam.cfg)
-* Install: [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
-
-# Installation - Upgrading from Legacy GAM
-Use these steps if you have used any version of Legacy GAM in your domain. They will update your GAM project
-and all necessary authentications.
-
-* Download: [Downloads-Installs](Downloads-Installs)
-* Configuration: [GAM7 Configuration](gam.cfg)
-* Upgrade: [How to Upgrade from Legacy GAM](How-to-Upgrade-from-Legacy-GAM)
-
-You can install multiple versions of GAM and GAM7 in different parallel directories.
-
-[Legacy GAM]: https://github.com/GAM-team/GAM/releases?q=6.58&expanded=true
-[GAM7]: https://github.com/GAM-team/GAM
-[GitHub Releases]: https://github.com/GAM-team/GAM/releases
-[GitHub]: https://github.com/GAM-team/GAM/tree/master
-[GitHub Legacy Wiki]: https://github.com/GAM-team/GAM/wiki/
-[GitHub GAM7 Wiki]: https://github.com/GAM-team/GAM/wiki/
-[Google Groups]: https://groups.google.com/group/google-apps-manager
-[GAM Updates]: https://github.com/GAM-team/GAM/wiki/GamUpdates
--- a/docs/How-to-Upgrade-Advanced-GAM-to-GAM7.md
+++ b/docs/How-to-Upgrade-Advanced-GAM-to-GAM7.md
@@ -1,120 +0,0 @@
-# Installation - Update Advanced GAM to GAM7
-
- [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
- [Windows](#windows)
-
-## Linux and MacOS and Google Cloud Shell
-
-This example assumes that GAMADV-XTD3 was installed in /Users/admin/bin/gamadv-xtd3.
-If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
-
-Rename install directory.
-```
-mv /Users/admin/bin/gamadv-xtd3 /Users/admin/bin/gam7
-```
-
-See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
-
-You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page. Choose one of the following:
-
-* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
-  - Start a terminal session and execute one of the following commands:
-  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
-    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
-  - Update to latest version, do not create project or authorizations, specify a path
-    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
-
-In these examples, the user home folder is shown as /Users/admin; adjust according to your
-specific situation; e.g., /home/administrator.
-
-### Update gam  alias
-You should set an alias to point to /Users/admin/bin/gam/gam so you can operate from the /Users/admin/GAMWork directory.
-Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
-
-Change the following line:
-```
-alias gam="/Users/admin/bin/gamadv-xtd3/gam"
-```
-to
-```
-alias gam="/Users/admin/bin/gam7/gam"
-```
-in one of these files based on your shell:
-```
-~/.bash_aliases
-~/.bash_profile
-~/.bashrc
-~/.zshrc
-~/.profile
-```
-
-Issue the following command replacing `<Filename>` with the name of the file you edited:
-```
-source <Filename>
-```
-
-### Set a symlink if desired
-Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
-```
-ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
-```
-
-### Test
-```
-gam version
-```
-
-## Windows
-
-You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
-
-This example assumes that GAMADV-XTD3 was installed in C:\GAMADV-XTD3.
-If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
-
-These steps assume Command Prompt, adjust if you're using PowerShell.
-
-Rename install directory.
-```
-ren C:\GAMADV-STD3 C:\GAM7
-```
-
-See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
-
-* Executable Archive, Manual, Windows 64 bit
-  - `gam-7.wx.yz-windows-x86_64.zip`
-  - Download the archive, extract the contents into C:\GAM7.
-  - Start a Command Prompt/PowerShell session.
-
-* Executable Installer, Manual, Windows 64 bit
-  - `gam-7.wx.yz-windows-x86_64.msi`
-  - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session.
-
-### Update system path
-You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
-```
-Start Control Panel
-Click System
-Click Advanced system settings
-Click Environment Variables...
-Click Path under System variables
-Click Edit...
-If you have an existing entry referencing GAMADV-XTD3:
-  Click that entry
-  Click Delete
-If C:\GAM7 is already on the Path, skip the next three steps
-  Click New
-  Enter C:\GAM7
-  Click OK
-Click OK
-Click OK
-Exit Control Panel
-```
-
-At this point, you should restart Command Prompt so that it has the updated path and environment variables.
-
-### Test
-```
-gam version
-```
--- a/docs/Sites.md
+++ b/docs/Sites.md
@@ -1,81 +0,0 @@
-# Sites
- [API documentation](#api-documentation)
- [Definitions](#definitions)
- [Manage classic sites](#manage-classic-sites)
- [Display classic sites](#display-classic-sites)
- [Manage classic sites access](#manage-classic-sites-access)
- [Display classic sites access](#display-classic-sites-access)
-
-## API documentation
-* https://developers.google.com/google-apps/sites/docs/1.0/developers_guide_python
-
-## Definitions
-```
-<Date> ::=
-        <Year>-<Month>-<Day> |
-        (+|-)<Number>(d|w|y) |
-        never|
-        today
-
-<DomainName> ::= <String>(.<String>)+
-<DomainNameList> ::= "<DomainName>(,<DomainName>)*"
-<DomainNameEntity> ::=
-        <DomainNameList> | <FileSelector> | <CSVkmdSelector> |  <CSVDataSelector>
-        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
-
-<SiteName> ::= [a-z,0-9,-]+
-<SiteItem> ::= [<DomainName>/]<SiteName>
-<SiteList> ::= "<SiteItem>(,<SiteItem>)*"
-<SiteEntity> ::=
-        <SiteList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
-
-<SiteACLRole> ::= editor|owner|reader|writer
-<SiteACLRoleList> ::= "<SiteACLRole>(,<SiteACLRole>)*"
-
-<SiteAttribute> ::=
-        (categories <String>)|
-        (name <String>)|
-        (sourcelink <URI>])|
-        (summary <String>)|
-        (theme <String>)
-
-<SiteACLScope> ::=
-        <EmailAddress>|user:<EmailAdress>|group:<EmailAddress>|
-        domain:<DomainName>|domain|default
-<SiteACLScopeList> ::= "<SiteACLScope>(,<SiteACLScope>)*"
-<SiteACLScopeEntity> ::=
-        <SiteACLScopeList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
-```
-## Manage classic sites
-```
-gam [<UserTypeEntity>] create site <SiteItem> <SiteAttribute>*
-gam [<UserTypeEntity>] update sites <SiteEntity> <SiteAttribute>+
-```
-## Display classic sites
-```
-gam [<UserTypeEntity>] info sites <SiteEntity>
-        [withmappings] [role|roles all|<SiteACLRoleList>]
-gam [<UserTypeEntity>] show sites [domain|domains <DomainNameEntity>] [includeallsites]
-        [withmappings] [role|roles all|<SiteACLRoleList>] [maxresults <Number>]
-gam [<UserTypeEntity>] print sites [todrive <ToDriveAttribute>*]
-        [domain|domains <DomainNameEntity>] [includeallsites] 
-        [withmappings] [role|roles all|<SiteACLRoleList>] [maxresults <Number>]
-        [convertcrnl] [delimiter <Character>]
-
-gam [<UserTypeEntity>] print siteactivity <SiteEntity> [todrive <ToDriveAttribute>*]
-        [maxresults <Number>] [updated_min <Date>] [updated_max <Date>]
-```
-## Manage classic sites access
-```
-gam [<UserTypeEntity>] add siteacls <SiteEntity> <SiteACLRole> <SiteACLScopeEntity>
-gam [<UserTypeEntity>] update siteacls <SiteEntity> <SiteACLRole> <SiteACLScopeEntity>
-gam [<UserTypeEntity>] delete siteacls <SiteEntity> <SiteACLScopeEntity>
-```
-## Display classic sites access
-```
-gam [<UserTypeEntity>] info siteacls <SiteEntity> <SiteACLScopeEntity>
-gam [<UserTypeEntity>] show siteacls <SiteEntity>
-gam [<UserTypeEntity>] print siteacls <SiteEntity> [todrive <ToDriveAttribute>*]
-```
--- a/docs/_Footer.md
+++ b/docs/_Footer.md
@@ -1 +0,0 @@
-Need more help? Ask on the [GAM Discussion Group](https://groups.google.com/forum/#!forum/google-apps-manager)
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,65 @@
+[project]
+name = "gam7"
+dynamic = [
+    "version",
+]
+authors = [
+    { name="Jay Lee", email="jay0lee@gmail.com" },
+    { name="Ross Scroggs", email="Ross.Scroggs@gmail.com" },
+]
+# # The following files should be edited to match: setup.cfg, requirements.txt
+dependencies = [
+    "chardet>=5.2.0",
+    "cryptography>=44.0.2",
+    "distro; sys_platform=='linux'",
+    "filelock>=3.18.0",
+    "google-api-python-client>=2.167.0",
+    "google-auth-httplib2>=0.2.0",
+    "google-auth-oauthlib>=1.2.2",
+    "google-auth>=2.39.0",
+    "httplib2>=0.22.0",
+    "lxml>=5.4.0",
+    "passlib>=1.7.4",
+    "pathvalidate>=3.2.3",
+    "python-dateutil",
+    "yubikey-manager>=5.6.1",
+]
+description = "CLI tool to manage Google Workspace"
+readme = "README.md"
+requires-python = ">=3.9"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Operating System :: OS Independent",
+]
+license = {text = "Apache License (2.0)"}
+license-files = ["LICEN[CS]E*"]
+
+[project.optional-dependencies]
+yubikey = ["yubikey-manager>=5.6.1"]
+
+[project.scripts]
+gam = "gam.__main__:main"
+
+[project.urls]
+Homepage = "https://github.com/GAM-team/GAM"
+Issues = "https://github.com/GAM-team/GAM/issues"
+Discussion = "https://groups.google.com/group/google-apps-manager"
+Chat = "https://git.io/gam-chat"
+
+[tool.hatch.version]
+path = "src/gam/__init__.py"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/gam"]
+
+[build-system]
+requires = [
+    "hatchling",
+]
+build-backend = "hatchling.build"
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
--- a/src/admin-directory_v1.1beta1.json
+++ b/src/admin-directory_v1.1beta1.json
--- a/src/cacerts.pem
+++ b/src/cacerts.pem
@@ -1,33 +1,3 @@
-# Operating CA: DigiCert
-# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Label: "Baltimore CyberTrust Root"
-# Serial: 33554617
-# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
-# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
-# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
-----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
-
 # Operating CA: DigiCert
 # Issuer: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
 # Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
@@ -273,257 +243,6 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----

-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
-# Subject: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
-# Label: "Entrust Root Certification Authority"
-# Serial: 1164660820
-# MD5 Fingerprint: d6:a5:c3:ed:5d:dd:3e:00:c1:3d:87:92:1f:1d:3f:e4
-# SHA1 Fingerprint: b3:1e:b1:b7:40:e3:6c:84:02:da:dc:37:d4:4d:f5:d4:67:49:52:f9
-# SHA256 Fingerprint: 73:c1:76:43:4f:1b:c6:d5:ad:f4:5b:0e:76:e7:27:28:7c:8d:e5:76:16:c1:e6:e6:14:1a:2b:2c:bc:7d:8e:4c
-----BEGIN CERTIFICATE-----
-MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
-Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
-KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
-cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw
-NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw
-NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy
-ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV
-BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo
-Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4
-4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9
-KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI
-rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi
-94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB
-sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi
-gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo
-kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE
-vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
-A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t
-O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua
-AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP
-9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/
-eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
-0vdXcDazv/wor3ElhVsT/h5/WrQ8
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority - EC1 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2012 Entrust, Inc. - for authorized use only
-# Subject: CN=Entrust Root Certification Authority - EC1 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2012 Entrust, Inc. - for authorized use only
-# Label: "Entrust Root Certification Authority - EC1"
-# Serial: 51543124481930649114116133369
-# MD5 Fingerprint: b6:7e:1d:f0:58:c5:49:6c:24:3b:3d:ed:98:18:ed:bc
-# SHA1 Fingerprint: 20:d8:06:40:df:9b:25:f5:12:25:3a:11:ea:f7:59:8a:eb:14:b5:47
-# SHA256 Fingerprint: 02:ed:0e:b2:8c:14:da:45:16:5c:56:67:91:70:0d:64:51:d7:fb:56:f0:b2:ab:1d:3b:8e:b0:70:e5:6e:df:f5
-----BEGIN CERTIFICATE-----
-MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkG
-A1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3
-d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVu
-dHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEGA1UEAxMq
-RW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMB4XDTEy
-MTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0
-L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0g
-Zm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBD
-ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEVDMTB2MBAGByqGSM49AgEGBSuBBAAi
-A2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHyAsWfoPZb1YsGGYZPUxBt
-ByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef9eNi1KlH
-Bz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
-BBYEFLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVC
-R98crlOZF7ZvHH3hvxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nX
-hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority - G2 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2009 Entrust, Inc. - for authorized use only
-# Subject: CN=Entrust Root Certification Authority - G2 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2009 Entrust, Inc. - for authorized use only
-# Label: "Entrust Root Certification Authority - G2"
-# Serial: 1246989352
-# MD5 Fingerprint: 4b:e2:c9:91:96:65:0c:f4:0e:5a:93:92:a0:0a:fe:b2
-# SHA1 Fingerprint: 8c:f4:27:fd:79:0c:3a:d1:66:06:8d:e8:1e:57:ef:bb:93:22:72:d4
-# SHA256 Fingerprint: 43:df:57:74:b0:3e:7f:ef:5f:e4:0d:93:1a:7b:ed:f1:bb:2e:6b:42:73:8c:4e:6d:38:41:10:3d:3a:a7:f3:39
-----BEGIN CERTIFICATE-----
-MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
-cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
-IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
-dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
-NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
-dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
-dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
-aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
-RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
-cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
-wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
-U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
-jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
-BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
-jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
-Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
-1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
-nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
-VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
-# Subject: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
-# Label: "Entrust.net Premium 2048 Secure Server CA"
-# Serial: 946069240
-# MD5 Fingerprint: ee:29:31:bc:32:7e:9a:e6:e8:b5:f7:51:b4:34:71:90
-# SHA1 Fingerprint: 50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31
-# SHA256 Fingerprint: 6d:c4:71:72:e0:1c:bc:b0:bf:62:58:0d:89:5f:e2:b8:ac:9a:d4:f8:73:80:1e:0c:10:b9:c8:37:d2:1e:b1:77
-----BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
-bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
-IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
-MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
-LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
-YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
-A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
-sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
-MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
-XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
-HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
-4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
-j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
-U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
-zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
-u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
-bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
-fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Commercial O=AffirmTrust
-# Subject: CN=AffirmTrust Commercial O=AffirmTrust
-# Label: "AffirmTrust Commercial"
-# Serial: 8608355977964138876
-# MD5 Fingerprint: 82:92:ba:5b:ef:cd:8a:6f:a6:3d:55:f9:84:f6:d6:b7
-# SHA1 Fingerprint: f9:b5:b6:32:45:5f:9c:be:ec:57:5f:80:dc:e9:6e:2c:c7:b2:78:b7
-# SHA256 Fingerprint: 03:76:ab:1d:54:c5:f9:80:3c:e4:b2:e2:01:a0:ee:7e:ef:7b:57:b6:36:e8:a9:3c:9b:8d:48:60:c9:6f:5f:a7
-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP
-Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr
-ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL
-MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1
-yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr
-VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/
-nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG
-XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj
-vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt
-Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g
-N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC
-nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Networking O=AffirmTrust
-# Subject: CN=AffirmTrust Networking O=AffirmTrust
-# Label: "AffirmTrust Networking"
-# Serial: 8957382827206547757
-# MD5 Fingerprint: 42:65:ca:be:01:9a:9a:4c:a9:8c:41:49:cd:c0:d5:7f
-# SHA1 Fingerprint: 29:36:21:02:8b:20:ed:02:f5:66:c5:32:d1:d6:ed:90:9f:45:00:2f
-# SHA256 Fingerprint: 0a:81:ec:5a:92:97:77:f1:45:90:4a:f3:8d:5d:50:9f:66:b5:e2:c5:8f:cd:b5:31:05:8b:0e:17:f3:f0:b4:1b
-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y
-YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua
-kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL
-QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp
-6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG
-yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i
-QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO
-tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu
-QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ
-Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u
-olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48
-x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Premium O=AffirmTrust
-# Subject: CN=AffirmTrust Premium O=AffirmTrust
-# Label: "AffirmTrust Premium"
-# Serial: 7893706540734352110
-# MD5 Fingerprint: c4:5d:0e:48:b6:ac:28:30:4e:0a:bc:f9:38:16:87:57
-# SHA1 Fingerprint: d8:a6:33:2c:e0:03:6f:b1:85:f6:63:4f:7d:6a:06:65:26:32:28:27
-# SHA256 Fingerprint: 70:a7:3f:7f:37:6b:60:07:42:48:90:45:34:b1:14:82:d5:bf:0e:69:8e:cc:49:8d:f5:25:77:eb:f2:e9:3b:9a
-----BEGIN CERTIFICATE-----
-MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz
-dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG
-A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U
-cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf
-qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ
-JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ
-+jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS
-s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5
-HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7
-70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG
-V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S
-qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S
-5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia
-C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX
-OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE
-FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2
-KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg
-Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B
-8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ
-MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc
-0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ
-u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF
-u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH
-YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8
-GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO
-RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e
-KeC2uAloGRwYQw==
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Premium ECC O=AffirmTrust
-# Subject: CN=AffirmTrust Premium ECC O=AffirmTrust
-# Label: "AffirmTrust Premium ECC"
-# Serial: 8401224907861490260
-# MD5 Fingerprint: 64:b0:09:55:cf:b1:d5:99:e2:be:13:ab:a6:5d:ea:4d
-# SHA1 Fingerprint: b8:23:6b:00:2f:1d:16:86:53:01:55:6c:11:a4:37:ca:eb:ff:c3:bb
-# SHA256 Fingerprint: bd:71:fd:f6:da:97:e4:cf:62:d1:64:7a:dd:25:81:b0:7d:79:ad:f8:39:7e:b4:ec:ba:9c:5e:84:88:82:14:23
-----BEGIN CERTIFICATE-----
-MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC
-VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ
-cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ
-BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt
-VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D
-0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9
-ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G
-A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G
-A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs
-aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I
-flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ==
-----END CERTIFICATE-----
-
 # Operating CA: GlobalSign
 # Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
 # Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
--- a/src/cbcm-v1.1beta1.json
+++ b/src/cbcm-v1.1beta1.json
@@ -1,594 +0,0 @@
-{
-  "auth": {
-    "oauth2": {
-      "scopes": {
-        "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers": {
-          "description": "View and manage your Chrome browsers registered with Cloud Management"
-        },
-        "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly": {
-          "description": "View your Chrome browsers registered with Cloud Management"
-        }
-      }
-    }
-  },
-  "basePath": "",
-  "baseUrl": "https://admin.googleapis.com/admin/directory/v1.1beta1/customer/",
-  "batchPath": "batch",
-  "canonicalName": "cbcm",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://support.google.com/chrome/a/answer/9681204",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x16": "http://www.google.com/images/icons/product/search-16.gif",
-    "x32": "http://www.google.com/images/icons/product/search-32.gif"
-  },
-  "id": "cbcm:v1.1beta1",
-  "kind": "discovery#restDescription",
-  "mtlsRootUrl": "https://admin.mtls.googleapis.com/",
-  "name": "cbcm",
-  "ownerDomain": "google.com",
-  "ownerName": "Jay Lee",
-  "packagePath": "cbcm",
-  "parameters": {
-    "$.xgafv": {
-      "description": "V1 error format.",
-      "enum": [
-        "1",
-        "2"
-      ],
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "description": "OAuth access token.",
-      "location": "query",
-      "type": "string"
-    },
-    "alt": {
-      "default": "json",
-      "description": "Data format for response.",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "callback": {
-      "description": "JSONP",
-      "location": "query",
-      "type": "string"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "key": {
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
-      "location": "query",
-      "type": "string"
-    },
-    "oauth_token": {
-      "description": "OAuth 2.0 token for the current user.",
-      "location": "query",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "default": "true",
-      "description": "Returns response with indentations and line breaks.",
-      "location": "query",
-      "type": "boolean"
-    },
-    "quotaUser": {
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "location": "query",
-      "type": "string"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    },
-    "upload_protocol": {
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    }
-  },
-  "protocol": "rest",
-  "resources": {
-    "chromebrowsers": {
-      "methods": {
-        "delete": {
-          "description": "Deletes a browser.",
-          "flatPath": "{customer}/devices/chromebrowsers/{deviceId}",
-          "httpMethod": "DELETE",
-          "id": "cbcm.chromebrowsers.delete",
-          "parameterOrder": [
-            "customer",
-            "deviceId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "deviceId": {
-              "description": "Immutable ID of the browser.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/{deviceId}",
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        },
-        "get": {
-          "description": "Retrieves a browser.",
-          "flatPath": "{customer}/devices/chromebrowsers/{deviceId}",
-          "httpMethod": "GET",
-          "id": "cbcm.chromebrowsers.get",
-          "parameterOrder": [
-            "customer",
-            "deviceId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "deviceId": {
-              "description": "Immutable ID of the browser.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "projection": {
-              "description": "Restrict information returned to a set of selected fields. FULL or BASIC.",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/{deviceId}",
-          "response": {
-            "$ref": "ChromeBrowser"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers",
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly"
-          ]
-        },
-        "list": {
-          "description": "Retrieves a paginated list of all the browsers in a domain.",
-          "flatPath": "{customer}/devices/chromebrowsers",
-          "httpMethod": "GET",
-          "id": "cbcm.chromebrowsers.list",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "maxResults": {
-              "description": "Maximum number of results to return.",
-              "format": "int32",
-              "location": "query",
-              "maximum": "100",
-              "minimum": "1",
-              "type": "integer"
-            },
-            "orderBy": {
-              "description": "property to use for sorting results.",
-              "location": "query",
-              "type": "string"
-            },
-            "orgUnitPath": {
-              "description": "The full path of the organizational unit or its unique ID.",
-              "location": "query",
-              "type": "string"
-            },
-            "pageToken": {
-              "description": "Token to specify the next page in the list.",
-              "location": "query",
-              "type": "string"
-            },
-            "projection": {
-              "description": "Restrict information returned to a set of selected fields. FULL or BASIC.",
-              "location": "query",
-              "type": "string"
-            },
-            "query": {
-              "description": "Search string using the list page query language.",
-              "location": "query",
-              "type": "string"
-            },
-            "sortOrder": {
-              "description": "Whether to return results in ascending or descending order. Must be used with the orderBy parameter.",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers",
-          "response": {
-            "$ref": "ChromeBrowsers"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers",
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly"
-          ]
-        },
-        "moveChromeBrowsersToOu": {
-          "description": "Move Chrome Browsers Device between Organization Units",
-          "flatPath": "{customer}/devices/chromebrowsers/moveChromeBrowsersToOu",
-          "httpMethod": "POST",
-          "id": "cbcm.chromebrowsers.moveChromeBrowsersToOu",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/moveChromeBrowsersToOu",
-          "request": {
-            "$ref": "MoveChromeBrowsersRequest"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        },
-        "update": {
-          "description": "Updates a browser.",
-          "flatPath": "{customer}/devices/chromebrowsers/{deviceId}",
-          "httpMethod": "PUT",
-          "id": "cbcm.chromebrowsers.update",
-          "parameterOrder": [
-            "customer",
-            "deviceId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "deviceId": {
-              "description": "Immutable ID of the browser.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "projection": {
-              "description": "BASIC or FULL",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/devices/chromebrowsers/{deviceId}",
-          "request": {
-            "$ref": "ChromeBrowser"
-          },
-          "response": {
-            "$ref": "ChromeBrowser"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        }
-      }
-    },
-    "enrollmentTokens": {
-      "methods": {
-        "list": {
-          "description": "Retrieves a paginated list of all the browser entollment tokens in a domain.",
-          "flatPath": "{customer}/chrome/enrollmentTokens",
-          "httpMethod": "GET",
-          "id": "cbcm.enrollmentTokens.list",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "pageSize": {
-              "description": "Maximum number of results to return.",
-              "format": "int32",
-              "location": "query",
-              "maximum": "100",
-              "minimum": "1",
-              "type": "integer"
-            },
-            "orgUnitPath": {
-              "description": "The full path of the organizational unit or its unique ID.",
-              "location": "query",
-              "type": "string"
-            },
-            "pageToken": {
-              "description": "Token to specify the next page in the list.",
-              "location": "query",
-              "type": "string"
-            },
-            "query": {
-              "description": "Search string using the list page query language.",
-              "location": "query",
-              "type": "string"
-            }
-          },
-          "path": "{customer}/chrome/enrollmentTokens",
-          "response": {
-            "$ref": "EnrollmentTokens"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers",
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly"
-          ]
-        },
-        "create": {
-          "description": "Creates a browser enrollment token in a domain.",
-          "flatPath": "{customer}/chrome/enrollmentTokens",
-          "httpMethod": "POST",
-          "id": "cbcm.enrollmentTokens.create",
-          "parameterOrder": [
-            "customer"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/chrome/enrollmentTokens",
-          "request": {
-            "$ref": "CreateEnrollmentTokenRequest"
-          },
-          "response": {
-            "$ref": "EnrollmentToken"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        },
-        "revoke": {
-          "description": "Revokes a browser enrollment token in a domain.",
-          "flatPath": "{customer}/chrome/enrollmentTokens/{tokenPermanentId}:revoke",
-          "httpMethod": "POST",
-          "id": "cbcm.enrollmentTokens.revoke",
-          "parameterOrder": [
-            "customer",
-            "tokenPermanentId"
-          ],
-          "parameters": {
-            "customer": {
-              "description": "Immutable ID of the G Suite account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "tokenPermanentId": {
-              "description": "Unique identifier for an enrollment token.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "{customer}/chrome/enrollmentTokens/{tokenPermanentId}:revoke",
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers"
-          ]
-        }
-      }
-    }
-  },
-  "revision": "20201203",
-  "rootUrl": "https://admin.googleapis.com/admin/directory/v1.1beta1/customer/",
-  "schemas": {
-    "ChromeBrowser": {
-      "id": "ChromeBrowser",
-      "properties": {
-        "annotatedAssetId": {
-          "description": "Asset identifier as annotated by the administrator or specified during enrollment.",
-          "type": "string"
-        },
-        "annotatedLocation": {
-          "description": "Address or location of the device as annotated by the administrator.",
-          "type": "string"
-        },
-        "annotatedNotes": {
-          "description": "Notes about this device as annotated by the administrator",
-          "type": "string"
-        },
-        "annotatedUser": {
-          "description": "User of the device as annotated by the administrator.",
-          "type": "string"
-        },
-        "deviceId": {
-          "annotations": {
-            "required": [
-              "cbcm.chromebrowsers.update"
-            ]
-          },
-          "description": "The unique ID of the device.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "ChromeBrowsers": {
-      "id": "ChromeBrowsers",
-      "properties": {
-        "browsers": {
-          "description": "List of Chrome browser objects.",
-          "items": {
-            "$ref": "ChromeBrowser"
-          },
-          "type": "array"
-        },
-        "etag": {
-          "description": "ETag of the resource.",
-          "type": "string"
-        },
-        "kind": {
-          "default": "admin#directory#chromeosdevices",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "nextPageToken": {
-          "description": "Token used to access the next page of this result. To access the next page, use this token's value in the `pageToken` query string of this request.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "EnrollmentToken": {
-      "id": "EnrollmentToken",
-      "properties": {
-        "kind": {
-          "default": "admin#directory#chromeEnrollmentToken",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "tokenId": {
-          "description": "Enrollment Token ID.",
-          "type": "string"
-        },
-        "tokenPermanentId": {
-          "description": "Enrollment Token Permanent ID.",
-          "type": "string"
-        },
-        "customerId": {
-          "description": "Immutable ID of the G Suite account.",
-          "type": "string"
-        },
-        "orgUnitPath": {
-          "description": "The full path of the organizational unit or its unique ID.",
-          "type": "string"
-        },
-        "creatorId": {
-          "description": "Creator ID.",
-          "type": "string"
-        },
-        "createTime": {
-          "description": "Creation Time.",
-          "type": "string"
-        },
-        "revokerId": {
-          "description": "Revoker ID.",
-          "type": "string"
-        },
-        "revokeTime": {
-          "description": "Revoke Time",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "EnrollmentTokens": {
-      "id": "EnrollmentTokens",
-      "properties": {
-        "chrome_enrollment_tokens": {
-          "description": "List of Chrome browser enrollment token objects.",
-          "items": {
-            "$ref": "EnrollmentToken"
-          },
-          "type": "array"
-        },
-        "kind": {
-          "default": "admin#directory#chromeEnrollmentTokens",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "nextPageToken": {
-          "description": "Token used to access the next page of this result. To access the next page, use this token's value in the `pageToken` query string of this request.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "CreateEnrollmentTokenRequest": {
-      "id": "CreateEnrollmentTokenRequest",
-      "type": "object",
-      "properties": {
-        "org_unit_path": {
-          "description": "The full path of the organizational unit or its unique ID.",
-          "type": "string"
-        },
-        "expire_time": {
-          "description": "Expiration Time.",
-          "type": "string"
-        },
-        "token_type": {
-          "id": "token_type",
-          "annotations": {
-            "required": [
-              "cbcm.enrollmentTokens.create"
-            ]
-          },
-          "description": "CHROME_BROWSER.",
-          "type": "string"
-        }
-      }
-    },
-    "MoveChromeBrowsersRequest": {
-      "id": "MoveChromeBrowsersRequest",
-      "type": "object",
-      "properties": {
-        "org_unit_path": {
-          "annotations": {
-            "required": [
-              "cbcm.chromebrowsers.moveChromeBrowsersToOu"
-            ]
-          },
-          "description": "Destination organization unit to move devices to. Full path of the organizational unit or its ID prefixed with id:",
-          "type": "string"
-        },
-        "resource_ids": {
-          "annotations": {
-            "required": [
-              "cbcm.chromebrowsers.moveChromeBrowsersToOu"
-            ]
-          },
-          "description": "List of unique device IDs of Chrome Browser Devices to move. A maximum of 600 browsers may be moved per request.",
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        }
-      }
-    }
-  },
-  "servicePath": "",
-  "title": "Admin SDK API",
-  "version": "cbcm_v1.1beta1"
-}
--- a/src/contactdelegation-v1.json
+++ b/src/contactdelegation-v1.json
@@ -1,249 +0,0 @@
-{
-  "auth": {
-    "oauth2": {
-      "scopes": {
-        "https://www.googleapis.com/auth/admin.contact.delegation": {
-          "description": "View and manage your Contact Delegation"
-        },
-        "https://www.googleapis.com/auth/admin.contact.delegation.readonly": {
-          "description": "View your Contact Delegation"
-        }
-      }
-    }
-  },
-  "basePath": "",
-  "baseUrl": "https://admin.googleapis.com/admin/contacts/v1/",
-  "batchPath": "batch",
-  "canonicalName": "contactdelegation",
-  "description": "The Contact Delegation API allows Admins to delegate access of one user's, called the delegator, contacts to another user, called the delegate.",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://developers.google.com/admin-sdk/contact-delegation",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x16": "http://www.google.com/images/icons/product/search-16.gif",
-    "x32": "http://www.google.com/images/icons/product/search-32.gif"
-  },
-  "id": "contactdelegation:v1",
-  "kind": "discovery#restDescription",
-  "name": "contactdelegation",
-  "ownerDomain": "google.com",
-  "ownerName": "Google",
-  "packagePath": "admin",
-  "parameters": {
-    "$.xgafv": {
-      "description": "V1 error format.",
-      "enum": [
-        "1",
-        "2"
-      ],
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "description": "OAuth access token.",
-      "location": "query",
-      "type": "string"
-    },
-    "alt": {
-      "default": "json",
-      "description": "Data format for response.",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "callback": {
-      "description": "JSONP",
-      "location": "query",
-      "type": "string"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "key": {
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
-      "location": "query",
-      "type": "string"
-    },
-    "oauth_token": {
-      "description": "OAuth 2.0 token for the current user.",
-      "location": "query",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "default": "true",
-      "description": "Returns response with indentations and line breaks.",
-      "location": "query",
-      "type": "boolean"
-    },
-    "quotaUser": {
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "location": "query",
-      "type": "string"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    },
-    "upload_protocol": {
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    }
-  },
-  "protocol": "rest",
-  "resources": {
-    "delegates": {
-      "methods": {
-        "create": {
-          "description": "Creates a contact delegations",
-          "flatPath": "users/{user}/delegates",
-          "httpMethod": "POST",
-          "id": "contactdelegations.delegates.create",
-          "parameterOrder": [
-            "user"
-          ],
-          "parameters": {
-            "user": {
-              "description": "Email address of the delegator.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "users/{user}/delegates/{delegate}",
-          "request": {
-            "$ref": "Delegate"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.contact.delegation"
-          ]
-        },
-        "delete": {
-          "description": "Deletes a contact delegation.",
-          "flatPath": "users/{user}/delegates/{delegate}",
-          "httpMethod": "DELETE",
-          "id": "contactdelegations.delegates.delete",
-          "parameterOrder": [
-            "user",
-            "delegate"
-          ],
-          "parameters": {
-            "delegate": {
-              "description": "Email address of the delegate",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            },
-            "user": {
-              "description": "Email address of the delegator.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "users/{user}/delegates/{delegate}",
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.contact.delegation"
-          ]
-        },
-        "list": {
-          "description": "Lists contact delegates for a user",
-          "flatPath": "users/{user}/delegates",
-          "httpMethod": "GET",
-          "id": "contactdelegations.delegates.list",
-          "parameterOrder": [
-            "user"
-          ],
-          "parameters": {
-            "pageSize": {
-              "description": "Determines how many delegates are returned in each response. ",
-              "format": "int32",
-              "location": "query",
-              "minimum": "1",
-              "type": "integer"
-            },
-            "pageToken": {
-              "description": "Token to specify the next page in the list.",
-              "location": "query",
-              "type": "string"
-            },
-            "user": {
-              "description": "Email address of the delegator.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "users/{user}/delegates",
-          "response": {
-            "$ref": "Delegates"
-          },
-          "scopes": [
-            "https://www.googleapis.com/auth/admin.contact.delegation",
-            "https://www.googleapis.com/auth/admin.contact.delegation.readonly"
-          ]
-        }
-      }
-    }
-  },
-  "rootUrl": "https://admin.googleapis.com/admin/contacts/v1/",
-  "schemas": {
-    "Delegate": {
-      "description": "JSON template for a delegate.",
-      "id": "Delegate",
-      "properties": {
-        "email": {
-          "description": "Email of the delegate.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    },
-    "Delegates": {
-      "id": "Delegates",
-      "properties": {
-        "delegates": {
-          "description": "List of delegates.",
-          "items": {
-            "$ref": "Delegate"
-          },
-          "type": "array"
-        },
-        "etag": {
-          "description": "ETag of the resource.",
-          "type": "string"
-        },
-        "kind": {
-          "default": "",
-          "description": "Kind of resource this is.",
-          "type": "string"
-        },
-        "nextPageToken": {
-          "description": "Token used to access the next page of this result. To access the next page, use this token's value in the `pageToken` query string of this request.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    }
-  },
-  "servicePath": "",
-  "title": "Contact Delegation API",
-  "version": "v1",
-  "version_module": true
-}
--- a/src/datastudio-v1.json
+++ b/src/datastudio-v1.json
@@ -1,486 +0,0 @@
-{
-  "basePath": "",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://support.google.com/datastudio",
-  "canonicalName": "Data Studio",
-  "id": "datastudio:v1",
-  "ownerName": "Google",
-  "description": "Allows programmatic viewing and editing of Data Studio assets.",
-  "rootUrl": "https://datastudio.googleapis.com/",
-  "ownerDomain": "google.com",
-  "mtlsRootUrl": "https://datastudio.mtls.googleapis.com/",
-  "batchPath": "batch",
-  "version_module": true,
-  "version": "v1",
-  "schemas": {
-    "Asset": {
-      "id": "Asset",
-      "properties": {
-        "title": {
-          "description": "The title of the asset.",
-          "type": "string"
-        },
-        "createTime": {
-          "format": "google-datetime",
-          "description": "Date the asset was created.",
-          "type": "string"
-        },
-        "lastViewByMeTime": {
-          "type": "string",
-          "description": "Date the asset was last viewed by me.",
-          "format": "google-datetime"
-        },
-        "owner": {
-          "type": "string",
-          "description": "The owner of the asset."
-        },
-        "name": {
-          "type": "string",
-          "description": "The name of the asset."
-        },
-        "trashed": {
-          "type": "boolean",
-          "description": "Value indicating if the asset is in the trash."
-        },
-        "updateTime": {
-          "format": "google-datetime",
-          "description": "Date the asset was last modified.",
-          "type": "string"
-        },
-        "updateByMeTime": {
-          "description": "Date the asset was last modified by me.",
-          "type": "string",
-          "format": "google-datetime"
-        },
-        "assetType": {
-          "enumDescriptions": [
-            "Asset type not specified.",
-            "A report asset.",
-            "A data Source asset."
-          ],
-          "enum": [
-            "ASSET_TYPE_UNSPECIFIED",
-            "REPORT",
-            "DATA_SOURCE"
-          ],
-          "description": "The type of the asset.",
-          "type": "string"
-        }
-      },
-      "description": "A Data Studio asset.",
-      "type": "object"
-    },
-    "SearchAssetsResponse": {
-      "id": "SearchAssetsResponse",
-      "properties": {
-        "assets": {
-          "items": {
-            "$ref": "Asset"
-          },
-          "type": "array",
-          "description": "The list of assets."
-        },
-        "nextPageToken": {
-          "type": "string",
-          "description": "A token to retrieve next page of results. Pass this value in the SearchAssetsRequest.page_token field in the subsequent call to `SearchAssets` method to retrieve the next page of results."
-        }
-      },
-      "description": "Response message for DataStudioService.SearchAssets",
-      "type": "object"
-    },
-    "UpdatePermissionsRequest": {
-      "description": "Request message for DataStudioService.UpdatePermissions",
-      "properties": {
-        "updateMask": {
-          "description": "The list of fields to be updated. Currently not supported.",
-          "type": "string",
-          "format": "google-fieldmask"
-        },
-        "permissions": {
-          "description": "The permissions object to update.",
-          "$ref": "Permissions"
-        }
-      },
-      "id": "UpdatePermissionsRequest",
-      "type": "object"
-    },
-    "AddMembersRequest": {
-      "properties": {
-        "members": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Required. The members to add to the role. The format of a member is one of - user:alice@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-app@appspot.gserviceaccount.com"
-        },
-        "role": {
-          "type": "string",
-          "enumDescriptions": [
-            "Role not specified.",
-            "A viewer.",
-            "An editor.",
-            "An owner.",
-            "Link shared viewer.",
-            "Link shared editor."
-          ],
-          "enum": [
-            "ROLE_UNSPECIFIED",
-            "VIEWER",
-            "EDITOR",
-            "OWNER",
-            "LINK_VIEWER",
-            "LINK_EDITOR"
-          ],
-          "description": "Required. The role to add members to."
-        }
-      },
-      "type": "object",
-      "id": "AddMembersRequest",
-      "description": "Request message for DataStudioService.AddMembers"
-    },
-    "Permissions": {
-      "type": "object",
-      "id": "Permissions",
-      "description": "A Data Studio asset's Permissions.",
-      "properties": {
-        "permissions": {
-          "description": "A map from a Role to a list of members. Role is a string representation of the Role enum. One of: - OWNER - EDITOR - VIEWER",
-          "additionalProperties": {
-            "$ref": "Members"
-          },
-          "type": "object"
-        },
-        "etag": {
-          "format": "byte",
-          "description": "etag to detect and fail concurrent modifications",
-          "type": "string"
-        }
-      }
-    },
-    "RevokeAllPermissionsRequest": {
-      "description": "Request message for DataStudioService.RevokeAllPermissions",
-      "id": "RevokeAllPermissionsRequest",
-      "type": "object",
-      "properties": {
-        "members": {
-          "description": "Required. The members that are having their access revoked. The format of a member is one of - user:alice@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-app@appspot.gserviceaccount.com",
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      }
-    },
-    "Members": {
-      "description": "A wrapper message for a list of members.",
-      "properties": {
-        "members": {
-          "description": "Format of string is one of - user:alice@example.com - group:admins@example.com - domain:google.com - serviceAccount:my-app@appspot.gserviceaccount.com",
-          "items": {
-            "type": "string"
-          },
-          "type": "array"
-        }
-      },
-      "type": "object",
-      "id": "Members"
-    }
-  },
-  "name": "datastudio",
-  "protocol": "rest",
-  "baseUrl": "https://datastudio.googleapis.com/",
-  "title": "Data Studio API",
-  "revision": "20210412",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x32": "http://www.google.com/images/icons/product/search-32.gif",
-    "x16": "http://www.google.com/images/icons/product/search-16.gif"
-  },
-  "parameters": {
-    "quotaUser": {
-      "location": "query",
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "location": "query",
-      "type": "boolean",
-      "description": "Returns response with indentations and line breaks.",
-      "default": "true"
-    },
-    "callback": {
-      "location": "query",
-      "type": "string",
-      "description": "JSONP"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "type": "string",
-      "location": "query"
-    },
-    "upload_protocol": {
-      "type": "string",
-      "location": "query",
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\")."
-    },
-    "$.xgafv": {
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "description": "V1 error format.",
-      "location": "query",
-      "type": "string",
-      "enum": [
-        "1",
-        "2"
-      ]
-    },
-    "oauth_token": {
-      "type": "string",
-      "location": "query",
-      "description": "OAuth 2.0 token for the current user."
-    },
-    "alt": {
-      "type": "string",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "location": "query",
-      "description": "Data format for response.",
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "default": "json"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "type": "string",
-      "description": "OAuth access token.",
-      "location": "query"
-    },
-    "key": {
-      "type": "string",
-      "location": "query",
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token."
-    }
-  },
-  "servicePath": "",
-  "kind": "discovery#restDescription",
-  "resources": {
-    "assets": {
-      "methods": {
-        "getPermissions": {
-          "parameters": {
-            "name": {
-              "type": "string",
-              "location": "path",
-              "description": "Required. The name of the asset.",
-              "required": true
-            },
-            "role": {
-              "enumDescriptions": [
-                "Role not specified.",
-                "A viewer.",
-                "An editor.",
-                "An owner.",
-                "Link shared viewer.",
-                "Link shared editor."
-              ],
-              "type": "string",
-              "location": "query",
-              "description": "The role of the permssion.",
-              "enum": [
-                "ROLE_UNSPECIFIED",
-                "VIEWER",
-                "EDITOR",
-                "OWNER",
-                "LINK_VIEWER",
-                "LINK_EDITOR"
-              ]
-            }
-          },
-          "id": "datastudio.assets.getPermissions",
-          "response": {
-            "$ref": "Permissions"
-          },
-          "flatPath": "v1/assets/{name}/permissions",
-          "path": "v1/assets/{name}/permissions",
-          "description": "Gets the asset's permission for a given role.",
-          "parameterOrder": [
-            "name"
-          ],
-          "httpMethod": "GET"
-        },
-        "updatePermissions": {
-          "id": "datastudio.assets.updatePermissions",
-          "parameterOrder": [
-            "name"
-          ],
-          "flatPath": "v1/assets/{name}/permissions",
-          "description": "Updates a permission.",
-          "request": {
-            "$ref": "UpdatePermissionsRequest"
-          },
-          "path": "v1/assets/{name}/permissions",
-          "parameters": {
-            "name": {
-              "description": "Required. The name of the asset.",
-              "location": "path",
-              "type": "string",
-              "required": true
-            }
-          },
-          "response": {
-            "$ref": "Permissions"
-          },
-          "httpMethod": "PATCH"
-        },
-        "get": {
-          "path": "v1/{+name}",
-          "id": "datastudio.assets.get",
-          "parameterOrder": [
-            "name"
-          ],
-          "description": "Gets the asset by name.",
-          "parameters": {
-            "name": {
-              "description": "Required. The name of the asset. Format: assets/{asset}",
-              "location": "path",
-              "required": true,
-              "pattern": "^assets/[^/]+$",
-              "type": "string"
-            }
-          },
-          "flatPath": "v1/assets/{assetsId}",
-          "response": {
-            "$ref": "Asset"
-          },
-          "httpMethod": "GET"
-        },
-        "search": {
-          "response": {
-            "$ref": "SearchAssetsResponse"
-          },
-          "path": "v1/assets:search",
-          "parameters": {
-            "pageToken": {
-              "type": "string",
-              "location": "query",
-              "description": "A token identifying a page of results the server should return. Use the value of SearchAssetsResponse.next_page_token returned from the previous call to `SearchAssets` method."
-            },
-            "assetTypes": {
-              "type": "string",
-              "repeated": true,
-              "description": "Exactly one AssetType must be specified.",
-              "enumDescriptions": [
-                "Asset type not specified.",
-                "A report asset.",
-                "A data Source asset."
-              ],
-              "location": "query",
-              "enum": [
-                "ASSET_TYPE_UNSPECIFIED",
-                "REPORT",
-                "DATA_SOURCE"
-              ]
-            },
-            "title": {
-              "description": "The title of assets to include. Not an exact match, works the same as search from the UI.",
-              "location": "query",
-              "type": "string"
-            },
-            "owner": {
-              "type": "string",
-              "location": "query",
-              "description": "The email of the owner of the asset."
-            },
-            "pageSize": {
-              "description": "Requested page size. If unspecified, server will pick an appropriate default.",
-              "location": "query",
-              "type": "integer",
-              "format": "int32"
-            },
-            "orderBy": {
-              "location": "query",
-              "description": "How the results should be ordered. Valid options are: - title",
-              "type": "string"
-            },
-            "includeTrashed": {
-              "location": "query",
-              "type": "boolean",
-              "description": "Value indicating if assets in trash should be included."
-            }
-          },
-          "flatPath": "v1/assets:search",
-          "httpMethod": "GET",
-          "description": "Searches assets.",
-          "id": "datastudio.assets.search",
-          "parameterOrder": []
-        }
-      },
-      "resources": {
-        "permissions": {
-          "methods": {
-            "revokeAllPermissions": {
-              "path": "v1/assets/{name}/permissions:revokeAllPermissions",
-              "response": {
-                "$ref": "Permissions"
-              },
-              "flatPath": "v1/assets/{name}/permissions:revokeAllPermissions",
-              "id": "datastudio.assets.permissions.revokeAllPermissions",
-              "description": "Revokes one or more members' access to an asset.",
-              "parameters": {
-                "name": {
-                  "required": true,
-                  "type": "string",
-                  "location": "path",
-                  "description": "Required. The name of the asset."
-                }
-              },
-              "parameterOrder": [
-                "name"
-              ],
-              "httpMethod": "POST",
-              "request": {
-                "$ref": "RevokeAllPermissionsRequest"
-              }
-            },
-            "addMembers": {
-              "path": "v1/assets/{name}/permissions:addMembers",
-              "parameters": {
-                "name": {
-                  "required": true,
-                  "location": "path",
-                  "type": "string",
-                  "description": "Required. The name of the asset."
-                }
-              },
-              "httpMethod": "POST",
-              "parameterOrder": [
-                "name"
-              ],
-              "response": {
-                "$ref": "Permissions"
-              },
-              "id": "datastudio.assets.permissions.addMembers",
-              "request": {
-                "$ref": "AddMembersRequest"
-              },
-              "description": "Adds one or more members to a role.",
-              "flatPath": "v1/assets/{name}/permissions:addMembers"
-            }
-          }
-        }
-      }
-    }
-  }
-}
--- a/src/gam-install.sh
+++ b/src/gam-install.sh
@@ -8,7 +8,7 @@ GAM installation script.
 OPTIONS:
   -h      show help.
   -d      Directory where gam folder will be installed. Default is \$HOME/bin/
-   -a      Architecture to install (i386, x86_64, x86_64_legacy, arm, arm64). Default is to detect your arch with "uname -m".
+   -a      Architecture to install (x86_64, arm64). Default is to detect your arch with "uname -m".
   -o      OS we are running (linux, macos). Default is to detect your OS with "uname -s".
   -b      OS version. Default is to detect on MacOS and Linux.
   -l      Just upgrade GAM to latest version. Skips project creation and auth.
@@ -21,7 +21,7 @@ EOF
 }

 target_dir="$HOME/bin"
-target_gam="gam7/gam"
+target_folder="$target_dir/gam7"
 gamarch=$(uname -m)
 gamos=$(uname -s)
 osversion=""
@@ -30,15 +30,13 @@ upgrade_only=false
 gamversion="latest"
 adminuser=""
 regularuser=""
-gam_x86_64_glibc_vers="2.35"
-gam_arm64_glibc_vers="2.35"
 strip_gam="--strip-components 0"

 while getopts "hd:a:o:b:lp:u:r:v:s" OPTION
 do
     case $OPTION in
         h) usage; exit;;
-         d) target_dir="$OPTARG";;
+         d) target_dir="${OPTARG%/}"; target_folder="$target_dir/gam7";;
         a) gamarch="$OPTARG";;
         o) gamos="$OPTARG";;
         b) osversion="$OPTARG";;
@@ -47,13 +45,11 @@ do
         u) adminuser="$OPTARG";;
         r) regularuser="$OPTARG";;
         v) gamversion="$OPTARG";;
-         s) strip_gam="--strip-components 1"; target_gam="gam";;
+         s) strip_gam="--strip-components 1"; target_folder="$target_dir";;
         ?) usage; exit;;
     esac
 done
-
-# remove possible / from end of target_dir
-target_dir=${target_dir%/}
+target_gam="$target_folder/gam"

 update_profile() {
        [ "$2" -eq 1 ] || [ -f "$1" ] || return 1
@@ -90,7 +86,6 @@ version_gt()
 # MacOS < 10.13 doesn't support sort -V
 echo "" | sort -V > /dev/null 2>&1
 vsort_failed=$?
-echo "Check:${2}"
 if [ "${1}" = "${2}" ]; then
  true
 elif (( $vsort_failed != 0 )); then
@@ -100,81 +95,6 @@ else
 fi
 }

-case $gamos in
-  [lL]inux)
-    gamos="linux"
-    if [ "$osversion" == "" ]; then
-      this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
-    else
-      this_glibc_ver=$osversion
-    fi
-    echo "This Linux distribution uses glibc $this_glibc_ver"
-    case $gamarch in
-      x86_64)
-        useglibc="legacy"
-        for gam_glibc_ver in $gam_x86_64_glibc_vers; do
-          if version_gt $this_glibc_ver $gam_glibc_ver; then
-            useglibc="glibc$gam_glibc_ver"
-            echo_green "Using GAM compiled against $useglibc"
-            break
-          fi
-        done
-        gamfile="linux-x86_64-$useglibc.tar.xz";;
-      arm|arm64|aarch64)
-        useglibc=""
-        for gam_glibc_ver in $gam_arm64_glibc_vers; do
-          if version_gt $this_glibc_ver $gam_glibc_ver; then
-            useglibc="glibc$gam_glibc_ver"
-            echo_green "Using GAM compiled against $useglibc"
-            break
-          fi
-        done
-        if [ "$useglibc" == "" ]; then
-          echo_red "Sorry, you need to be running at least glibc $useglibc to run GAM"
-          exit
-        fi
-        gamfile="linux-aarch64-$useglibc.tar.xz";;
-      *)
-        echo_red "ERROR: this installer currently only supports x86_64 and arm64 Linux. Looks like you're running on $gamarch. Exiting."
-        exit
-    esac
-    ;;
-  [Mm]ac[Oo][sS]|[Dd]arwin)
-    gamos="macos"
-    fullversion=$(sw_vers -productVersion)
-    osversion=${fullversion:0:2}
-    case $gamarch in
-      x86_64)
-        gamfile="macos-x86_64.tar.xz"
-	minimum_version=13
-        ;;
-      arm|arm64|aarch64)
-        gamfile="macos-aarch64.tar.xz"
-	minimum_version=14
-        ;;
-      *)
-        echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on $gamarch. Exiting."
-        exit
-	;;
-    esac
-    if [[ "$osversion" -ge "$minimum_version" ]]; then
-      echo_green "You are running MacOS ${fullversion}, good. Using GAM with ${gamfile}."
-    else
-      echo_red "Sorry, you are running MacOS ${fullversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
-      exit
-    fi
-    ;;
-  MINGW64_NT*)
-    gamos="windows"
-    echo "You are running Windows"
-    gamfile="-windows-x86_64.zip"
-    ;;
-  *)
-    echo_red "Sorry, this installer currently only supports Linux and MacOS. Looks like you're running on $gamos. Exiting."
-    exit
-    ;;
-esac
-
 if [ "$gamversion" == "latest" ]; then
  release_url="https://api.github.com/repos/GAM-team/GAM/releases/latest"
 elif [ "$gamversion" == "prerelease" -o "$gamversion" == "draft" ]; then
@@ -185,15 +105,34 @@ fi

 if [ -z ${GHCLIENT+x} ]; then
  check_type="unauthenticated"
-  echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
-  release_json=$(curl -s "$release_url" 2>&1 /dev/null)
+  curl_opts=( )
 else
  check_type="authenticated"
-  echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
-  release_json=$(curl -s "$GHCLIENT" "$release_url" 2>&1 /dev/null)
+  curl_opts=( "$GHCLIENT" )
+fi
+curl_ver=$(curl --version|head -1|cut -d " " -f 2)
+if [[ "${curl_ver:0:4}" < "7.76" ]]; then
+  curl_fail=( )
+else
+  curl_fail=( "--fail-with-body" )
+fi
+echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
+release_json=$(curl \
+	--silent \
+	"${curl_opts[@]}" \
+	-H "Accept: application/vnd.github+json" \
+	-H "X-GitHub-Api-Version: 2022-11-28" \
+	"$release_url" \
+	"${curl_fail[@]}")
+curl_exit_code=$?
+if [ $curl_exit_code -ne 0 ]; then
+  echo_red "ERROR retrieving URL: ${release_json}"
+  exit
+else
+  echo_green "done"
 fi

-echo_yellow "Getting file and download URL..."
+echo_yellow "Calculating download URL for this device..."
 # Python is sadly the nearest to universal way to safely handle JSON with Bash
 # At least this code should be compatible with just about any Python version ever
 # unlike GAM itself. If some users don't have Python we can try grep / sed / etc
@@ -215,11 +154,9 @@ if type(release) is list:
    break
 try:
  for asset in release['assets']:
-    if asset[attrib].endswith('$gamfile'):
-      print(asset[attrib])
-      break
-  else:
-    print('ERROR: Attribute: {0} for $gamfile version {1} not found'.format(attrib, gamversion))
+    print(asset[attrib])
+  #else:
+  #  print('ERROR: Attribute: {0} for version {1} not found'.format(attrib, gamversion))
 except KeyError:
  print('ERROR: assets value not found in JSON value of:\n\n%s' % release)"

@@ -245,41 +182,161 @@ if (( $rc != 0 )); then
  echo_red "ERROR: No version of python installed."
  exit
 fi
+# also sort the URLs once so we're evaluating newest OS version first
+download_urls=$(echo "$release_json" | \
+	        $pycmd -c "$pycode" browser_download_url "$gamversion" | \
+	        sort --version-sort --reverse)
+if [[ ${download_urls:0:5} = "ERROR" ]]; then
+  echo_red "${download_urls}"
+  exit
+fi
+
+case $gamos in
+  [lL]inux)
+    gamos="linux"
+    download_urls=$(echo -e "$download_urls" | grep -e "-linux-")
+    if [ "$osversion" == "" ]; then
+      this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
+    else
+      this_glibc_ver=$osversion
+    fi
+    echo "This Linux distribution uses glibc $this_glibc_ver"
+    case $gamarch in
+      x86_64)
+	download_urls=$(echo -e "$download_urls" | grep -e "-x86_64-")
+	gam_x86_64_glibc_vers=$(echo -e "$download_urls" | \
+		grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' \
+	        | cut -c 6-9 )
+	useglibc="legacy"
+        for gam_glibc_ver in $gam_x86_64_glibc_vers; do
+	  if version_gt $this_glibc_ver $gam_glibc_ver; then
+            useglibc="glibc$gam_glibc_ver"
+            echo_green "Using GAM compiled against $useglibc"
+            break
+          fi
+        done
+        download_url=$(echo -e "$download_urls" | grep "$useglibc")
+	;;
+      arm|arm64|aarch64)
+        download_urls=$(echo -e "$download_urls" | grep -e "-arm64-\|-aarch64-")
+        gam_arm64_glibc_vers=$(echo -e "$download_urls" | \
+                grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' | \
+                cut -c 6-9)
+        useglibc="legacy"
+        for gam_glibc_ver in $gam_arm64_glibc_vers; do
+          if version_gt $this_glibc_ver $gam_glibc_ver; then
+            useglibc="glibc$gam_glibc_ver"
+            echo_green "Using GAM compiled against $useglibc"
+            break
+          fi
+        done
+        download_url=$(echo -e "$download_urls" | grep "$useglibc")
+	;;
+      *)
+        echo_red "ERROR: this installer currently only supports x86_64 and arm64 Linux. Looks like you're running on $gamarch. Exiting."
+        exit
+    esac
+    ;;
+  [Mm]ac[Oo][sS]|[Dd]arwin)
+    gamos="macos"
+    currentversion=$(sw_vers -productVersion | awk -F '.' '{print $1 "." $2}')
+    # override osversion only if it wasn't set by cli arguments
+    osversion=${osversion:-${currentversion}}
+    # override osversion only if it wasn't set by cli arguments
+    download_urls=$(echo -e "$download_urls" | grep -e "-macos")
+    case $gamarch in
+      x86_64)
+        archgrep="-x86_64"
+	;;
+      arm|arm64|aarch64)
+        archgrep="-arm64\|-aarch64"
+        ;;
+      *)
+        echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on ${gamarch}. Exiting."
+        exit
+	;;
+    esac
+    gam_macos_urls=$(echo -e "$download_urls" | \
+                     grep -e $archgrep)
+    versionless_urls=$(echo -e "$gam_macos_urls" | \
+                       grep -e "-macos-")
+    if [ "$versionless_urls" == "" ]; then
+        # versions after 7.00.38 include MacOS version info
+        gam_macos_vers=$(echo -e "$gam_macos_urls" | \
+                         grep --only-matching -e '-macos[0-9\.]*' | \
+                         cut -c 7-10)
+        for gam_mac_ver in $gam_macos_vers; do
+            if version_gt $currentversion $gam_mac_ver; then
+                download_url=$(echo -e "$gam_macos_urls" | grep "$gam_mac_ver")
+                echo_green "You are running MacOS ${currentversion} Using GAM compiled against ${gam_mac_ver}"
+                break
+            fi
+            done
+        if [ -z ${download_url+x} ]; then
+	    echo_red "Sorry, you are running MacOS ${osversion} but GAM on ${gamarch} requires MacOS ${gam_mac_ver} or newer. Exiting."
+            exit
+	fi
+    else
+        # versions 7.00.38 and older don't include version info
+        case $gamarch in
+            x86_64)
+	        minimum_version=13
+                ;;
+            arm|arm64|aarch64)
+	        minimum_version=14
+                ;;
+        esac
+        download_url=$(echo -e "$download_urls" | grep -e $archgrep)
+        if version_gt "$osversion" "$minimum_version"; then
+            echo_green "You are running MacOS ${osversion}, good. Downloading GAM from ${download_url}."
+        else
+          echo_red "Sorry, you are running MacOS ${osversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
+          exit
+        fi 
+        if [ -z ${download_url+x} ]; then
+          echo_red "Sorry, you are running MacOS ${currentversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
+          exit
+        fi
+    fi
+    ;;
+  MINGW64_NT*)
+    gamos="windows"
+    echo "You are running Windows"
+    download_url=$(echo -e "$download_urls" | \
+                   grep -e "-windows-" | \
+                   grep ".zip")
+    ;;
+  *)
+    echo_red "Sorry, this installer currently only supports Linux and MacOS. Looks like you're running on ${gamos}. Exiting."
+    exit
+    ;;
+esac

-browser_download_url=$(echo "$release_json" | $pycmd -c "$pycode" browser_download_url "$gamversion")
-if [[ ${browser_download_url:0:5} = "ERROR" ]]; then
-  echo_red "${browser_download_url}"
-  exit
-fi
-name=$(echo "$release_json" | $pycmd -c "$pycode" name "$gamversion")
-if [[ ${name:0:5} = "ERROR" ]]; then
-  echo_red "${name}"
-  exit
-fi
 # Temp dir for archive
-#temp_archive_dir=$(mktemp -d)
 temp_archive_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')

 # Clean up after ourselves even if we are killed with CTRL-C
 trap "rm -rf $temp_archive_dir" EXIT

-echo_yellow "Downloading file $name from $browser_download_url to $temp_archive_dir ($check_type)..."
-# Save archive to temp w/o losing our path
-if [ -z ${GHCLIENT+x} ]; then
-  (cd "$temp_archive_dir" && curl -O -L $browser_download_url)
-else
-  (cd "$temp_archive_dir" && curl -O -L $GHCLIENT $browser_download_url)
-fi
+# hack to grab the end of the URL which should be the filename.
+name=$(echo -e "$download_url" | rev | cut -f1 -d "/" | rev)

-mkdir -p "$target_dir"
+echo_yellow "Downloading ${download_url} to $temp_archive_dir ($check_type)..."
+# Save archive to temp w/o losing our path
+(cd "$temp_archive_dir" && curl -O -L -s "${curl_opts[@]}" "$download_url")
+
+mkdir -p "$target_folder"
+echo_yellow "Deleting contents of $target_folder/lib"
+rm -frv "$target_folder/lib"

 echo_yellow "Extracting archive to $target_dir"
-if [[ "${name}" == *.tar.xz ]]; then
-  tar $strip_gam -xf "$temp_archive_dir"/"$name" -C "$target_dir"
-elif [[ "${name}" == *.tar ]]; then
+if [[ "$name" =~ tar.xz|tar.gz|tar ]]; then
  tar $strip_gam -xf "$temp_archive_dir"/"$name" -C "$target_dir"
+elif [[ "$name" == *.zip ]]; then
+  unzip -o "${temp_archive_dir}/${name}" -d "${target_dir}"
 else
-  unzip "${temp_archive_dir}/${name}" -d "${target_dir}"
+  echo "I don't know what to do with files like ${name}. Giving up."
+  exit 1
 fi
 rc=$?
 if (( $rc != 0 )); then
@@ -291,7 +348,7 @@ fi

 # Update profile to add gam command
 if [ "$update_profile" = true ]; then
-  alias_line="alias gam=\"${target_dir// /\\ }/$target_gam\""
+  alias_line="alias gam=\"$target_gam\""
  if [ "$gamos" == "linux" ]; then
    update_profile "$HOME/.bash_aliases" 0 || update_profile "$HOME/.bash_profile" 0 || update_profile "$HOME/.bashrc" 0
    update_profile "$HOME/.zshrc" 0
@@ -305,7 +362,7 @@ fi

 if [ "$upgrade_only" = true ]; then
  echo_green "Here's information about your GAM upgrade:"
-  "$target_dir/$target_gam" version extended
+  "$target_gam" version extended
  rc=$?
  if (( $rc != 0 )); then
    echo_red "ERROR: Failed running GAM for the first time with return code $rc. Please report this error to GAM mailing list. Exiting."
@@ -327,7 +384,7 @@ while true; do
      ;;
    [Nn]*)
 #      config_cmd="config no_browser true"
-      touch "$target_dir/gam/nobrowser.txt" > /dev/null 2>&1
+      touch "$target_folder/nobrowser.txt" > /dev/null 2>&1
      break
      ;;
    *)
@@ -345,8 +402,8 @@ while true; do
      if [ "$adminuser" == "" ]; then
        read -p "Please enter your Google Workspace admin email address: " adminuser
      fi
-#      "$target_dir/$target_gam" $config_cmd create project $adminuser
-      "$target_dir/$target_gam" create project $adminuser
+#      "$target_gam" $config_cmd create project $adminuser
+      "$target_gam" create project $adminuser
      rc=$?
      if (( $rc == 0 )); then
        echo_green "Project creation complete."
@@ -371,8 +428,8 @@ while $project_created; do
  read -p "Are you ready to authorize GAM to perform Google Workspace management operations as your admin account? (yes or no) " yn
  case $yn in
    [Yy]*)
-#      "$target_dir/$target_gam" $config_cmd oauth create $adminuser
-      "$target_dir/$target_gam" oauth create $adminuser
+#      "$target_gam" $config_cmd oauth create $adminuser
+      "$target_gam" oauth create $adminuser
      rc=$?
      if (( $rc == 0 )); then
        echo_green "Admin authorization complete."
@@ -401,8 +458,8 @@ while $admin_authorized; do
        read -p "Please enter the email address of a regular Google Workspace user: " regularuser
      fi
      echo_yellow "Great! Checking service account scopes.This will fail the first time. Follow the steps to authorize and retry. It can take a few minutes for scopes to PASS after they've been authorized in the admin console."
-#      "$target_dir/$target_gam" $config_cmd user $regularuser check serviceaccount
-      "$target_dir/$target_gam" user $regularuser check serviceaccount
+#      "$target_gam" $config_cmd user $regularuser check serviceaccount
+      "$target_gam" user $regularuser check serviceaccount
      rc=$?
      if (( $rc == 0 )); then
        echo_green "Service account authorization complete."
@@ -423,8 +480,8 @@ while $admin_authorized; do
 done

 echo_green "Here's information about your new GAM installation:"
-#"$target_dir/$target_gam" $config_cmd save version extended
-"$target_dir/$target_gam" version extended
+#"$target_gam" $config_cmd save version extended
+"$target_gam" version extended
 rc=$?
 if (( $rc != 0 )); then
  echo_red "ERROR: Failed running GAM for the first time with $rc. Please report this error to GAM mailing list. Exiting."
--- a/src/gam.exe.manifest
+++ b/src/gam.exe.manifest
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
+<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
+    <application> 
+        <!-- Windows 8.1 / Server 2012 R2 -->
+        <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />
+        <!-- Windows 10+ / Server 2016+ -->
+        <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />
+    </application> 
+</compatibility>
+</assembly>
--- a/src/gam.spec
+++ b/src/gam.spec
@@ -1,25 +1,47 @@
 # -*- mode: python ; coding: utf-8 -*-
 from os import getenv
-from re import search
+import re
 from sys import platform

 from PyInstaller.utils.hooks import copy_metadata

 from gam.gamlib.glverlibs import GAM_VER_LIBS

+
+with open("gam/__init__.py") as f:
+    version_file = f.read()
+version = re.search(r"^__version__ = ['\"]([^'\"]*)['\"]", version_file, re.M).group(1)
+version_list = [int(i) for i in version.split('.')]
+while len(version_list) < 4:
+  version_list.append(0)
+version_tuple = tuple(version_list)
+version_str = str(version_tuple)
+with open("version_info.txt.in") as f:
+    version_info = f.read()
+version_info = version_info.replace("{VERSION}", version).replace(
+    "{VERSION_TUPLE}", version_str
+)
+with open("version_info.txt", "w") as f:
+    f.write(version_info)
+print(version_info)
+
 datas = []
 for pkg in GAM_VER_LIBS:
    datas += copy_metadata(pkg, recursive=True)
-datas += [('admin-directory_v1.1beta1.json', '.')]
-datas += [('cbcm-v1.1beta1.json', '.')]
-datas += [('contactdelegation-v1.json', '.')]
-datas += [('datastudio-v1.json', '.')]
-datas += [('serviceaccountlookup-v1.json', '.')]
+datas += [('gam/cbcm-v1.1beta1.json', '.')]
+datas += [('gam/contactdelegation-v1.json', '.')]
+datas += [('gam/datastudio-v1.json', '.')]
+datas += [('gam/meet-v2beta.json', '.')]
+datas += [('gam/serviceaccountlookup-v1.json', '.')]
 datas += [('cacerts.pem', '.')]
 hiddenimports = [
     'gam.gamlib.yubikey',
     ]

+excludes = [
+    'pkg_resources',
+]
+
 runtime_hooks = []
 a = Analysis(
    ['gam/__main__.py'],
@@ -30,7 +52,7 @@ a = Analysis(
    hookspath=[],
    hooksconfig={},
    runtime_hooks=runtime_hooks,
-    excludes=[],
+    excludes=excludes,
    win_no_prefer_redirects=False,
    win_private_assemblies=False,
    cipher=None,
@@ -50,6 +72,8 @@ pyz = PYZ(a.pure,
 target_arch = None
 codesign_identity = None
 entitlements_file = None
+manifest = None
+version = 'version_info.txt'
 match platform:
    case "darwin":
        if getenv('arch') == 'universal2':
@@ -62,6 +86,7 @@ match platform:
    case "win32":
        target_arch = None
        strip = False
+        manifest = 'gam.exe.manifest'
    case _:
        target_arch = None
        strip = True
@@ -83,6 +108,7 @@ if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
              debug=debug,
              bootloader_ignore_signals=bootloader_ignore_signals,
              strip=strip,
+              manifest=manifest,
              upx=upx,
              console=console,
              # put most everyting under a lib/ subfolder
@@ -92,6 +118,7 @@ if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
              target_arch=target_arch,
              codesign_identity=codesign_identity,
              entitlements_file=entitlements_file,
+              version=version,
              )
    coll = COLLECT(
        exe,
@@ -115,6 +142,7 @@ else:
              name=name,
              debug=debug,
              bootloader_ignore_signals=bootloader_ignore_signals,
+              manifest=manifest,
              strip=strip,
              upx=upx,
              console=console,
@@ -123,5 +151,6 @@ else:
              target_arch=target_arch,
              codesign_identity=codesign_identity,
              entitlements_file=entitlements_file,
+              version=version,
              )

--- a/src/gam/init.py
+++ b/src/gam/init.py
--- a/src/gam/admin-directory_v1.1beta1.json
+++ b/src/gam/admin-directory_v1.1beta1.json
--- a/src/gam/atom/http.py
+++ b/src/gam/atom/http.py
@@ -247,7 +247,9 @@ class ProxiedHttpClient(HttpClient):
                # Trivial setup for ssl socket.
                sslobj = None
                if ssl_imported:
-                    sslobj = ssl.wrap_socket(p_sock, None, None)
+                    context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                    context.minimum_version = ssl.TLSVersion.TLSv1_2
+                    sslobj = context.wrap_socket(p_sock, server_hostname=url.host)
                else:
                    sock_ssl = socket.ssl(p_sock, None, None)
                    sslobj = http.client.FakeSocket(p_sock, sock_ssl)
--- a/src/gam/atom/http_core.py
+++ b/src/gam/atom/http_core.py
@@ -564,9 +564,11 @@ class ProxiedHttpClient(HttpClient):
            # Trivial setup for ssl socket.
            sslobj = None
            if ssl is not None:
-                sslobj = ssl.wrap_socket(p_sock, None, None)
+                context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+                context.minimum_version = ssl.TLSVersion.TLSv1_2
+                sslobj = context.wrap_socket(p_sock, server_hostname=uri.host)
            else:
-                sock_ssl = socket.ssl(p_sock, None, Nonesock_)
+                sock_ssl = socket.ssl(p_sock, None, None)
                sslobj = http.client.FakeSocket(p_sock, sock_ssl)
            # Initalize httplib and replace with the proxy socket.
            connection = http.client.HTTPConnection(proxy_uri.host)
--- a/src/gam/atom/mock_http.py
+++ b/src/gam/atom/mock_http.py
@@ -108,7 +108,7 @@ class MockHttpClient(atom.http_interface.GenericHttpClient):
            for recording in self.recordings:
                if recording[0].operation == operation and recording[0].url == url:
                    return recording[1]
-            raise NoRecordingFound('No recodings found for %s %s' % (
+            raise NoRecordingFound('No recordings found for %s %s' % (
                operation, url))
        else:
            # There is a real HTTP client, so make the request, and record the
--- a/src/gam/cacerts.pem
+++ b/src/gam/cacerts.pem
@@ -1,33 +1,3 @@
-# Operating CA: DigiCert
-# Issuer: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Subject: CN=Baltimore CyberTrust Root O=Baltimore OU=CyberTrust
-# Label: "Baltimore CyberTrust Root"
-# Serial: 33554617
-# MD5 Fingerprint: ac:b6:94:a5:9c:17:e0:d7:91:52:9b:b1:97:06:a6:e4
-# SHA1 Fingerprint: d4:de:20:d0:5e:66:fc:53:fe:1a:50:88:2c:78:db:28:52:ca:e4:74
-# SHA256 Fingerprint: 16:af:57:a9:f6:76:b0:ab:12:60:95:aa:5e:ba:de:f2:2a:b3:11:19:d6:44:ac:95:cd:4b:93:db:f3:f2:6a:eb
-----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
-
 # Operating CA: DigiCert
 # Issuer: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
 # Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
@@ -273,257 +243,6 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
 -----END CERTIFICATE-----

-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
-# Subject: CN=Entrust Root Certification Authority O=Entrust, Inc. OU=www.entrust.net/CPS is incorporated by reference/(c) 2006 Entrust, Inc.
-# Label: "Entrust Root Certification Authority"
-# Serial: 1164660820
-# MD5 Fingerprint: d6:a5:c3:ed:5d:dd:3e:00:c1:3d:87:92:1f:1d:3f:e4
-# SHA1 Fingerprint: b3:1e:b1:b7:40:e3:6c:84:02:da:dc:37:d4:4d:f5:d4:67:49:52:f9
-# SHA256 Fingerprint: 73:c1:76:43:4f:1b:c6:d5:ad:f4:5b:0e:76:e7:27:28:7c:8d:e5:76:16:c1:e6:e6:14:1a:2b:2c:bc:7d:8e:4c
-----BEGIN CERTIFICATE-----
-MIIEkTCCA3mgAwIBAgIERWtQVDANBgkqhkiG9w0BAQUFADCBsDELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
-Lm5ldC9DUFMgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
-KGMpIDIwMDYgRW50cnVzdCwgSW5jLjEtMCsGA1UEAxMkRW50cnVzdCBSb290IENl
-cnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MTEyNzIwMjM0MloXDTI2MTEyNzIw
-NTM0MlowgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMuMTkw
-NwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSBy
-ZWZlcmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNV
-BAMTJEVudHJ1c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBALaVtkNC+sZtKm9I35RMOVcF7sN5EUFo
-Nu3s/poBj6E4KPz3EEZmLk0eGrEaTsbRwJWIsMn/MYszA9u3g3s+IIRe7bJWKKf4
-4LlAcTfFy0cOlypowCKVYhXbR9n10Cv/gkvJrT7eTNuQgFA/CYqEAOwwCj0Yzfv9
-KlmaI5UXLEWeH25DeW0MXJj+SKfFI0dcXv1u5x609mhF0YaDW6KKjbHjKYD+JXGI
-rb68j6xSlkuqUY3kEzEZ6E5Nn9uss2rVvDlUccp6en+Q3X0dgNmBu1kmwhH+5pPi
-94DkZfs0Nw4pgHBNrziGLp5/V6+eF67rHMsoIV+2HNjnogQi+dPa2MsCAwEAAaOB
-sDCBrTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zArBgNVHRAEJDAi
-gA8yMDA2MTEyNzIwMjM0MlqBDzIwMjYxMTI3MjA1MzQyWjAfBgNVHSMEGDAWgBRo
-kORnpKZTgMeGZqTx90tD+4S9bTAdBgNVHQ4EFgQUaJDkZ6SmU4DHhmak8fdLQ/uE
-vW0wHQYJKoZIhvZ9B0EABBAwDhsIVjcuMTo0LjADAgSQMA0GCSqGSIb3DQEBBQUA
-A4IBAQCT1DCw1wMgKtD5Y+iRDAUgqV8ZyntyTtSx29CW+1RaGSwMCPeyvIWonX9t
-O1KzKtvn1ISMY/YPyyYBkVBs9F8U4pN0wBOeMDpQ47RgxRzwIkSNcUesyBrJ6Zua
-AGAT/3B+XxFNSRuzFVJ7yVTav52Vr2ua2J7p8eRDjeIRRDq/r72DQnNSi6q7pynP
-9WQcCk3RvKqsnyrQ/39/2n3qse0wJcGE2jTSW3iDVuycNsMm4hH2Z0kdkquM++v/
-eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
-0vdXcDazv/wor3ElhVsT/h5/WrQ8
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority - EC1 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2012 Entrust, Inc. - for authorized use only
-# Subject: CN=Entrust Root Certification Authority - EC1 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2012 Entrust, Inc. - for authorized use only
-# Label: "Entrust Root Certification Authority - EC1"
-# Serial: 51543124481930649114116133369
-# MD5 Fingerprint: b6:7e:1d:f0:58:c5:49:6c:24:3b:3d:ed:98:18:ed:bc
-# SHA1 Fingerprint: 20:d8:06:40:df:9b:25:f5:12:25:3a:11:ea:f7:59:8a:eb:14:b5:47
-# SHA256 Fingerprint: 02:ed:0e:b2:8c:14:da:45:16:5c:56:67:91:70:0d:64:51:d7:fb:56:f0:b2:ab:1d:3b:8e:b0:70:e5:6e:df:f5
-----BEGIN CERTIFICATE-----
-MIIC+TCCAoCgAwIBAgINAKaLeSkAAAAAUNCR+TAKBggqhkjOPQQDAzCBvzELMAkG
-A1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3
-d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVu
-dHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEzMDEGA1UEAxMq
-RW50cnVzdCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRUMxMB4XDTEy
-MTIxODE1MjUzNloXDTM3MTIxODE1NTUzNlowgb8xCzAJBgNVBAYTAlVTMRYwFAYD
-VQQKEw1FbnRydXN0LCBJbmMuMSgwJgYDVQQLEx9TZWUgd3d3LmVudHJ1c3QubmV0
-L2xlZ2FsLXRlcm1zMTkwNwYDVQQLEzAoYykgMjAxMiBFbnRydXN0LCBJbmMuIC0g
-Zm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxMzAxBgNVBAMTKkVudHJ1c3QgUm9vdCBD
-ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEVDMTB2MBAGByqGSM49AgEGBSuBBAAi
-A2IABIQTydC6bUF74mzQ61VfZgIaJPRbiWlH47jCffHyAsWfoPZb1YsGGYZPUxBt
-ByQnoaD41UcZYUx9ypMn6nQM72+WCf5j7HBdNq1nd67JnXxVRDqiY1Ef9eNi1KlH
-Bz7MIKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
-BBYEFLdj5xrdjekIplWDpOBqUEFlEUJJMAoGCCqGSM49BAMDA2cAMGQCMGF52OVC
-R98crlOZF7ZvHH3hvxGU0QOIdeSNiaSKd0bebWHvAvX7td/M/k7//qnmpwIwW5nX
-hTcGtXsI/esni0qU+eH6p44mCOh8kmhtc9hvJqwhAriZtyZBWyVgrtBIGu4G
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust Root Certification Authority - G2 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2009 Entrust, Inc. - for authorized use only
-# Subject: CN=Entrust Root Certification Authority - G2 O=Entrust, Inc. OU=See www.entrust.net/legal-terms/(c) 2009 Entrust, Inc. - for authorized use only
-# Label: "Entrust Root Certification Authority - G2"
-# Serial: 1246989352
-# MD5 Fingerprint: 4b:e2:c9:91:96:65:0c:f4:0e:5a:93:92:a0:0a:fe:b2
-# SHA1 Fingerprint: 8c:f4:27:fd:79:0c:3a:d1:66:06:8d:e8:1e:57:ef:bb:93:22:72:d4
-# SHA256 Fingerprint: 43:df:57:74:b0:3e:7f:ef:5f:e4:0d:93:1a:7b:ed:f1:bb:2e:6b:42:73:8c:4e:6d:38:41:10:3d:3a:a7:f3:39
-----BEGIN CERTIFICATE-----
-MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
-VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
-cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
-IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz
-dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy
-NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu
-dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt
-dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0
-aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T
-RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN
-cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW
-wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1
-U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0
-jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
-BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN
-BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/
-jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ
-Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v
-1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R
-nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH
-VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
-# Subject: CN=Entrust.net Certification Authority (2048) O=Entrust.net OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/(c) 1999 Entrust.net Limited
-# Label: "Entrust.net Premium 2048 Secure Server CA"
-# Serial: 946069240
-# MD5 Fingerprint: ee:29:31:bc:32:7e:9a:e6:e8:b5:f7:51:b4:34:71:90
-# SHA1 Fingerprint: 50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31
-# SHA256 Fingerprint: 6d:c4:71:72:e0:1c:bc:b0:bf:62:58:0d:89:5f:e2:b8:ac:9a:d4:f8:73:80:1e:0c:10:b9:c8:37:d2:1e:b1:77
-----BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
-bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
-IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
-MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
-LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
-YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
-A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
-sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
-MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
-XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
-HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
-4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
-j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
-U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
-zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
-u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
-bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
-fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Commercial O=AffirmTrust
-# Subject: CN=AffirmTrust Commercial O=AffirmTrust
-# Label: "AffirmTrust Commercial"
-# Serial: 8608355977964138876
-# MD5 Fingerprint: 82:92:ba:5b:ef:cd:8a:6f:a6:3d:55:f9:84:f6:d6:b7
-# SHA1 Fingerprint: f9:b5:b6:32:45:5f:9c:be:ec:57:5f:80:dc:e9:6e:2c:c7:b2:78:b7
-# SHA256 Fingerprint: 03:76:ab:1d:54:c5:f9:80:3c:e4:b2:e2:01:a0:ee:7e:ef:7b:57:b6:36:e8:a9:3c:9b:8d:48:60:c9:6f:5f:a7
-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIId3cGJyapsXwwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBDb21tZXJjaWFsMB4XDTEwMDEyOTE0MDYwNloXDTMwMTIzMTE0MDYwNlowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBDb21tZXJjaWFsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEA9htPZwcroRX1BiLLHwGy43NFBkRJLLtJJRTWzsO3qyxPxkEylFf6EqdbDuKP
-Hx6GGaeqtS25Xw2Kwq+FNXkyLbscYjfysVtKPcrNcV/pQr6U6Mje+SJIZMblq8Yr
-ba0F8PrVC8+a5fBQpIs7R6UjW3p6+DM/uO+Zl+MgwdYoic+U+7lF7eNAFxHUdPAL
-MeIrJmqbTFeurCA+ukV6BfO9m2kVrn1OIGPENXY6BwLJN/3HR+7o8XYdcxXyl6S1
-yHp52UKqK39c/s4mT6NmgTWvRLpUHhwwMmWd5jyTXlBOeuM61G7MGvv50jeuJCqr
-VwMiKA1JdX+3KNp1v47j3A55MQIDAQABo0IwQDAdBgNVHQ4EFgQUnZPGU4teyq8/
-nx4P5ZmVvCT2lI8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQELBQADggEBAFis9AQOzcAN/wr91LoWXym9e2iZWEnStB03TX8nfUYG
-XUPGhi4+c7ImfU+TqbbEKpqrIZcUsd6M06uJFdhrJNTxFq7YpFzUf1GO7RgBsZNj
-vbz4YYCanrHOQnDiqX0GJX0nof5v7LMeJNrjS1UaADs1tDvZ110w/YETifLCBivt
-Z8SOyUOyXGsViQK8YvxO8rUzqrJv0wqiUOP2O+guRMLbZjipM1ZI8W0bM40NjD9g
-N53Tym1+NH4Nn3J2ixufcv1SNUFFApYvHLKac0khsUlHRUe072o0EclNmsxZt9YC
-nlpOZbWUrhvfKbAW8b8Angc6F2S1BLUjIZkKlTuXfO8=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Networking O=AffirmTrust
-# Subject: CN=AffirmTrust Networking O=AffirmTrust
-# Label: "AffirmTrust Networking"
-# Serial: 8957382827206547757
-# MD5 Fingerprint: 42:65:ca:be:01:9a:9a:4c:a9:8c:41:49:cd:c0:d5:7f
-# SHA1 Fingerprint: 29:36:21:02:8b:20:ed:02:f5:66:c5:32:d1:d6:ed:90:9f:45:00:2f
-# SHA256 Fingerprint: 0a:81:ec:5a:92:97:77:f1:45:90:4a:f3:8d:5d:50:9f:66:b5:e2:c5:8f:cd:b5:31:05:8b:0e:17:f3:f0:b4:1b
-----BEGIN CERTIFICATE-----
-MIIDTDCCAjSgAwIBAgIIfE8EORzUmS0wDQYJKoZIhvcNAQEFBQAwRDELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZpcm1UcnVz
-dCBOZXR3b3JraW5nMB4XDTEwMDEyOTE0MDgyNFoXDTMwMTIzMTE0MDgyNFowRDEL
-MAkGA1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MR8wHQYDVQQDDBZBZmZp
-cm1UcnVzdCBOZXR3b3JraW5nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAtITMMxcua5Rsa2FSoOujz3mUTOWUgJnLVWREZY9nZOIG41w3SfYvm4SEHi3y
-YJ0wTsyEheIszx6e/jarM3c1RNg1lho9Nuh6DtjVR6FqaYvZ/Ls6rnla1fTWcbua
-kCNrmreIdIcMHl+5ni36q1Mr3Lt2PpNMCAiMHqIjHNRqrSK6mQEubWXLviRmVSRL
-QESxG9fhwoXA3hA/Pe24/PHxI1Pcv2WXb9n5QHGNfb2V1M6+oF4nI979ptAmDgAp
-6zxG8D1gvz9Q0twmQVGeFDdCBKNwV6gbh+0t+nvujArjqWaJGctB+d1ENmHP4ndG
-yH329JKBNv3bNPFyfvMMFr20FQIDAQABo0IwQDAdBgNVHQ4EFgQUBx/S55zawm6i
-QLSwelAQUHTEyL0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwDQYJ
-KoZIhvcNAQEFBQADggEBAIlXshZ6qML91tmbmzTCnLQyFE2npN/svqe++EPbkTfO
-tDIuUFUaNU52Q3Eg75N3ThVwLofDwR1t3Mu1J9QsVtFSUzpE0nPIxBsFZVpikpzu
-QY0x2+c06lkh1QF612S4ZDnNye2v7UsDSKegmQGA3GWjNq5lWUhPgkvIZfFXHeVZ
-Lgo/bNjR9eUJtGxUAArgFU2HdW23WJZa3W3SAKD0m0i+wzekujbgfIeFlxoVot4u
-olu9rxj5kFDNcFn4J2dHy8egBzp90SxdbBk6ZrV9/ZFvgrG+CJPbFEfxojfHRZ48
-x3evZKiT3/Zpg4Jg8klCNO1aAFSFHBY2kgxc+qatv9s=
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Premium O=AffirmTrust
-# Subject: CN=AffirmTrust Premium O=AffirmTrust
-# Label: "AffirmTrust Premium"
-# Serial: 7893706540734352110
-# MD5 Fingerprint: c4:5d:0e:48:b6:ac:28:30:4e:0a:bc:f9:38:16:87:57
-# SHA1 Fingerprint: d8:a6:33:2c:e0:03:6f:b1:85:f6:63:4f:7d:6a:06:65:26:32:28:27
-# SHA256 Fingerprint: 70:a7:3f:7f:37:6b:60:07:42:48:90:45:34:b1:14:82:d5:bf:0e:69:8e:cc:49:8d:f5:25:77:eb:f2:e9:3b:9a
-----BEGIN CERTIFICATE-----
-MIIFRjCCAy6gAwIBAgIIbYwURrGmCu4wDQYJKoZIhvcNAQEMBQAwQTELMAkGA1UE
-BhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1UcnVz
-dCBQcmVtaXVtMB4XDTEwMDEyOTE0MTAzNloXDTQwMTIzMTE0MTAzNlowQTELMAkG
-A1UEBhMCVVMxFDASBgNVBAoMC0FmZmlybVRydXN0MRwwGgYDVQQDDBNBZmZpcm1U
-cnVzdCBQcmVtaXVtMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxBLf
-qV/+Qd3d9Z+K4/as4Tx4mrzY8H96oDMq3I0gW64tb+eT2TZwamjPjlGjhVtnBKAQ
-JG9dKILBl1fYSCkTtuG+kU3fhQxTGJoeJKJPj/CihQvL9Cl/0qRY7iZNyaqoe5rZ
-+jjeRFcV5fiMyNlI4g0WJx0eyIOFJbe6qlVBzAMiSy2RjYvmia9mx+n/K+k8rNrS
-s8PhaJyJ+HoAVt70VZVs+7pk3WKL3wt3MutizCaam7uqYoNMtAZ6MMgpv+0GTZe5
-HMQxK9VfvFMSF5yZVylmd2EhMQcuJUmdGPLu8ytxjLW6OQdJd/zvLpKQBY0tL3d7
-70O/Nbua2Plzpyzy0FfuKE4mX4+QaAkvuPjcBukumj5Rp9EixAqnOEhss/n/fauG
-V+O61oV4d7pD6kh/9ti+I20ev9E2bFhc8e6kGVQa9QPSdubhjL08s9NIS+LI+H+S
-qHZGnEJlPqQewQcDWkYtuJfzt9WyVSHvutxMAJf7FJUnM7/oQ0dG0giZFmA7mn7S
-5u046uwBHjxIVkkJx0w3AJ6IDsBz4W9m6XJHMD4Q5QsDyZpCAGzFlH5hxIrff4Ia
-C1nEWTJ3s7xgaVY5/bQGeyzWZDbZvUjthB9+pSKPKrhC9IK31FOQeE4tGv2Bb0TX
-OwF0lkLgAOIua+rF7nKsu7/+6qqo+Nz2snmKtmcCAwEAAaNCMEAwHQYDVR0OBBYE
-FJ3AZ6YMItkm9UWrpmVSESfYRaxjMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
-BAQDAgEGMA0GCSqGSIb3DQEBDAUAA4ICAQCzV00QYk465KzquByvMiPIs0laUZx2
-KI15qldGF9X1Uva3ROgIRL8YhNILgM3FEv0AVQVhh0HctSSePMTYyPtwni94loMg
-Nt58D2kTiKV1NpgIpsbfrM7jWNa3Pt668+s0QNiigfV4Py/VpfzZotReBA4Xrf5B
-8OWycvpEgjNC6C1Y91aMYj+6QrCcDFx+LmUmXFNPALJ4fqENmS2NuB2OosSw/WDQ
-MKSOyARiqcTtNd56l+0OOF6SL5Nwpamcb6d9Ex1+xghIsV5n61EIJenmJWtSKZGc
-0jlzCFfemQa0W50QBuHCAKi4HEoCChTQwUHK+4w1IX2COPKpVJEZNZOUbWo6xbLQ
-u4mGk+ibyQ86p3q4ofB4Rvr8Ny/lioTz3/4E2aFooC8k4gmVBtWVyuEklut89pMF
-u+1z6S3RdTnX5yTb2E5fQ4+e0BQ5v1VwSJlXMbSc7kqYA5YwH2AG7hsj/oFgIxpH
-YoWlzBk0gG+zrBrjn/B7SK3VAdlntqlyk+otZrWyuOQ9PLLvTIzq6we/qzWaVYa8
-GKa1qF60g2xraUDTn9zxw2lrueFtCfTxqlB2Cnp9ehehVZZCmTEJ3WARjQUwfuaO
-RtGdFNrHF+QFlozEJLUbzxQHskD4o55BhrwE0GuWyCqANP2/7waj3VjFhT0+j/6e
-KeC2uAloGRwYQw==
-----END CERTIFICATE-----
-
-# Operating CA: Entrust Datacard
-# Issuer: CN=AffirmTrust Premium ECC O=AffirmTrust
-# Subject: CN=AffirmTrust Premium ECC O=AffirmTrust
-# Label: "AffirmTrust Premium ECC"
-# Serial: 8401224907861490260
-# MD5 Fingerprint: 64:b0:09:55:cf:b1:d5:99:e2:be:13:ab:a6:5d:ea:4d
-# SHA1 Fingerprint: b8:23:6b:00:2f:1d:16:86:53:01:55:6c:11:a4:37:ca:eb:ff:c3:bb
-# SHA256 Fingerprint: bd:71:fd:f6:da:97:e4:cf:62:d1:64:7a:dd:25:81:b0:7d:79:ad:f8:39:7e:b4:ec:ba:9c:5e:84:88:82:14:23
-----BEGIN CERTIFICATE-----
-MIIB/jCCAYWgAwIBAgIIdJclisc/elQwCgYIKoZIzj0EAwMwRTELMAkGA1UEBhMC
-VVMxFDASBgNVBAoMC0FmZmlybVRydXN0MSAwHgYDVQQDDBdBZmZpcm1UcnVzdCBQ
-cmVtaXVtIEVDQzAeFw0xMDAxMjkxNDIwMjRaFw00MDEyMzExNDIwMjRaMEUxCzAJ
-BgNVBAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEgMB4GA1UEAwwXQWZmaXJt
-VHJ1c3QgUHJlbWl1bSBFQ0MwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQNMF4bFZ0D
-0KF5Nbc6PJJ6yhUczWLznCZcBz3lVPqj1swS6vQUX+iOGasvLkjmrBhDeKzQN8O9
-ss0s5kfiGuZjuD0uL3jET9v0D6RoTFVya5UdThhClXjMNzyR4ptlKymjQjBAMB0G
-A1UdDgQWBBSaryl6wBE1NSZRMADDav5A1a7WPDAPBgNVHRMBAf8EBTADAQH/MA4G
-A1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNnADBkAjAXCfOHiFBar8jAQr9HX/Vs
-aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I
-flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ==
-----END CERTIFICATE-----
-
 # Operating CA: GlobalSign
 # Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
 # Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
@@ -818,16 +537,16 @@ smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
 # Issuer: CN=COMODO Certification Authority O=COMODO CA Limited
 # Subject: CN=COMODO Certification Authority O=COMODO CA Limited
 # Label: "COMODO Certification Authority"
-# Serial: 104350513648249232941998508985834464573
-# MD5 Fingerprint: 5c:48:dc:f7:42:72:ec:56:94:6d:1c:cc:71:35:80:75
-# SHA1 Fingerprint: 66:31:bf:9e:f7:4f:9e:b6:c9:d5:a6:0c:ba:6a:be:d1:f7:bd:ef:7b
-# SHA256 Fingerprint: 0c:2c:d6:3d:f7:80:6f:a3:99:ed:e8:09:11:6b:57:5b:f8:79:89:f0:65:18:f9:80:8c:86:05:03:17:8b:af:66
+# Serial: 43390818032842818540635488309124489234
+# MD5 Fingerprint:  20:E7:4F:82:C2:7E:94:80:34:82:8A:13:A9:17:1D:97
+# SHA1 Fingerprint EE:86:93:87:FF:FD:83:49:AB:5A:D1:43:22:58:87:89:A4:57:B0:12
+# SHA256 Fingerprint: 1A:0D:20:44:5D:E5:BA:18:62:D1:9E:F8:80:85:8C:BC:E5:01:02:B3:6E:8F:0A:04:0C:3C:69:E7:45:22:FE:6E
 -----BEGIN CERTIFICATE-----
-MIIEHTCCAwWgAwIBAgIQToEtioJl4AsC7j41AkblPTANBgkqhkiG9w0BAQUFADCB
+MIID0DCCArigAwIBAgIQIKTEf93f4cdTYwcTiHdgEjANBgkqhkiG9w0BAQUFADCB
 gTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNV
-BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEyMDEwMDAw
-MDBaFw0yOTEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
+BAMTHkNPTU9ETyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMTAxMDEwMDAw
+MDBaFw0zMDEyMzEyMzU5NTlaMIGBMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl
 YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01P
 RE8gQ0EgTGltaXRlZDEnMCUGA1UEAxMeQ09NT0RPIENlcnRpZmljYXRpb24gQXV0
 aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0ECLi3LjkRv3
@@ -836,16 +555,14 @@ UcEbVASY06m/weaKXTuH+7uIzg3jLz8GlvCiKVCZrts7oVewdFFxze1CkU1B/qnI
 Q5sVW7euNJH+1GImGEaaP+vB+fGQV+useg2L23IwambV4EajcNxo2f8ESIl33rXp
 +2dtQem8Ob0y2WIC8bGoPW43nOIv4tOiJovGuFVDiOEjPqXSJDlqR6sA1KGzqSX+
 DT+nHbrTUcELpNqsOO9VUCQFZUaTNE8tja3G1CEZ0o7KBWFxB3NH5YoZEr0ETc5O
-nKVIrLsm9wIDAQABo4GOMIGLMB0GA1UdDgQWBBQLWOWLxkwVN6RAqTCpIb5HNlpW
-/zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBJBgNVHR8EQjBAMD6g
-PKA6hjhodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9u
-QXV0aG9yaXR5LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAPpiem/Yb6dc5t3iuHXIY
-SdOH5EOC6z/JqvWote9VfCFSZfnVDeFs9D6Mk3ORLgLETgdxb8CPOGEIqB6BCsAv
-IC9Bi5HcSEW88cbeunZrM8gALTFGTO3nnc+IlP8zwFboJIYmuNg4ON8qa90SzMc/
-RxdMosIGlgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4
-zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
-BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB
-ZQ==
+nKVIrLsm9wIDAQABo0IwQDAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8w
+DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
+ggEBAC/JxBwHO89hAgCx2SFRdXIDMLDEFh9sAIsQrK/xR9SuEDwMGvjUk2ysEDd8
+t6aDZK3N3w6HM503sMZ7OHKx8xoOo/lVem0DZgMXlUrxsXrfViEGQo+x06iF3u6X
+HWLrp+cxEmbDD6ZLLkGC9/3JG6gbr+48zuOcrigHoSybJMIPIyaDMouGDx8rEkYl
+Fo92kANr3ryqImhrjKGsKxE5pttwwn1y6TPn/CbxdFqR5p2ErPioBhlG5qfpqjQi
+pKGfeq23sqSaM4hxAjwu1nqyH6LKwN0vEJT9s4yEIHlG1QXUEOTS22RPuFvuG8Ug
+R1uUq27UlTMdphVx8fiUylQ5PsE=
 -----END CERTIFICATE-----

 # Operating CA: Sectigo
--- a/src/gam/gamlib/glaction.py
+++ b/src/gam/gamlib/glaction.py
@@ -38,8 +38,8 @@ class GamAction():
  CLAIM_OWNERSHIP = 'clow'
  CLEAR = 'clea'
  CLOSE = 'clos'
-  COLLECT = 'collect'
-  COMMENT = 'comment'
+  COLLECT = 'coll'
+  COMMENT = 'comm'
  COPY = 'copy'
  COPY_MERGE = 'copm'
  CREATE = 'crea'
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -22,7 +22,6 @@
 # APIs
 ACCESSCONTEXTMANAGER = 'accesscontextmanager'
 ALERTCENTER = 'alertcenter'
-ANALYTICS = 'analytics'
 ANALYTICS_ADMIN = 'analyticsadmin'
 CALENDAR = 'calendar'
 CBCM = 'cbcm'
@@ -37,6 +36,7 @@ CHAT_SPACES_DELETE = 'chatspacesdelete'
 CHAT_SPACES_DELETE_ADMIN = 'chatspacesdeleteadmin'
 CHROMEMANAGEMENT = 'chromemanagement'
 CHROMEMANAGEMENT_APPDETAILS = 'chromemanagementappdetails'
+CHROMEMANAGEMENT_CHROMEPROFILES = 'chromemanagementchromeprofiles'
 CHROMEMANAGEMENT_TELEMETRY = 'chromemanagementtelemetry'
 CHROMEPOLICY = 'chromepolicy'
 CHROMEVERSIONHISTORY = 'versionhistory'
@@ -44,17 +44,17 @@ CLASSROOM = 'classroom'
 CLOUDCHANNEL = 'cloudchannel'
 CLOUDIDENTITY_DEVICES = 'cloudidentitydevices'
 CLOUDIDENTITY_GROUPS = 'cloudidentitygroups'
+CLOUDIDENTITY_GROUPS_BETA = 'cloudidentitygroupsbeta'
 CLOUDIDENTITY_INBOUND_SSO = 'cloudidentityinboundsso'
 CLOUDIDENTITY_ORGUNITS = 'cloudidentityorgunits'
 CLOUDIDENTITY_ORGUNITS_BETA = 'cloudidentityorgunitsbeta'
+CLOUDIDENTITY_POLICY = 'cloudidentitypolicy'
 CLOUDIDENTITY_USERINVITATIONS = 'cloudidentityuserinvitations'
 CLOUDRESOURCEMANAGER = 'cloudresourcemanager'
-CLOUDRESOURCEMANAGER_V1 = 'cloudresourcemanager1'
 CONTACTS = 'contacts'
 CONTACTDELEGATION = 'contactdelegation'
 DATATRANSFER = 'datatransfer'
 DIRECTORY = 'directory'
-DIRECTORY_BETA = 'directory_beta'
 DOCS = 'docs'
 DRIVE2 = 'drive2'
 DRIVE3 = 'drive3'
@@ -70,11 +70,11 @@ GROUPSMIGRATION = 'groupsmigration'
 GROUPSSETTINGS = 'groupssettings'
 IAM = 'iam'
 IAM_CREDENTIALS = 'iamcredentials'
-IAP = 'iap'
 KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
 MEET = 'meet'
+MEET_BETA = 'meetbeta'
 OAUTH2 = 'oauth2'
 ORGPOLICY = 'orgpolicy'
 PEOPLE = 'people'
@@ -89,7 +89,6 @@ SERVICEMANAGEMENT = 'servicemanagement'
 SERVICEUSAGE = 'serviceusage'
 SHEETS = 'sheets'
 SHEETSTD = 'sheetstd'
-SITES = 'sites'
 SITEVERIFICATION = 'siteVerification'
 STORAGE = 'storage'
 STORAGEREAD = 'storageread'
@@ -162,7 +161,6 @@ PROJECT_APIS = [
  'accesscontextmanager.googleapis.com',
  'admin.googleapis.com',
  'alertcenter.googleapis.com',
-  'analytics.googleapis.com',
  'analyticsadmin.googleapis.com',
 #  'audit.googleapis.com',
  'calendar-json.googleapis.com',
@@ -184,7 +182,6 @@ PROJECT_APIS = [
  'groupsmigration.googleapis.com',
  'groupssettings.googleapis.com',
  'iam.googleapis.com',
-  'iap.googleapis.com',
  'keep.googleapis.com',
  'licensing.googleapis.com',
  'meet.googleapis.com',
@@ -202,7 +199,6 @@ PROJECT_APIS = [
 _INFO = {
  ACCESSCONTEXTMANAGER: {'name': 'Access Context Manager API', 'version': 'v1', 'v2discovery': True},
  ALERTCENTER: {'name': 'AlertCenter API', 'version': 'v1beta1', 'v2discovery': True},
-  ANALYTICS: {'name': 'Analytics API', 'version': 'v3', 'v2discovery': False},
  ANALYTICS_ADMIN: {'name': 'Analytics Admin API', 'version': 'v1beta', 'v2discovery': True},
  CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
  CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
@@ -224,35 +220,36 @@ _INFO = {
  CLOUDCHANNEL: {'name': 'Channel Channel API', 'version': 'v1', 'v2discovery': True},
  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity Devices API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity Groups API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity Groups API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity Inbound SSO API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity OrgUnits API', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
+  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity Policy API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity User Invitations API', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDRESOURCEMANAGER: {'name': 'Cloud Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
  CONTACTS: {'name': 'Contacts API', 'version': 'v3', 'v2discovery': False},
  CONTACTDELEGATION: {'name': 'Contact Delegation API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
  DATATRANSFER: {'name': 'Data Transfer API', 'version': 'datatransfer_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
  DIRECTORY: {'name': 'Directory API', 'version': 'directory_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
-  DIRECTORY_BETA: {'name': 'Directory API', 'version': 'directory_v1.1beta1', 'v2discovery': True, 'mappedAPI': 'admin', 'localjson': True},
  DOCS: {'name': 'Docs API', 'version': 'v1', 'v2discovery': True},
  DRIVE2: {'name': 'Drive API v2', 'version': 'v2', 'v2discovery': False, 'mappedAPI': 'drive'},
  DRIVE3: {'name': 'Drive API v3', 'version': 'v3', 'v2discovery': False, 'mappedAPI': 'drive'},
  DRIVETD: {'name': 'Drive API v3 - todrive', 'version': 'v3', 'v2discovery': False, 'mappedAPI': 'drive'},
  DRIVEACTIVITY: {'name': 'Drive Activity API v2', 'version': 'v2', 'v2discovery': True},
-  DRIVELABELS_ADMIN: {'name': 'Drive Labels API v2beta - Admin', 'version': 'v2beta', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
-  DRIVELABELS_USER: {'name': 'Drive Labels API v2beta - User', 'version': 'v2beta', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
+  DRIVELABELS_ADMIN: {'name': 'Drive Labels API - Admin', 'version': 'v2', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
+  DRIVELABELS_USER: {'name': 'Drive Labels API - User', 'version': 'v2', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
  EMAIL_AUDIT: {'name': 'Email Audit API', 'version': 'v1', 'v2discovery': False},
  FORMS: {'name': 'Forms API', 'version': 'v1', 'v2discovery': True},
  GMAIL: {'name': 'Gmail API', 'version': 'v1', 'v2discovery': True},
-  GROUPSMIGRATION: {'name': 'Groups Migration API', 'version': 'v1', 'v2discovery': False},
+  GROUPSMIGRATION: {'name': 'Groups Migration API', 'version': 'v1', 'v2discovery': True},
  GROUPSSETTINGS: {'name': 'Groups Settings API', 'version': 'v1', 'v2discovery': True},
  IAM: {'name': 'Identity and Access Management API', 'version': 'v1', 'v2discovery': True},
  IAM_CREDENTIALS: {'name': 'Identity and Access Management Credentials API', 'version': 'v1', 'v2discovery': True},
-  IAP: {'name': 'Cloud Identity-Aware Proxy API', 'version': 'v1', 'v2discovery': True},
  KEEP: {'name': 'Keep API', 'version': 'v1', 'v2discovery': True},
  LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
  LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
  MEET: {'name': 'Meet API', 'version': 'v2', 'v2discovery': True},
+  MEET_BETA: {'name': 'Meet API', 'version': 'v2beta', 'v2discovery': True, 'localjson': True, 'mappedAPI': MEET},
  OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
  ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
  PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
@@ -267,7 +264,6 @@ _INFO = {
  SERVICEUSAGE: {'name': 'Service Usage API', 'version': 'v1', 'v2discovery': True},
  SHEETS: {'name': 'Sheets API', 'version': 'v4', 'v2discovery': True},
  SHEETSTD: {'name': 'Sheets API - todrive', 'version': 'v4', 'v2discovery': True, 'mappedAPI': SHEETS},
-  SITES: {'name': 'Sites API', 'version': 'v1', 'v2discovery': False},
  SITEVERIFICATION: {'name': 'Site Verification API', 'version': 'v1', 'v2discovery': True},
  STORAGE: {'name': 'Cloud Storage API', 'version': 'v1', 'v2discovery': True},
  STORAGEREAD: {'name': 'Cloud Storage API - Read', 'version': 'v1', 'v2discovery': True, 'mappedAPI': STORAGE},
@@ -296,6 +292,10 @@ _CLIENT_SCOPES = [
   'api': CHROMEMANAGEMENT_APPDETAILS,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/chrome.management.appdetails.readonly'},
+  {'name': 'Chrome Management API - Profiles',
+   'api': CHROMEMANAGEMENT_CHROMEPROFILES,
+   'subscopes': READONLY,
+   'scope': 'https://www.googleapis.com/auth/chrome.management.profiles'},
  {'name': 'Chrome Management API - Telemetry read only',
   'api': CHROMEMANAGEMENT_TELEMETRY,
   'subscopes': [],
@@ -357,6 +357,10 @@ _CLIENT_SCOPES = [
   'api': CLOUDIDENTITY_GROUPS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
+  {'name': 'Cloud Identity Groups API Beta (Enables group locking/unlocking)',
+   'api': CLOUDIDENTITY_GROUPS_BETA,
+   'subscopes': [],
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
  {'name': 'Cloud Identity - Inbound SSO Settings',
   'api': CLOUDIDENTITY_INBOUND_SSO,
   'subscopes': READONLY,
@@ -365,6 +369,12 @@ _CLIENT_SCOPES = [
   'api': CLOUDIDENTITY_ORGUNITS_BETA,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.orgunits'},
+  {'name': 'Cloud Identity - Policy',
+   'api': CLOUDIDENTITY_POLICY,
+   'subscopes': READONLY,
+   'roByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'
+  },
  {'name': 'Cloud Identity User Invitations API',
   'api': CLOUDIDENTITY_USERINVITATIONS,
   'subscopes': READONLY,
@@ -485,12 +495,8 @@ _CLIENT_SCOPES = [
  {'name': 'Site Verification API',
   'api': SITEVERIFICATION,
   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/siteverification'},
-  {'name': 'Sites API',
-   'api': SITES,
-   'subscopes': [],
   'offByDefault': True,
-   'scope': 'https://sites.google.com/feeds'},
+   'scope': 'https://www.googleapis.com/auth/siteverification'},
  {'name': 'Vault API',
   'api': VAULT,
   'subscopes': READONLY,
@@ -523,10 +529,6 @@ _SVCACCT_SCOPES = [
   'api': ALERTCENTER,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/apps.alerts'},
-  {'name': 'Analytics API - read only',
-   'api': ANALYTICS,
-   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/analytics.readonly'},
  {'name': 'Analytics Admin API - read only',
   'api': ANALYTICS_ADMIN,
   'subscopes': [],
@@ -611,11 +613,11 @@ _SVCACCT_SCOPES = [
   'api': DRIVEACTIVITY,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/drive.activity'},
-  {'name': 'Drive Labels API v2beta - Admin',
+  {'name': 'Drive Labels API - Admin',
   'api': DRIVELABELS_ADMIN,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/drive.admin.labels'},
-  {'name': 'Drive Labels API v2beta - User',
+  {'name': 'Drive Labels API - User',
   'api': DRIVELABELS_USER,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/drive.labels'},
@@ -658,7 +660,8 @@ _SVCACCT_SCOPES = [
  {'name': 'Meet API',
   'api': MEET,
   'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/meetings.space.created'},
+   'scope': 'https://www.googleapis.com/auth/meetings.space.created',
+   'roscope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
  {'name': 'OAuth2 API',
   'api': OAUTH2,
   'subscopes': [],
@@ -679,10 +682,6 @@ _SVCACCT_SCOPES = [
   'api': SHEETS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/spreadsheets'},
-  {'name': 'Sites API',
-   'api': SITES,
-   'subscopes': [],
-   'scope': 'https://sites.google.com/feeds'},
  {'name': 'Tasks API',
   'api': TASKS,
   'subscopes': READONLY,
@@ -695,10 +694,6 @@ _SVCACCT_SCOPES = [
  ]

 _SVCACCT_SPECIAL_SCOPES = [
-  {'name': 'Cloud Resource Manager API v3',
-   'api': CLOUDRESOURCEMANAGER,
-   'subscopes': [],
-   'scope': CLOUD_PLATFORM_SCOPE},
  {'name': 'Drive API - todrive',
   'api': DRIVETD,
   'subscopes': [],
--- a/src/gam/gamlib/glcfg.py
+++ b/src/gam/gamlib/glcfg.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-

-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -117,6 +117,8 @@ CSV_OUTPUT_HEADER_FILTER = 'csv_output_header_filter'
 CSV_OUTPUT_HEADER_DROP_FILTER = 'csv_output_header_drop_filter'
 # Force output column headers
 CSV_OUTPUT_HEADER_FORCE = 'csv_output_header_force'
+# Orde output column headers
+CSV_OUTPUT_HEADER_ORDER = 'csv_output_header_order'
 # Line terminator in CSV output file
 CSV_OUTPUT_LINE_TERMINATOR = 'csv_output_line_terminator'
 # Quote character in CSV output file
@@ -175,8 +177,14 @@ INTER_BATCH_WAIT = 'inter_batch_wait'
 LICENSE_MAX_RESULTS = 'license_max_results'
 # License SKUs to process
 LICENSE_SKUS = 'license_skus'
+# Use Meet V2 beta
+MEET_V2_BETA = 'meet_v2_beta'
 # When retrieving lists of Google Group members from API, how many should be retrieved in each chunk
 MEMBER_MAX_RESULTS = 'member_max_results'
+# CI API Group members max page size when view=BASIC
+MEMBER_MAX_RESULTS_CI_BASIC = 'member_max_results_ci_basic'
+# CI API Group members max page size when view=FULL
+MEMBER_MAX_RESULTS_CI_FULL = 'member_max_results_ci_full'
 # When deleting or modifying Gmail messages, how many should be processed in each batch
 MESSAGE_BATCH_SIZE = 'message_batch_size'
 # When retrieving lists of Gmail messages from API, how many should be retrieved in each chunk
@@ -252,12 +260,12 @@ SMTP_HOST = 'smtp_host'
 SMTP_USERNAME = 'smtp_username'
 # SMTP password
 SMTP_PASSWORD = 'smtp_password'
+# Time Zone
+TIMEZONE = 'timezone'
 ## Minimum TLS Version required for HTTPS connections
 TLS_MIN_VERSION = 'tls_min_version'
 ## Maximum TLS Version used for HTTPS connections
 TLS_MAX_VERSION = 'tls_max_version'
-# Time Zone
-TIMEZONE = 'timezone'
 # Clear basic filter when updating an existing sheet
 TODRIVE_CLEARFILTER = 'todrive_clearfilter'
 # Use client access for todrive
@@ -309,7 +317,8 @@ CSV_INPUT_ROW_FILTER_ITEMS = {CSV_INPUT_ROW_FILTER, CSV_INPUT_ROW_FILTER_MODE,
                              CSV_INPUT_ROW_DROP_FILTER, CSV_INPUT_ROW_DROP_FILTER_MODE,
                              CSV_INPUT_ROW_LIMIT}

-CSV_OUTPUT_ROW_FILTER_ITEMS = {CSV_OUTPUT_HEADER_FILTER, CSV_OUTPUT_HEADER_DROP_FILTER, CSV_OUTPUT_HEADER_FORCE,
+CSV_OUTPUT_ROW_FILTER_ITEMS = {CSV_OUTPUT_HEADER_FILTER, CSV_OUTPUT_HEADER_DROP_FILTER,
+                               CSV_OUTPUT_HEADER_FORCE, CSV_OUTPUT_HEADER_ORDER,
                               CSV_OUTPUT_ROW_FILTER, CSV_OUTPUT_ROW_FILTER_MODE,
                               CSV_OUTPUT_ROW_DROP_FILTER, CSV_OUTPUT_ROW_DROP_FILTER_MODE,
                               CSV_OUTPUT_ROW_LIMIT}
@@ -351,6 +360,7 @@ Defaults = {
  CSV_OUTPUT_HEADER_FILTER: '',
  CSV_OUTPUT_HEADER_DROP_FILTER: '',
  CSV_OUTPUT_HEADER_FORCE: '',
+  CSV_OUTPUT_HEADER_ORDER: '',
  CSV_OUTPUT_LINE_TERMINATOR: 'lf',
  CSV_OUTPUT_QUOTE_CHAR: '\'"\'',
  CSV_OUTPUT_ROW_FILTER: '',
@@ -380,7 +390,10 @@ Defaults = {
  INTER_BATCH_WAIT: '0',
  LICENSE_MAX_RESULTS: '100',
  LICENSE_SKUS: '',
+  MEET_V2_BETA: FALSE,
  MEMBER_MAX_RESULTS: '200',
+  MEMBER_MAX_RESULTS_CI_BASIC: '1000',
+  MEMBER_MAX_RESULTS_CI_FULL: '500',
  MESSAGE_BATCH_SIZE: '50',
  MESSAGE_MAX_RESULTS: '500',
  MOBILE_MAX_RESULTS: '100',
@@ -418,9 +431,9 @@ Defaults = {
  SMTP_HOST: '',
  SMTP_USERNAME: '',
  SMTP_PASSWORD: '',
+  TIMEZONE: 'utc',
  TLS_MIN_VERSION: 'TLSv1_3',
  TLS_MAX_VERSION: '',
-  TIMEZONE: 'utc',
  TODRIVE_CLEARFILTER: FALSE,
  TODRIVE_CLIENTACCESS: FALSE,
  TODRIVE_CONVERSION: TRUE,
@@ -460,6 +473,7 @@ TYPE_FILE = 'file'
 TYPE_FLOAT = 'floa'
 TYPE_HEADERFILTER = 'heaf'
 TYPE_HEADERFORCE = 'hefo'
+TYPE_HEADERORDER = 'heor'
 TYPE_INTEGER = 'inte'
 TYPE_LANGUAGE = 'lang'
 TYPE_LOCALE = 'locl'
@@ -514,6 +528,7 @@ VAR_INFO = {
  CSV_OUTPUT_HEADER_FILTER: {VAR_TYPE: TYPE_HEADERFILTER},
  CSV_OUTPUT_HEADER_DROP_FILTER: {VAR_TYPE: TYPE_HEADERFILTER},
  CSV_OUTPUT_HEADER_FORCE: {VAR_TYPE: TYPE_HEADERFORCE},
+  CSV_OUTPUT_HEADER_ORDER: {VAR_TYPE: TYPE_HEADERORDER},
  CSV_OUTPUT_LINE_TERMINATOR: {VAR_TYPE: TYPE_CHOICE, VAR_CHOICES: {'cr': '\r', 'lf': '\n', 'crlf': '\r\n'}},
  CSV_OUTPUT_QUOTE_CHAR: {VAR_TYPE: TYPE_CHARACTER},
  CSV_OUTPUT_ROW_FILTER: {VAR_TYPE: TYPE_ROWFILTER},
@@ -543,7 +558,10 @@ VAR_INFO = {
  INTER_BATCH_WAIT: {VAR_TYPE: TYPE_FLOAT, VAR_LIMITS: (0.0, 60.0)},
  LICENSE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (10, 1000)},
  LICENSE_SKUS: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
+  MEET_V2_BETA: {VAR_TYPE: TYPE_BOOLEAN},
  MEMBER_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
+  MEMBER_MAX_RESULTS_CI_BASIC: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
+  MEMBER_MAX_RESULTS_CI_FULL: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 500)},
  MESSAGE_BATCH_SIZE: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
  MESSAGE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 10000)},
  MOBILE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 100)},
@@ -581,9 +599,9 @@ VAR_INFO = {
  SMTP_HOST: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
  SMTP_USERNAME: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
  SMTP_PASSWORD: {VAR_TYPE: TYPE_PASSWORD, VAR_LIMITS: (0, None)},
+  TIMEZONE: {VAR_TYPE: TYPE_TIMEZONE},
  TLS_MIN_VERSION: {VAR_TYPE: TYPE_CHOICE, VAR_ENVVAR: 'GAM_TLS_MIN_VERSION', VAR_CHOICES: TLS_CHOICE_MAP},
  TLS_MAX_VERSION: {VAR_TYPE: TYPE_CHOICE, VAR_ENVVAR: 'GAM_TLS_MAX_VERSION', VAR_CHOICES: TLS_CHOICE_MAP},
-  TIMEZONE: {VAR_TYPE: TYPE_TIMEZONE},
  TODRIVE_CLEARFILTER: {VAR_TYPE: TYPE_BOOLEAN},
  TODRIVE_CLIENTACCESS: {VAR_TYPE: TYPE_BOOLEAN},
  TODRIVE_CONVERSION: {VAR_TYPE: TYPE_BOOLEAN},
--- a/src/gam/gamlib/glclargs.py
+++ b/src/gam/gamlib/glclargs.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-

-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -423,8 +423,6 @@ class GamCLArgs():
  ARG_ANALYTICDATASTREAMS = 'analyticdatastreams'
  ARG_ANALYTICPROPERTY = 'analyticproperty'
  ARG_ANALYTICPROPERTIES = 'analyticproperties'
-  ARG_ANALYTICUAPROPERTY = 'analyticuaproperty'
-  ARG_ANALYTICUAPROPERTIES = 'analyticuaproperties'
  ARG_API = 'api'
  ARG_APIS = 'apis'
  ARG_APIPROJECT = 'apiproject'
@@ -483,6 +481,8 @@ class GamCLArgs():
  ARG_CHROMEPOLICYIMAGE = 'chromepolicyimage'
  ARG_CHROMEPOLICY = 'chromepolicy'
  ARG_CHROMEPOLICIES = 'chromepolicies'
+  ARG_CHROMEPROFILE = 'chromeprofile'
+  ARG_CHROMEPROFILES = 'chromeprofiles'
  ARG_CHROMESCHEMA = 'chromeschema'
  ARG_CHROMESCHEMAS = 'chromeschemas'
  ARG_CHROMESNVALIDITY = 'chromesnvalidity'
@@ -493,6 +493,12 @@ class GamCLArgs():
  ARG_CIGROUPSMEMBERS = 'cigroupsmembers'
  ARG_CIMEMBER = 'cimember'
  ARG_CIMEMBERS = 'cimembers'
+  ARG_CIPOLICY = 'policy'
+  ARG_CIPOLICIES = 'policies'
+  ARG_CLASSIFICATIONLABEL = 'classificationlabel'
+  ARG_CLASSIFICATIONLABELS = 'classificationlabels'
+  ARG_CLASSIFICATIONLABELPERMISSION = 'classificationlabelpermission'
+  ARG_CLASSIFICATIONLABELPERMISSIONS = 'classificationlabelpermissions'
  ARG_CLASS = 'class'
  ARG_CLASSES = 'classes'
  ARG_CLASSPARTICIPANTS = 'classparticipants'
@@ -571,6 +577,8 @@ class GamCLArgs():
  ARG_DRIVELABELS = 'drivelabels'
  ARG_DRIVELABELPERMISSION = 'drivelabelpermission'
  ARG_DRIVELABELPERMISSIONS = 'drivelabelpermissions'
+  ARG_DRIVELASTMODIFICATION = 'drivelastmodification'
+  ARG_DRIVELASTMODIFICATIONS = 'drivelastmodifications'
  ARG_DRIVESETTINGS = 'drivesettings'
  ARG_DRIVETRASH = 'drivetrash'
  ARG_EMPTYDRIVEFOLDERS = 'emptydrivefolders'
@@ -608,7 +616,6 @@ class GamCLArgs():
  ARG_FORWARDS = 'forwards'
  ARG_FORWARDINGADDRESS = 'forwardingaddress'
  ARG_FORWARDINGADDRESSES = 'forwardingaddresses'
-  ARG_GAL = 'gal'
  ARG_GCPFOLDER = 'gcpfolder'
  ARG_GCPSERVICEACCOUNT = 'gcpserviceaccount'
  ARG_GMAIL = 'gmail'
@@ -748,6 +755,7 @@ class GamCLArgs():
  ARG_SHAREDDRIVES = 'shareddrives'
  ARG_SHAREDDRIVEACLS = 'shareddriveacls'
  ARG_SHAREDDRIVEINFO = 'shareddriveinfo'
+  ARG_SHAREDDRIVEORGANIZERS = 'shareddriveorganizers'
  ARG_SHAREDDRIVETHEMES = 'shareddrivethemes'
  ARG_SHEET = 'sheet'
  ARG_SHEETS = 'sheets'
@@ -777,6 +785,7 @@ class GamCLArgs():
  ARG_TEAMDRIVES = 'teamdrives'
  ARG_TEAMDRIVEACLS = 'teamdriveacls'
  ARG_TEAMDRIVEINFO = 'teamdriveinfo'
+  ARG_TEAMDRIVEORGANIZERS = 'teamdriveorganizers'
  ARG_TEAMDRIVETHEMES = 'teamdrivethemes'
  ARG_THREAD = 'thread'
  ARG_THREADS = 'threads'
@@ -839,10 +848,18 @@ class GamCLArgs():
  OB_CHAT_MESSAGE = 'ChatMessage'
  OB_CHAT_MESSAGE_ID = 'ChatMessageID'
  OB_CHAT_SPACE = 'ChatSpace'
+  OB_CHAT_SPACE_LIST = 'ChatSpaceList'
  OB_CHAT_THREAD = 'ChatThread'
+  OB_CHROMEPROFILE_ID = 'ChromeProfileId'
  OB_CHROME_VERSION = 'ChromeVersion'
  OB_CIDR_NETMASK = 'CIDRnetmask'
  OB_CIGROUP_ALIAS_LIST = "CIGroupAliasList"
+  OB_CIPOLICY_NAME_ENTITY = 'CIPolicyNameEntity'
+  OB_CLASSIFICATION_LABEL_ID = 'ClassificationLabelID'
+  OB_CLASSIFICATION_LABEL_NAME = 'ClassificationLabelName'
+  OB_CLASSIFICATION_LABEL_PERMISSION_NAME = 'ClassificationLabelPermissionName'
+  OB_CLASSIFICATION_LABEL_FIELD_ID = 'ClassificationLabelFieldID'
+  OB_CLASSIFICATION_LABEL_SELECTION_ID_LIST = 'ClassificationLabelSelectionIDList'
  OB_CLASSROOM_INVITATION_ID_ENTITY = 'ClassroomInvitationIDEntity'
  OB_CLIENT_ID = 'ClientID'
  OB_COLLABORATOR_ITEM = 'CollaboratorItem'
@@ -896,11 +913,6 @@ class GamCLArgs():
  OB_DRIVE_FOLDER_NAME = 'DriveFolderName'
  OB_DRIVE_FOLDER_NAME_LIST = 'DriveFolderNameList'
  OB_DRIVE_FOLDER_PATH = 'DriveFolderPath'
-  OB_DRIVE_LABEL_ID = 'DriveLabelID'
-  OB_DRIVE_LABEL_NAME = 'DriveLabelName'
-  OB_DRIVE_LABEL_PERMISSION_NAME = 'DriveLabelPermissionName'
-  OB_DRIVE_LABEL_FIELD_ID = 'DriveLabelFieldID'
-  OB_DRIVE_LABEL_SELECTION_ID_LIST = 'DriveLabelSelectionIDList'
  OB_EMAIL_ADDRESS = 'EmailAddress'
  OB_EMAIL_ADDRESS_ENTITY = 'EmailAddressEntity'
  OB_EMAIL_ADDRESS_LIST = 'EmailAddressList'
@@ -914,6 +926,7 @@ class GamCLArgs():
  OB_EXPORT_ITEM = 'ExportItem'
  OB_FIELD_NAME = 'FieldName'
  OB_FIELD_NAME_LIST = "FieldNameList"
+  OB_FIELDS = 'Fields'
  OB_FILE_NAME = 'FileName'
  OB_FILE_NAME_FIELD_NAME = OB_FILE_NAME+'(:'+OB_FIELD_NAME+')+'
  OB_FILE_NAME_OR_URL = 'FileName|URL'
@@ -941,7 +954,6 @@ class GamCLArgs():
  OB_LABEL_ID_LIST = 'LabelIDLIst'
  OB_LABEL_NAME = 'LabelName'
  OB_LABEL_NAME_LIST = 'LabelNameList'
-  OB_LABEL_REPLACEMENT = 'LabelReplacement'
  OB_LANGUAGE_LIST = 'LanguageList'
  OB_LOOKERSTUDIO_PERMISSION_ENTITY = 'LookerStudioPermissionEntity'
  OB_MATTER_ITEM = 'MatterItem'
@@ -954,6 +966,7 @@ class GamCLArgs():
  OB_MOBILE_ENTITY = 'MobileEntity'
  OB_NETWORK_ID = 'networkID'
  OB_NAME = 'Name'
+  OB_ORGANIZER_TYPE_LIST = 'OrganizerTypeList'
  OB_ORGUNIT_ENTITY = 'OrgUnitEntity'
  OB_ORGUNIT_ITEM = 'OrgUnitItem'
  OB_ORGUNIT_PATH = 'OrgUnitPath'
@@ -980,10 +993,10 @@ class GamCLArgs():
  OB_RESOURCE_ENTITY = 'ResourceEntity'
  OB_RESOURCE_ID = 'ResourceID'
  OB_RE_PATTERN = 'REPattern'
+  OB_RE_SUBSTITUTION = 'RESubstitution'
  OB_ROLE_ASSIGNMENT_ID = 'RoleAssignmentID'
  OB_ROLE_ITEM = 'RoleItem'
  OB_ROLE_LIST = 'RoleList'
-  OB_ROOM_LIST = 'RoomList'
  OB_SCHEMA_ENTITY = 'SchemaEntity'
  OB_SCHEMA_NAME = 'SchemaName'
  OB_SCHEMA_NAME_FIELD_NAME = 'SchemaName.FieldName'
@@ -1139,6 +1152,10 @@ class GamCLArgs():
      return f'Command: {self.QuotedArgumentList(self.argv[:self.argvI])} >>>{self.QuotedArgumentList([self.argv[self.argvI]])}<<< {self.QuotedArgumentList(self.argv[self.argvI+1:])}\n'
    return f'Command: {self.QuotedArgumentList(self.argv)} >>><<<\n'

+# Deprecated command
+  def CommandDeprecated(self):
+    return f'{self.QuotedArgumentList(self.argv)}\n'
+
 # Peek to see if next argument is in choices
  def PeekArgumentPresent(self, choices):
    if self.ArgumentsRemaining():
--- a/src/gam/gamlib/glentity.py
+++ b/src/gam/gamlib/glentity.py
@@ -25,14 +25,16 @@ class GamEntity():
  ROLE_MANAGER = 'MANAGER'
  ROLE_MEMBER = 'MEMBER'
  ROLE_OWNER = 'OWNER'
+  ROLE_LIST = [ROLE_MANAGER, ROLE_MEMBER, ROLE_OWNER]
  ROLE_USER = 'USER'
  ROLE_MANAGER_MEMBER = ','.join([ROLE_MANAGER, ROLE_MEMBER])
  ROLE_MANAGER_OWNER = ','.join([ROLE_MANAGER, ROLE_OWNER])
  ROLE_MEMBER_OWNER = ','.join([ROLE_MEMBER, ROLE_OWNER])
-  ROLE_MANAGER_MEMBER_OWNER = ','.join([ROLE_MANAGER, ROLE_MEMBER, ROLE_OWNER])
+  ROLE_MANAGER_MEMBER_OWNER = ','.join(ROLE_LIST)
  ROLE_PUBLIC = 'PUBLIC'
  ROLE_ALL = ROLE_MANAGER_MEMBER_OWNER

+  TYPE_CBCM_BROWSER = 'CBCM_BROWSER'
  TYPE_CUSTOMER = 'CUSTOMER'
  TYPE_EXTERNAL = 'EXTERNAL'
  TYPE_OTHER = 'OTHER'
@@ -59,7 +61,6 @@ class GamEntity():
  ANALYTIC_ACCOUNT_SUMMARY = 'anas'
  ANALYTIC_DATASTREAM = 'anad'
  ANALYTIC_PROPERTY = 'anap'
-  ANALYTIC_UA_PROPERTY = 'anau'
  API = 'api '
  APP_ACCESS_SETTINGS = 'apps'
  APP_ID = 'appi'
@@ -108,8 +109,15 @@ class GamEntity():
  CHROME_POLICY = 'cpol'
  CHROME_POLICY_IMAGE = 'cpim'
  CHROME_POLICY_SCHEMA = 'cpsc'
+  CHROME_PROFILE = 'cpro'
  CHROME_RELEASE = 'crel'
  CHROME_VERSION = 'cver'
+  CLASSIFICATION_LABEL = 'dlab'
+  CLASSIFICATION_LABEL_FIELD_ID = 'dlfi'
+  CLASSIFICATION_LABEL_ID = 'dlid'
+  CLASSIFICATION_LABEL_NAME = 'dlna'
+  CLASSIFICATION_LABEL_PERMISSION = 'dlpe'
+  CLASSIFICATION_LABEL_PERMISSION_NAME = 'dlpn'
  CLASSROOM_INVITATION = 'clai'
  CLASSROOM_INVITATION_OWNER = 'clio'
  CLASSROOM_INVITATION_STUDENT = 'clis'
@@ -193,12 +201,6 @@ class GamEntity():
  DRIVE_FOLDER_PATH = 'folp'
  DRIVE_FOLDER_RENAMED = 'forn'
  DRIVE_FOLDER_SHORTCUT = 'fols'
-  DRIVE_LABEL = 'dlab'
-  DRIVE_LABEL_FIELD_ID = 'dlfi'
-  DRIVE_LABEL_ID = 'dlid'
-  DRIVE_LABEL_NAME = 'dlna'
-  DRIVE_LABEL_PERMISSION = 'dlpe'
-  DRIVE_LABEL_PERMISSION_NAME = 'dlpn'
  DRIVE_ORPHAN_FILE_OR_FOLDER = 'orph'
  DRIVE_PARENT_FOLDER = 'fipf'
  DRIVE_PARENT_FOLDER_ID = 'fipi'
@@ -302,6 +304,7 @@ class GamEntity():
  PERMITTEE = 'prmt'
  PERSONAL_DEVICE = 'pedv'
  PHOTO = 'phot'
+  POLICY = 'poli'
  POP_ENABLED = 'popa'
  PRESENTATION = 'pres'
  PRINTER = 'prin'
@@ -338,8 +341,6 @@ class GamEntity():
  SHEET = 'shet'
  SHEET_ID = 'shti'
  SIGNATURE = 'sign'
-  SITE = 'site'
-  SITE_ACL = 'sacl'
  SIZE = 'size'
  SKU = 'sku '
  SMIME_ID = 'smid'
@@ -410,7 +411,6 @@ class GamEntity():
    ANALYTIC_ACCOUNT_SUMMARY: ['Analytic Account Summaries', 'Analytic Account Summary'],
    ANALYTIC_DATASTREAM: ['Analytic Datastreams', 'Analytic Datastream'],
    ANALYTIC_PROPERTY: ['Analytic GA4 Properties', 'Analytic GA4 Property'],
-    ANALYTIC_UA_PROPERTY: ['Analytic UA Properties', 'Analytic UA Property'],
    API: ['APIs', 'API'],
    APP_ACCESS_SETTINGS: ['Application Access Settings', 'Application Access Settings'],
    APP_ID: ['Application IDs', 'Application ID'],
@@ -459,8 +459,15 @@ class GamEntity():
    CHROME_POLICY: ['Chrome Policies', 'Chrome Policy'],
    CHROME_POLICY_IMAGE: ['Chrome Policy Images', 'Chrome Policy Image'],
    CHROME_POLICY_SCHEMA: ['Chrome Policy Schemas', 'Chrome Policy Schema'],
+    CHROME_PROFILE: ['Chrome Profiles', 'Chrome Profile'],
    CHROME_RELEASE: ['Chrome Releases', 'Chrome Release'],
    CHROME_VERSION: ['Chrome Versions', 'Chrome Version'],
+    CLASSIFICATION_LABEL: ['Classification Labels', 'Classification Label'],
+    CLASSIFICATION_LABEL_FIELD_ID: ['Classification Label Field IDs', 'Classification Label Field ID'],
+    CLASSIFICATION_LABEL_ID: ['Classification Label IDs', 'Classification Label ID'],
+    CLASSIFICATION_LABEL_NAME: ['Classification Label Names', 'Classification Label Name'],
+    CLASSIFICATION_LABEL_PERMISSION: ['Classification Label Permissions', 'Classification Label Permission'],
+    CLASSIFICATION_LABEL_PERMISSION_NAME: ['Classification Label Permission Names', 'Classification Label Permission Name'],
    CLASSROOM_INVITATION: ['Classroom Invitations', 'Classroom Invitation'],
    CLASSROOM_INVITATION_OWNER: ['Classroom Owner Invitations', 'Classroom Owner Invitation'],
    CLASSROOM_INVITATION_STUDENT: ['Classroom Student Invitations', 'Classroom Student Invitation'],
@@ -544,12 +551,6 @@ class GamEntity():
    DRIVE_FOLDER_PATH: ['Drive Folder Paths', 'Drive Folder Path'],
    DRIVE_FOLDER_RENAMED: ['Drive Folders Renamed', 'Drive Folder Renamed'],
    DRIVE_FOLDER_SHORTCUT: ['Drive Folder Shortcuts', 'Drive Folder Shortcut'],
-    DRIVE_LABEL: ['Drive Labels', 'Drive Label'],
-    DRIVE_LABEL_FIELD_ID: ['Drive Label Field IDs', 'Drive Label Field ID'],
-    DRIVE_LABEL_ID: ['Drive Label IDs', 'Drive Label ID'],
-    DRIVE_LABEL_NAME: ['Drive Label Names', 'Drive Label Name'],
-    DRIVE_LABEL_PERMISSION: ['Drive Label Permissions', 'Drive Label Permission'],
-    DRIVE_LABEL_PERMISSION_NAME: ['Drive Label Permission Names', 'Drive Label Permission Name'],
    DRIVE_ORPHAN_FILE_OR_FOLDER: ['Drive Orphan Files/Folders', 'Drive Orphan File/Folder'],
    DRIVE_PARENT_FOLDER: ['Drive Parent Folders', 'Drive Parent Folder'],
    DRIVE_PARENT_FOLDER_ID: ['Drive Parent Folder IDs', 'Drive Parent Folder ID'],
@@ -653,6 +654,7 @@ class GamEntity():
    PERMITTEE: ['Permittees', 'Permittee'],
    PERSONAL_DEVICE: ['Personal Devices', 'Personal Device'],
    PHOTO: ['Photos', 'Photo'],
+    POLICY: ['Policies', 'Policy'],
    POP_ENABLED: ['POP Enabled', 'POP Enabled'],
    PRESENTATION: ['Presentations', 'Presentation'],
    PRINTER: ['Printers', 'Printer'],
@@ -689,8 +691,6 @@ class GamEntity():
    SHEET: ['Sheets', 'Sheet'],
    SHEET_ID: ['Sheet IDs', 'Sheet ID'],
    SIGNATURE: ['Signatures', 'Signature'],
-    SITE: ['Sites', 'Site'],
-    SITE_ACL: ['Site ACLs', 'Site ACL'],
    SIZE: ['Sizes', 'Size'],
    SKU: ['SKUs', 'SKU'],
    SMIME_ID: ['S/MIME Certificate IDs', 'S/MIME Certificate ID'],
--- a/src/gam/gamlib/glgapi.py
+++ b/src/gam/gamlib/glgapi.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-

-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -37,6 +37,7 @@ CANNOT_CHANGE_OWNER_ACL = 'cannotChangeOwnerAcl'
 CANNOT_CHANGE_OWN_PRIMARY_SUBSCRIPTION = 'cannotChangeOwnPrimarySubscription'
 CANNOT_COPY_FILE = 'cannotCopyFile'
 CANNOT_DELETE_ONLY_REVISION = 'cannotDeleteOnlyRevision'
+CANNOT_DELETE_PERMISSION = 'cannotDeletePermission'
 CANNOT_DELETE_PRIMARY_CALENDAR = 'cannotDeletePrimaryCalendar'
 CANNOT_DELETE_PRIMARY_SENDAS = 'cannotDeletePrimarySendAs'
 CANNOT_DELETE_RESOURCE_WITH_CHILDREN = 'cannotDeleteResourceWithChildren'
@@ -47,6 +48,7 @@ CANNOT_MOVE_TRASHED_ITEM_INTO_TEAMDRIVE = 'cannotMoveTrashedItemIntoTeamDrive'
 CANNOT_MOVE_TRASHED_ITEM_OUT_OF_TEAMDRIVE = 'cannotMoveTrashedItemOutOfTeamDrive'
 CANNOT_REMOVE_OWNER = 'cannotRemoveOwner'
 CANNOT_SET_EXPIRATION = 'cannotSetExpiration'
+CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN = 'cannotSetExpirationOnAnyoneOrDomain'
 CANNOT_SHARE_GROUPS_WITHLINK = 'cannotShareGroupsWithLink'
 CANNOT_SHARE_USERS_WITHLINK = 'cannotShareUsersWithLink'
 CANNOT_SHARE_TEAMDRIVE_TOPFOLDER_WITH_ANYONEORDOMAINS = 'cannotShareTeamDriveTopFolderWithAnyoneOrDomains'
@@ -70,6 +72,8 @@ DOMAIN_POLICY = 'domainPolicy'
 DOWNLOAD_QUOTA_EXCEEDED = 'downloadQuotaExceeded'
 DUPLICATE = 'duplicate'
 EVENT_DURATION_EXCEEDS_LIMIT = 'eventDurationExceedsLimit'
+EVENT_TYPE_RESTRICTION = 'eventTypeRestriction'
+EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE = 'expirationDatesMustBeInTheFuture'
 EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS = 'expirationDateNotAllowedForSharedDriveMembers'
 FAILED_PRECONDITION = 'failedPrecondition'
 FIELD_IN_USE = 'fieldInUse'
@@ -153,6 +157,7 @@ SERVICE_NOT_AVAILABLE = 'serviceNotAvailable'
 SHARE_IN_NOT_PERMITTED = 'shareInNotPermitted'
 SHARE_OUT_NOT_PERMITTED = 'shareOutNotPermitted'
 SHARE_OUT_NOT_PERMITTED_TO_USER = 'shareOutNotPermittedToUser'
+SHARE_OUT_WARNING = 'shareOutWarning'
 SHARING_RATE_LIMIT_EXCEEDED = 'sharingRateLimitExceeded'
 SHORTCUT_TARGET_INVALID = 'shortcutTargetInvalid'
 STORAGE_QUOTA_EXCEEDED = 'storageQuotaExceeded'
@@ -184,7 +189,7 @@ DEFAULT_RETRY_REASONS = [QUOTA_EXCEEDED, RATE_LIMIT_EXCEEDED, SHARING_RATE_LIMIT
                         BACKEND_ERROR, BAD_GATEWAY, GATEWAY_TIMEOUT, INTERNAL_ERROR, TRANSIENT_ERROR]
 SERVICE_NOT_AVAILABLE_RETRY_REASONS = [SERVICE_NOT_AVAILABLE]
 ACTIVITY_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST]
-ALERT_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR]
+ALERT_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR, PERMISSION_DENIED]
 CALENDAR_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR, NOT_A_CALENDAR_USER]
 CIGROUP_CREATE_THROW_REASONS = [SERVICE_NOT_AVAILABLE, ALREADY_EXISTS, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, INVALID, INVALID_ARGUMENT, PERMISSION_DENIED, FAILED_PRECONDITION]
 CIGROUP_GET_THROW_REASONS = [SERVICE_NOT_AVAILABLE, NOT_FOUND, GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, BAD_REQUEST, INVALID, SYSTEM_ERROR, PERMISSION_DENIED]
@@ -210,7 +215,8 @@ DRIVE_COPY_THROW_REASONS = DRIVE_ACCESS_THROW_REASONS+[CANNOT_COPY_FILE, BAD_REQ
                                                       STORAGE_QUOTA_EXCEEDED, TEAMDRIVE_FILE_LIMIT_EXCEEDED, TEAMDRIVE_HIERARCHY_TOO_DEEP]
 DRIVE_GET_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, DOWNLOAD_QUOTA_EXCEEDED]
 DRIVE3_CREATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID, INVALID_SHARING_REQUEST, OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED,
-                                   CANNOT_SET_EXPIRATION, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
+                                   CANNOT_SET_EXPIRATION, CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN,
+                                   EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
                                   NOT_FOUND, TEAMDRIVE_DOMAIN_USERS_ONLY_RESTRICTION, TEAMDRIVE_TEAM_MEMBERS_ONLY_RESTRICTION,
                                   TARGET_USER_ROLE_LIMITED_BY_LICENSE_RESTRICTION, INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
                                   PUBLISH_OUT_NOT_PERMITTED, SHARE_IN_NOT_PERMITTED, SHARE_OUT_NOT_PERMITTED, SHARE_OUT_NOT_PERMITTED_TO_USER,
@@ -227,7 +233,8 @@ DRIVE3_GET_ACL_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, FORBIDDEN, IN
                                                   INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
                                                   UNKNOWN_ERROR, INVALID]
 DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANNOT_REMOVE_OWNER,
-                                   CANNOT_SET_EXPIRATION, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
+                                   CANNOT_SET_EXPIRATION, CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN,
+                                   EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE, EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS,
                                   OWNERSHIP_CHANGE_ACROSS_DOMAIN_NOT_PERMITTED,
                                   NOT_FOUND, TEAMDRIVE_DOMAIN_USERS_ONLY_RESTRICTION, TEAMDRIVE_TEAM_MEMBERS_ONLY_RESTRICTION,
                                   TARGET_USER_ROLE_LIMITED_BY_LICENSE_RESTRICTION, INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
@@ -246,7 +253,7 @@ DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANN
 DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, CANNOT_REMOVE_OWNER,
                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION,
                                   INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
-                                   NOT_FOUND, PERMISSION_NOT_FOUND]
+                                   NOT_FOUND, PERMISSION_NOT_FOUND, CANNOT_DELETE_PERMISSION]
 DRIVE3_MODIFY_LABEL_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
                                                              FILE_NEVER_WRITABLE, APPLY_LABEL_FORBIDDEN,
                                                              INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
@@ -268,17 +275,17 @@ GROUP_SETTINGS_THROW_REASONS = [NOT_FOUND, GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DO
 GROUP_SETTINGS_RETRY_REASONS = [INVALID, SERVICE_LIMIT, SERVICE_NOT_AVAILABLE]
 GROUP_LIST_THROW_REASONS = [RESOURCE_NOT_FOUND, DOMAIN_NOT_FOUND, FORBIDDEN, BAD_REQUEST]
 GROUP_LIST_USERKEY_THROW_REASONS = GROUP_LIST_THROW_REASONS+[INVALID_MEMBER, INVALID_INPUT]
-KEEP_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST, PERMISSION_DENIED, INVALID_ARGUMENT, NOT_FOUND]
+KEEP_THROW_REASONS = [AUTH_ERROR, BAD_REQUEST, PERMISSION_DENIED, INVALID_ARGUMENT, NOT_FOUND]
 LOOKERSTUDIO_THROW_REASONS = [INVALID_ARGUMENT, SERVICE_NOT_AVAILABLE, BAD_REQUEST, NOT_FOUND, PERMISSION_DENIED, INTERNAL_ERROR]
 MEMBERS_THROW_REASONS = [GROUP_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, INVALID, FORBIDDEN, SERVICE_NOT_AVAILABLE]
 MEMBERS_RETRY_REASONS = [SYSTEM_ERROR, SERVICE_NOT_AVAILABLE]
 ORGUNIT_GET_THROW_REASONS = [INVALID_ORGUNIT, ORGUNIT_NOT_FOUND, BACKEND_ERROR, BAD_REQUEST, INVALID_CUSTOMER_ID, LOGIN_REQUIRED]
-PEOPLE_ACCESS_THROW_REASONS = [SERVICE_NOT_AVAILABLE, FORBIDDEN, PERMISSION_DENIED]
+PEOPLE_ACCESS_THROW_REASONS = [SERVICE_NOT_AVAILABLE, FORBIDDEN, PERMISSION_DENIED, FAILED_PRECONDITION]
 RESELLER_THROW_REASONS = [BAD_REQUEST, RESOURCE_NOT_FOUND, FORBIDDEN, INVALID]
 SHEETS_ACCESS_THROW_REASONS = DRIVE_USER_THROW_REASONS+[NOT_FOUND, PERMISSION_DENIED, FORBIDDEN, INTERNAL_ERROR, INSUFFICIENT_FILE_PERMISSIONS,
                                                        BAD_REQUEST, INVALID, INVALID_ARGUMENT, FAILED_PRECONDITION]
-TASK_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
-TASKLIST_THROW_REASONS = [SERVICE_NOT_AVAILABLE, BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
+TASK_THROW_REASONS = [BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
+TASKLIST_THROW_REASONS = [BAD_REQUEST, PERMISSION_DENIED, INVALID, NOT_FOUND, ACCESS_NOT_CONFIGURED]
 USER_GET_THROW_REASONS = [USER_NOT_FOUND, DOMAIN_NOT_FOUND, DOMAIN_CANNOT_USE_APIS, FORBIDDEN, BAD_REQUEST, SYSTEM_ERROR]
 YOUTUBE_THROW_REASONS = [SERVICE_NOT_AVAILABLE, AUTH_ERROR, UNSUPPORTED_SUPERVISED_ACCOUNT, UNSUPPORTED_LANGUAGE_CODE, CONTENT_OWNER_ACCOUNT_NOT_FOUND]

@@ -299,6 +306,7 @@ REASON_MESSAGE_MAP = {
    ('userId', USER_NOT_FOUND),
    ('memberKey', INVALID_MEMBER),
    ('A system error has occurred', SYSTEM_ERROR),
+    ('Expiration dates must be in the future', EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE),
    ('Invalid attribute value', INVALID_ATTRIBUTE_VALUE),
    ('Invalid Customer Id', INVALID_CUSTOMER_ID),
    ('Invalid Input: INVALID_OU_ID', INVALID_ORGUNIT),
@@ -382,6 +390,8 @@ class cannotCopyFile(Exception):
  pass
 class cannotDeleteOnlyRevision(Exception):
  pass
+class cannotDeletePermission(Exception):
+  pass
 class cannotDeletePrimaryCalendar(Exception):
  pass
 class cannotDeletePrimarySendAs(Exception):
@@ -402,6 +412,8 @@ class cannotRemoveOwner(Exception):
  pass
 class cannotSetExpiration(Exception):
  pass
+class cannotSetExpirationOnAnyoneOrDomain(Exception):
+  pass
 class cannotShareGroupsWithLink(Exception):
  pass
 class cannotShareUsersWithLink(Exception):
@@ -446,6 +458,10 @@ class duplicate(Exception):
  pass
 class eventDurationExceedsLimit(Exception):
  pass
+class eventTypeRestriction(Exception):
+  pass
+class expirationDatesMustBeInTheFuture(Exception):
+  pass
 class expirationDateNotAllowedForSharedDriveMembers(Exception):
  pass
 class failedPrecondition(Exception):
@@ -606,6 +622,8 @@ class shareOutNotPermitted(Exception):
  pass
 class shareOutNotPermittedToUser(Exception):
  pass
+class shareOutWarning(Exception):
+  pass
 class sharingRateLimitExceeded(Exception):
  pass
 class shortcutTargetInvalid(Exception):
@@ -676,6 +694,7 @@ REASON_EXCEPTION_MAP = {
  CANNOT_CHANGE_OWN_PRIMARY_SUBSCRIPTION: cannotChangeOwnPrimarySubscription,
  CANNOT_COPY_FILE: cannotCopyFile,
  CANNOT_DELETE_ONLY_REVISION: cannotDeleteOnlyRevision,
+  CANNOT_DELETE_PERMISSION: cannotDeletePermission,
  CANNOT_DELETE_PRIMARY_CALENDAR: cannotDeletePrimaryCalendar,
  CANNOT_DELETE_PRIMARY_SENDAS: cannotDeletePrimarySendAs,
  CANNOT_DELETE_RESOURCE_WITH_CHILDREN: cannotDeleteResourceWithChildren,
@@ -686,6 +705,7 @@ REASON_EXCEPTION_MAP = {
  CANNOT_MOVE_TRASHED_ITEM_OUT_OF_TEAMDRIVE: cannotMoveTrashedItemOutOfTeamDrive,
  CANNOT_REMOVE_OWNER: cannotRemoveOwner,
  CANNOT_SET_EXPIRATION: cannotSetExpiration,
+  CANNOT_SET_EXPIRATION_ON_ANYONE_OR_DOMAIN: cannotSetExpirationOnAnyoneOrDomain,
  CANNOT_SHARE_GROUPS_WITHLINK: cannotShareGroupsWithLink,
  CANNOT_SHARE_USERS_WITHLINK: cannotShareUsersWithLink,
  CANNOT_SHARE_TEAMDRIVE_TOPFOLDER_WITH_ANYONEORDOMAINS: cannotShareTeamDriveTopFolderWithAnyoneOrDomains,
@@ -708,6 +728,8 @@ REASON_EXCEPTION_MAP = {
  DOWNLOAD_QUOTA_EXCEEDED: downloadQuotaExceeded,
  DUPLICATE: duplicate,
  EVENT_DURATION_EXCEEDS_LIMIT: eventDurationExceedsLimit,
+  EVENT_TYPE_RESTRICTION: eventTypeRestriction,
+  EXPIRATION_DATES_MUST_BE_IN_THE_FUTURE: expirationDatesMustBeInTheFuture,
  EXPIRATION_DATE_NOT_ALLOWED_FOR_SHARED_DRIVE_MEMBERS: expirationDateNotAllowedForSharedDriveMembers,
  FAILED_PRECONDITION: failedPrecondition,
  FIELD_IN_USE: fieldInUse,
@@ -788,6 +810,7 @@ REASON_EXCEPTION_MAP = {
  SHARE_IN_NOT_PERMITTED: shareInNotPermitted,
  SHARE_OUT_NOT_PERMITTED: shareOutNotPermitted,
  SHARE_OUT_NOT_PERMITTED_TO_USER: shareOutNotPermittedToUser,
+  SHARE_OUT_WARNING: shareOutWarning,
  SHARING_RATE_LIMIT_EXCEEDED: sharingRateLimitExceeded,
  SHORTCUT_TARGET_INVALID: shortcutTargetInvalid,
  STORAGE_QUOTA_EXCEEDED: storageQuotaExceeded,
--- a/src/gam/gamlib/glglobals.py
+++ b/src/gam/gamlib/glglobals.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-

-# Copyright (C) 2023 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -23,8 +23,8 @@
 # The following GM_XXX constants are arbitrary but must be unique
 # Most errors print a message and bail out with a return code
 # Some commands want to set a non-zero return code but not bail
-# GAM admin user
-ADMIN = 'admin'
+# GAM admin user from oauth2.txt or oauth2service.json
+ADMIN = 'admn'
 # Number/length of API call retries
 API_CALLS_RETRY_DATA = 'rtry'
 # GAM cache directory. If no_cache is True, this variable will be set to None
@@ -65,6 +65,8 @@ CSV_OUTPUT_HEADER_DROP_FILTER = 'cohd'
 CSV_OUTPUT_HEADER_FILTER = 'cohf'
 # Force output column headers
 CSV_OUTPUT_HEADER_FORCE = 'cofh'
+# Order output column headers
+CSV_OUTPUT_HEADER_ORDER = 'coho'
 # No escape character in CSV output file
 CSV_OUTPUT_NO_ESCAPE_CHAR = 'cone'
 # Quote character in CSV output file
@@ -80,7 +82,9 @@ CSV_OUTPUT_ROW_FILTER_MODE = 'corm'
 # Limit number of output rows
 CSV_OUTPUT_ROW_LIMIT = 'corl'
 # Add timestamp column to CSV output file
-CSV_OUTPUT_TIMESTAMP_COLUMN = 'csv_output_timestamp_column'
+CSV_OUTPUT_TIMESTAMP_COLUMN = 'cotc'
+# Transpose output rows/columns
+CSV_OUTPUT_TRANSPOSE = 'cotr'
 # Output sort headers
 CSV_OUTPUT_SORT_HEADERS = 'cosh'
 # CSV todrive options
@@ -201,6 +205,7 @@ REDIRECT_WRITE_HEADER = 'rdwh'
 REDIRECT_MULTIPROCESS = 'rdmp'
 REDIRECT_QUEUE = 'rdq'
 REDIRECT_QUEUE_NAME = 'name'
+REDIRECT_QUEUE_CLEAR_ROW_FILTERS = 'clearRowFilters'
 REDIRECT_QUEUE_TODRIVE = 'todrive'
 REDIRECT_QUEUE_CSVPF = 'csvpf'
 REDIRECT_QUEUE_DATA = 'rows'
@@ -235,6 +240,7 @@ Globals = {
  CSV_OUTPUT_HEADER_DROP_FILTER: [],
  CSV_OUTPUT_HEADER_FILTER: [],
  CSV_OUTPUT_HEADER_FORCE: [],
+  CSV_OUTPUT_HEADER_ORDER: [],
  CSV_OUTPUT_NO_ESCAPE_CHAR: None,
  CSV_OUTPUT_QUOTE_CHAR: None,
  CSV_OUTPUT_ROW_DROP_FILTER: [],
@@ -244,6 +250,7 @@ Globals = {
  CSV_OUTPUT_ROW_LIMIT: 0,
  CSV_OUTPUT_SORT_HEADERS: [],
  CSV_OUTPUT_TIMESTAMP_COLUMN: None,
+  CSV_OUTPUT_TRANSPOSE: False,
  CSV_TODRIVE: {},
  CURRENT_API_SERVICES: {},
  CURRENT_CLIENT_API: None,
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-

-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -40,21 +40,43 @@ sign in as {0} and accept the Terms of Service (ToS). As soon as you've accepted

 PROJECT_STILL_BEING_CREATED_SLEEPING = 'Project still being created. Sleeping {0} seconds\n'
 FAILED_TO_CREATE_PROJECT = 'Failed to create project: {0}\n'
-SETTING_GAM_PROJECT_CONSENT_SCREEN = 'Setting GAM project consent screen...\n'
-CREATE_PROJECT_INSTRUCTIONS = '''
+SETTING_GAM_PROJECT_CONSENT_SCREEN_CREATING_CLIENT = 'Setting GAM project consent screen, creating client...\n'
+CREATE_CLIENT_INSTRUCTIONS = '''
 Please go to:

  {0}

-1. Choose "Desktop App" or "Other" for "Application type".
-2. Enter "GAM" or another desired value for "Name".
-3. Click the blue "Create" button.
-4. Copy your "Client ID" value that shows on the next page.
+ 1. If "+ CREATE CLIENT" is on the screen, skip to step 14
+ 2. Click "GET STARTED"
+ 3. Under "App Information", enter {1} or another value in "App name *"
+ 4. Under "App Information", enter {2} in "User support email *"
+ 5. Click "NEXT"
+ 6. Under "Audience", choose INTERNAL
+ 7. Click "NEXT"
+ 8. Under, "Contact Information", enter an email address in "Email addresses *"
+ 9. Click "NEXT"
+10. Under "Finish", click "I agree to the Google API Services: User Data Policy."
+11. Click "CONTINUE"
+12. Click "CREATE"
+13. Click "Clients" in the left-hand column
+14. Click "+ CREATE CLIENT"
+15. Choose "Desktop App" for "Application type"
+16. Enter {1} or another value in "Name *"
+17. Click "Create"
+18. Under "Name", click your client name
+19. Copy the "Client ID" value under "Additional information"
+20. Paste it at the "Enter your Client ID: " prompt in your terminal
+21. Press return/enter in your terminal
+22. Switch back to the browser
+23. Copy the "Client secret" value under "Client Secrets"
+24. Paste it at the "Enter your Client Secret: " prompt in your terminal
+25. Press return/enter in your terminal
+26. Switch back to the browser
+27. Click "OK"
+28. These steps are complete
 '''
 ENTER_YOUR_CLIENT_ID = '\nEnter your Client ID: '
-GO_BACK_TO_YOUR_BROWSER_AND_COPY_YOUR_CLIENT_SECRET_VALUE = '\n5. Go back to your browser and copy your "Client Secret" value.\n'
 ENTER_YOUR_CLIENT_SECRET = '\nEnter your Client Secret: '
-GO_BACK_TO_YOUR_BROWSER_AND_CLICK_OK_TO_CLOSE_THE_OAUTH_CLIENT_POPUP = '\n6. Go back to your browser and click OK to close the "OAuth client" popup if it\'s still open.\n'
 IS_NOT_A_VALID_CLIENT_ID = '''

 {0}
@@ -78,12 +100,12 @@ Please go to:

  https://admin.google.com/ac/owl/list?tab=configuredApps

-1. Click on: Configure new app > OAuth App Name Or Client ID.
-2. Enter the following Client ID value:
+1. Click on: Configure new app
+2. Enter the following Client ID value in Search for app:

  {1}

-3. Press Search, select the {0} app, press Select, check the box and press Select.
+3. Press Search, select the {0} app, click
 4. Keep the default scope or select a preferred scope that includes your GAM admin.
 5. Press Continue
 6. Select Trusted radio button, press Continue and Finish.
@@ -96,7 +118,7 @@ Your workspace is configured to disable service account private key uploads.

 Please go to:

-  https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#authorize-service-account-key-uploads
+  https://github.com/GAM-team/GAM/wiki/Authorization#authorize-service-account-key-uploads

 Follow the steps to allow a service account private key upload for the project ({0}) just created.
 Once those steps are completed, you can continue with your project authentication.
@@ -162,7 +184,7 @@ ALREADY_EXISTS_USE_MERGE_ARGUMENT = 'Already exists; use the "merge" argument to
 API_ACCESS_DENIED = 'API access Denied'
 API_CALLS_RETRY_DATA = 'API calls retry data\n'
 API_CHECK_CLIENT_AUTHORIZATION = 'Please make sure the Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam oauth create\n'
-API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client name: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
+API_CHECK_SVCACCT_AUTHORIZATION = 'Please make sure the Service Account Client ID: {0} is authorized for the appropriate API or scopes:\n{1}\n\nRun: gam user {2} update serviceaccount\n'
 API_ERROR_SETTINGS = 'API error, some settings not set'
 ARE_BOTH_REQUIRED = 'Arguments {0} and {1} are both required'
 ARE_MUTUALLY_EXCLUSIVE = 'Arguments {0} and {1} are mutually exclusive'
@@ -265,6 +287,7 @@ GAM_OUT_OF_MEMORY = 'GAM has run out of memory. If this is a large Google Worksp
 GENERATING_NEW_PRIVATE_KEY = 'Generating new private key'
 GETTING = 'Getting'
 GETTING_ALL = 'Getting all'
+GRANTING_RIGHTS_TO_ROTATE_ITS_OWN_PRIVATE_KEY = '{0} rights to rotate its own private key'
 GOOGLE_DELEGATION_ERROR = 'Google delegation error, delegator and delegate both exist and are valid for delegation'
 GOT = 'Got'
 GROUP_MAPS_TO_MULTIPLE_OUS = 'File: {0}, Group: {1} references multiple OUs: {2}'
@@ -272,13 +295,12 @@ GROUP_MAPS_TO_OU_INVALID_ROW = 'File: {0}, Invalid row, must contain non-blank <
 GUARDIAN_INVITATION_STATUS_NOT_PENDING = 'Guardian invitation status is not PENDING'
 HAS_CHILD_ORGS = 'Has child {0}'
 HAS_INVALID_FORMAT = '{0}: {1}, Has invalid format'
-HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY = 'Giving account {0} rights to rotate {1} private key'
 HEADER_NOT_FOUND_IN_CSV_HEADERS = 'Header "{0}" not found in CSV headers of "{1}".'
 HELP_SYNTAX = 'Help: Syntax in file {0}\n'
 HELP_WIKI = 'Help: Documentation is at {0}\n'
 IGNORED = 'Ignored'
 INSTRUCTIONS_CLIENT_SECRETS_JSON = 'Please run\n\ngam create|use project\ngam oauth create\n\nto create and authorize a Client account.\n'
-INSTRUCTIONS_OAUTH2SERVICE_JSON = 'Please run\n\ngam create|use project\ngam user <user> check serviceaccount\n\nto create and authorize a Service account.\n'
+INSTRUCTIONS_OAUTH2SERVICE_JSON = 'Please run\n\ngam create|use project\ngam user <user> update serviceaccount\n\nto create and authorize a Service account.\n'
 INSUFFICIENT_PERMISSIONS_TO_PERFORM_TASK = 'Insufficient permissions to perform this task'
 INTER_BATCH_WAIT_INCREASED = 'inter_batch_wait increased to {0:.2f}'
 INVALID = 'Invalid'
@@ -300,7 +322,7 @@ INVALID_NUMBER_OF_CHAT_SPACE_MEMBERS = '{0} type {1} number of members, {2}, mus
 INVALID_ORGUNIT = 'Invalid Organizational Unit'
 INVALID_PATH = 'Invalid Path'
 INVALID_PERMISSION_ATTRIBUTE_TYPE = 'permission attribute {0} not allowed with type {1}'
-INVALID_REGION = 'See: https://github.com/taers232c/GAMADV-XTD3/wiki/Context-Aware-Access-Levels#caa-region-codes'
+INVALID_REGION = 'See: https://github.com/GAM-team/GAM/wiki/Context-Aware-Access-Levels#caa-region-codes'
 INVALID_QUERY = 'Invalid Query'
 INVALID_RE = 'Invalid RE'
 INVALID_REQUEST = 'Invalid Request'
@@ -446,6 +468,10 @@ REFUSING_TO_DEPROVISION_DEVICES = 'Refusing to deprovision {0} devices because a
 REPLY_TO_CUSTOM_REQUIRES_EMAIL_ADDRESS = 'replyto REPLY_TO_CUSTOM requires customReplyTo <EmailAddress>'
 REQUEST_COMPLETED_NO_FILES = 'Request completed but no results/files were returned, try requesting again'
 REQUEST_NOT_COMPLETE = 'Request needs to be completed before downloading, current status is: {0}'
+RERUN_THE_COMMAND_AND_SPECIFY_A_NEW_SANAME = """
+Re-run the command specify a new service account name with: saname <ServiceAccountName>
+See: https://github.com/GAM-team/GAM/wiki/Authorization#advanced-use
+"""
 RESOURCE_CAPACITY_FLOOR_REQUIRED = 'Options "capacity <Number>" (<Number> > 0) and "floor <String>" required'
 RESOURCE_FLOOR_REQUIRED = 'Option "floor <String>" required'
 RESULTS_TOO_LARGE_FOR_GOOGLE_SPREADSHEET = 'Results are too large for Google Spreadsheets. Uploading as a regular CSV file.'
@@ -457,7 +483,10 @@ SCHEMA_WOULD_HAVE_NO_FIELDS = '{0} would have no {1}'
 SELECTED = 'Selected'
 SERVICE_NOT_APPLICABLE = 'Service not applicable/Does not exist'
 SERVICE_NOT_APPLICABLE_THIS_ADDRESS = 'Service not applicable for this address: {0}'
+SERVICE_NOT_ENABLED = '{0} Service/App not enabled'
 SHORTCUT_TARGET_CAPABILITY_IS_FALSE = '{0} capability {1} is False'
+SITES_COMMAND_DEPRECATED = 'The Classic Sites API is deprecated, this command will not work:\n{0}'
+SKU_HAS_NO_MATCHING_ARCHIVED_USER_SKU = 'SKU {0} has no matching Archived User SKU'
 STARTING_THREAD = 'Starting thread'
 STATISTICS_COPY_FILE = 'Total: {0}, Copied: {1}, Shortcut created {2}, Shortcut exists {3}, Duplicate: {4}, Copy Failed: {5}, Not copyable: {6}, In skipids: {7}, Permissions Failed: {8}, Protected Ranges Failed: {9}'
 STATISTICS_COPY_FOLDER = 'Total: {0}, Copied: {1}, Shortcut created {2}, Shortcut exists {3}, Duplicate: {4}, Merged: {5}, Copy Failed: {6}, Not writable: {7}, Permissions Failed: {8}'
@@ -475,11 +504,15 @@ TO = 'To'
 TO_LC = 'to'
 TO_MAXIMUM_OF = 'to maximum of'
 TO_SET_UP_GOOGLE_CHAT = """
-To set up Google Chat for your API project, please go to:
+To set up Google Chat for your current project, please go to:

    {0}

-and complete all fields.
+and follow the instructions at:
+
+    https://github.com/GAM-team/GAM/wiki/Chat-Bot#set-up-a-chat-bot
+
+    You'll use projects/{1}/topics/no-topic in Connection settings Cloud Pub/Sub Topic Name
 """
 TOTAL_ITEMS_IN_ENTITY = 'Total {0} in {1}'
 TRIMMED_MESSAGE_FROM_LENGTH_TO_MAXIMUM = 'Trimmed message of length {0} to maximum length {1}'
--- a/src/gam/gamlib/glskus.py
+++ b/src/gam/gamlib/glskus.py
@@ -22,7 +22,7 @@

 # Products/SKUs
 _PRODUCTS = {
-  '101001': 'Cloud Identity Free',
+  '101001': 'Cloud Identity',
  '101005': 'Cloud Identity Premium',
  '101031': 'Google Workspace for Education',
  '101033': 'Google Voice',
@@ -47,6 +47,10 @@ _SKUS = {
    'product': '101001', 'aliases': ['identity', 'cloudidentity'], 'displayName': 'Cloud Identity'},
  '1010050001': {
    'product': '101005', 'aliases': ['identitypremium', 'cloudidentitypremium'], 'displayName': 'Cloud Identity Premium'},
+  '1010070001': {
+    'product': 'Google-Apps', 'aliases': ['gwef', 'workspaceeducationfundamentals'], 'displayName': 'Google Workspace for Education Fundamentals'},
+  '1010070004': {
+    'product': 'Google-Apps', 'aliases': ['gwegmo', 'workspaceeducationgmailonly'], 'displayName': 'Google Workspace for Education Gmail Only'},
  '1010310002': {
    'product': '101031', 'aliases': ['gsefe', 'e4e', 'gsuiteenterpriseeducation'], 'displayName': 'Google Workspace for Education Plus - Legacy'},
  '1010310003': {
@@ -83,6 +87,8 @@ _SKUS = {
    'product': '101038', 'aliases': ['appsheetplus', 'appsheetenterpriseplus'], 'displayName': 'AppSheet Enterprise Plus'},
  '1010390001': {
    'product': '101039', 'aliases': ['assuredcontrols'], 'displayName': 'Assured Controls'},
+  '1010390002': {
+    'product': '101039', 'aliases': ['assuredcontrolsplus'], 'displayName': 'Assured Controls Plus'},
  '1010400001': {
    'product': '101040', 'aliases': ['beyondcorp', 'beyondcorpenterprise', 'bce', 'cep', 'chromeenterprisepremium'], 'displayName': 'Chrome Enterprise Premium'},
  '1010430001': {
@@ -111,6 +117,8 @@ _SKUS = {
    'product': 'Google-Apps', 'aliases': ['standard', 'free'], 'displayName': 'G Suite Legacy'},
  'Google-Apps-For-Business': {
    'product': 'Google-Apps', 'aliases': ['gafb', 'gafw', 'basic', 'gsuitebasic'], 'displayName': 'G Suite Basic'},
+  'Google-Apps-For-Education': {
+    'product': 'Google-Apps', 'aliases': ['gafe', 'gsuiteeducation', 'gsuiteedu'], 'displayName': 'Google Workspace for Education - Fundamentals'},
  'Google-Apps-For-Government': {
    'product': 'Google-Apps', 'aliases': ['gafg', 'gsuitegovernment', 'gsuitegov'], 'displayName': 'Google Workspace Government'},
  'Google-Apps-For-Postini': {
@@ -121,7 +129,7 @@ _SKUS = {
    'product': 'Google-Apps', 'aliases': ['gau', 'gsb', 'unlimited', 'gsuitebusiness'], 'displayName': 'G Suite Business'},
  '1010020020': {
    'product': 'Google-Apps', 'aliases': ['gae', 'gse', 'enterprise', 'gsuiteenterprise',
-                                          'wsentplus', 'workspaceenterpriseplus'], 'displayName': 'Google Workspace Enterprise Plus'},
+                                          'wsentplus', 'workspaceenterpriseplus'], 'displayName': 'Google Workspace Enterprise Plus (formerly G Suite Enterprise)'},
  '1010020025': {
    'product': 'Google-Apps', 'aliases': ['wsbizplus', 'workspacebusinessplus'], 'displayName': 'Google Workspace Business Plus'},
  '1010020026': {
@@ -136,6 +144,8 @@ _SKUS = {
    'product': 'Google-Apps', 'aliases': ['wsflw', 'workspacefrontline', 'workspacefrontlineworker'], 'displayName': 'Google Workspace Frontline Starter'},
  '1010020031': {
    'product': 'Google-Apps', 'aliases': ['wsflwstan', 'workspacefrontlinestan', 'workspacefrontlineworkerstan'], 'displayName': 'Google Workspace Frontline Standard'},
+  '1010020034': {
+    'product': 'Google-Apps', 'aliases': ['wsflwplus', 'workspacefrontlineplus', 'workspacefrontlineworkerplus'], 'displayName': 'Google Workspace Frontline Plus'},
  '1010340001': {
    'product': '101034', 'aliases': ['gseau', 'enterprisearchived', 'gsuiteenterprisearchived'], 'displayName': 'Google Workspace Enterprise Plus - Archived User'},
  '1010340002': {
@@ -148,14 +158,16 @@ _SKUS = {
    'product': '101034', 'aliases': ['wsbizstarterarchived', 'workspacebusinessstarterarchived'], 'displayName': 'Google Workspace Business Starter - Archived User'},
  '1010340006': {
    'product': '101034', 'aliases': ['wsbizstanarchived', 'workspacebusinessstanarchived'], 'displayName': 'Google Workspace Business Standard - Archived User'},
+  '1010340007': {
+    'product': '101034', 'aliases': ['gwefau', 'gwefarchived', 'workspaceeducationfundamentalsarchived'], 'displayName': 'Google Workspace for Education Fundamentals - Archived User'},
  '1010060001': {
    'product': '101006', 'aliases': ['gsuiteessentials', 'essentials',
                                     'd4e', 'driveenterprise', 'drive4enterprise',
-                                     'wsess', 'workspaceesentials'], 'displayName': 'Google Workspace Essentials'},
+                                     'wsess', 'workspaceesentials'], 'displayName': 'Google Workspace Essentials (formerly G Suite Essentials)'},
  '1010060003': {
    'product': 'Google-Apps', 'aliases': ['wsentess', 'workspaceenterpriseessentials'], 'displayName': 'Google Workspace Enterprise Essentials'},
  '1010060005': {
-    'product': 'Google-Apps', 'aliases': ['wsessplus', 'workspaceessentialsplus'], 'displayName': 'Google Workspace Essentials Plus'},
+    'product': 'Google-Apps', 'aliases': ['wsessplus', 'workspaceessentialsplus'], 'displayName': 'Google Workspace Enterprise Essentials Plus'},
  'Google-Drive-storage-20GB': {
    'product': 'Google-Drive-storage', 'aliases': ['drive20gb', '20gb', 'googledrivestorage20gb'], 'displayName': 'Google Drive Storage 20GB'},
  'Google-Drive-storage-50GB': {
@@ -182,6 +194,8 @@ _SKUS = {
    'product': 'Google-Chrome-Device-Management', 'aliases': ['chrome', 'cdm', 'googlechromedevicemanagement'], 'displayName': 'Google Chrome Device Management'}
  }

+ARCHIVABLE_SKUS = {'1010020020', '1010020025', '1010020026', '1010020027', '1010020028', 'Google-Apps-Unlimited'}
+
 def getProductAndSKU(sku):
  l_sku = sku.lower().replace('-', '').replace(' ', '').replace('"', '').replace("'", '').strip()
  if l_sku.startswith('nv:'):
--- a/src/gam/gamlib/glverlibs.py
+++ b/src/gam/gamlib/glverlibs.py
@@ -20,14 +20,19 @@

 """

-GAM_VER_LIBS = ['cryptography',
-                'filelock',
-                'google-api-python-client',
-                'google-auth-httplib2',
-                'google-auth-oauthlib',
-                'google-auth',
-                'httplib2',
-                'passlib',
-                'python-dateutil',
-                'yubikey-manager',
-                ]
+GAM_VER_LIBS = [
+  'chardet',
+  'cryptography',
+  'filelock',
+  'google-api-python-client',
+  'google-auth-httplib2',
+  'google-auth-oauthlib',
+  'google-auth',
+  'lxml',
+  'httplib2',
+  'passlib',
+  'pathvalidate',
+  'pyscard',
+  'python-dateutil',
+  'yubikey-manager',
+]
--- a/src/gam/gdata/apps/sites/init.py
+++ b/src/gam/gdata/apps/sites/init.py
@@ -1,283 +0,0 @@
-#!/usr/bin/env python
-#
-# Copyright 2009 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Data model classes for parsing and generating XML for the Sites Data API."""
-
-import atom
-import gdata
-
-# XML Namespaces used in Google Sites entities.
-SITES_NAMESPACE = 'http://schemas.google.com/sites/2008'
-SITES_TEMPLATE = '{http://schemas.google.com/sites/2008}%s'
-SPREADSHEETS_NAMESPACE = 'http://schemas.google.com/spreadsheets/2006'
-SPREADSHEETS_TEMPLATE = '{http://schemas.google.com/spreadsheets/2006}%s'
-GACL_NAMESPACE = 'http://schemas.google.com/acl/2007'
-GACL_TEMPLATE = '{http://schemas.google.com/acl/2007}%s'
-DC_TERMS_TEMPLATE = '{http://purl.org/dc/terms}%s'
-THR_TERMS_TEMPLATE = '{http://purl.org/syndication/thread/1.0}%s'
-XHTML_NAMESPACE = 'http://www.w3.org/1999/xhtml'
-XHTML_TEMPLATE = '{http://www.w3.org/1999/xhtml}%s'
-
-SITES_INVITE_LINK_REL = SITES_NAMESPACE + '#invite'
-SITES_PARENT_LINK_REL = SITES_NAMESPACE + '#parent'
-SITES_REVISION_LINK_REL = SITES_NAMESPACE + '#revision'
-SITES_SOURCE_LINK_REL = SITES_NAMESPACE + '#source'
-SITES_TEMPLATE_LINK_REL = SITES_NAMESPACE + '#template'
-
-ALTERNATE_REL = 'alternate'
-WEB_ADDRESS_MAPPING_REL = 'webAddressMapping'
-
-SITES_KIND_SCHEME = 'http://schemas.google.com/g/2005#kind'
-ANNOUNCEMENT_KIND_TERM = SITES_NAMESPACE + '#announcement'
-ANNOUNCEMENT_PAGE_KIND_TERM = SITES_NAMESPACE + '#announcementspage'
-ATTACHMENT_KIND_TERM = SITES_NAMESPACE + '#attachment'
-COMMENT_KIND_TERM = SITES_NAMESPACE + '#comment'
-FILECABINET_KIND_TERM = SITES_NAMESPACE + '#filecabinet'
-LISTITEM_KIND_TERM = SITES_NAMESPACE + '#listitem'
-LISTPAGE_KIND_TERM = SITES_NAMESPACE + '#listpage'
-WEBPAGE_KIND_TERM = SITES_NAMESPACE + '#webpage'
-WEBATTACHMENT_KIND_TERM = SITES_NAMESPACE + '#webattachment'
-FOLDER_KIND_TERM = SITES_NAMESPACE + '#folder'
-TAG_KIND_TERM = SITES_NAMESPACE + '#tag'
-
-SUPPORT_KINDS = [
-  'announcement', 'announcementspage', 'attachment', 'comment', 'filecabinet',
-  'listitem', 'listpage', 'webpage', 'webattachment', 'tag'
-  ]
-
-
-class GDataBase(atom.AtomBase):
-  """The Google Sites intermediate class from atom.AtomBase."""
-  _namespace = gdata.GDATA_NAMESPACE
-  _children = atom.AtomBase._children.copy()
-  _attributes = atom.AtomBase._attributes.copy()
-
-  def __init__(self, text=None):
-    atom.AtomBase.__init__(self, text=text)
-
-class SitesBase(GDataBase):
-  _namespace = SITES_NAMESPACE
-
-class SiteName(SitesBase):
-  """Google Sites <sites:siteName>."""
-  _tag = 'siteName'
-
-class Theme(SitesBase):
-  """Google Sites <sites:theme>."""
-  _tag = 'theme'
-
-class SiteEntry(gdata.BatchEntry):
-  """Google Sites Site Feed Entry."""
-  _tag = 'entry'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchEntry._children.copy()
-
-  _children['{%s}siteName' % SITES_NAMESPACE] = ('siteName', SiteName)
-  _children['{%s}theme' % SITES_NAMESPACE] = ('theme', Theme)
-  _attributes = gdata.BatchEntry._attributes.copy()
-  _attributes['{%s}etag' % gdata.GDATA_NAMESPACE] = 'etag'
-
-  def __init__(self, siteName=None, title=None, summary=None, theme=None, sourceSite=None, category=None, etag=None):
-    gdata.BatchEntry.__init__(self, category=category)
-    self.siteName = siteName
-    self.title = title
-    self.summary = summary
-    self.theme = theme
-    if sourceSite is not None:
-      sourceLink = atom.Link(href=sourceSite, rel=SITES_SOURCE_LINK_REL, link_type='application/atom+xml')
-      self.link.append(sourceLink)
-    self.etag = etag
-
-  def find_alternate_link(self):
-    for link in self.link:
-      if link.rel == ALTERNATE_REL and link.href:
-        return link.href
-    return None
-
-  FindAlternateLink = find_alternate_link
-
-  def find_source_link(self):
-    for link in self.link:
-      if link.rel == SITES_SOURCE_LINK_REL and link.href:
-        return link.href
-    return None
-
-  FindSourceLink = find_source_link
-
-  def find_webaddress_mappings(self):
-    mappingLinks = []
-    for link in self.link:
-      if link.rel == WEB_ADDRESS_MAPPING_REL and link.href:
-        mappingLinks.append(link.href)
-    return mappingLinks
-
-  FindWebAddressMappings = find_webaddress_mappings
-
-def SiteEntryFromString(xml_string):
-  return atom.CreateClassFromXMLString(SiteEntry, xml_string)
-
-class SiteFeed(gdata.BatchFeed, gdata.LinkFinder):
-  """A Google Sites feed flavor of an Atom Feed."""
-  _tag = 'feed'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchFeed._children.copy()
-  _children['{%s}entry' % atom.ATOM_NAMESPACE] = ('entry', [SiteEntry])
-
-  def __init__(self):
-    gdata.BatchFeed.__init__(self)
-
-def SiteFeedFromString(xml_string):
-  return atom.CreateClassFromXMLString(SiteFeed, xml_string)
-
-class AclBase(GDataBase):
-  _namespace = GACL_NAMESPACE
-
-class AclRole(AclBase):
-  """Describes the role of an entry in an access control list."""
-  _tag = 'role'
-  _children = AclBase._children.copy()
-  _attributes = AclBase._attributes.copy()
-  _attributes['value'] = 'value'
-
-  def __init__(self, value=None):
-    AclBase.__init__(self)
-    self.value = value
-
-class AclAdditionalRole(AclBase):
-  """Describes an additionalRole element."""
-  _tag = 'additionalRole'
-  _children = AclBase._children.copy()
-  _attributes = AclBase._attributes.copy()
-  _attributes['value'] = 'value'
-
-  def __init__(self, value=None):
-    AclBase.__init__(self)
-    self.value = value
-
-class AclScope(AclBase):
-  """Describes the scope of an entry in an access control list."""
-  _tag = 'scope'
-  _children = AclBase._children.copy()
-  _attributes = AclBase._attributes.copy()
-  _attributes['type'] = 'type'
-  _attributes['value'] = 'value'
-
-  def __init__(self, stype=None, value=None):
-    AclBase.__init__(self)
-    self.type = stype
-    self.value = value
-
-
-class AclWithKey(AclBase):
-  """Describes a key that can be used to access a document."""
-  _tag = 'withKey'
-  _children = AclBase._children.copy()
-  _children['{%s}role' % GACL_NAMESPACE] = ('role', AclRole)
-  _children['{%s}additionalRole' % GACL_NAMESPACE] = ('additionalRole', AclAdditionalRole)
-  _attributes = AclBase._attributes.copy()
-  _attributes['key'] = 'key'
-
-  def __init__(self, key=None, role=None, additionalRole=None):
-    AclBase.__init__(self)
-    self.key = key
-    self.role = role
-    self.additionalRole = additionalRole
-
-class AclEntry(gdata.BatchEntry):
-  """Describes an entry in a feed of an access control list (ACL)."""
-  _tag = 'entry'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchEntry._children.copy()
-
-  _children['{%s}role' % GACL_NAMESPACE] = ('role', AclRole)
-  _children['{%s}additionalRole' % GACL_NAMESPACE] = ('additionalRole', AclAdditionalRole)
-  _children['{%s}scope' % GACL_NAMESPACE] = ('scope', AclScope)
-  _children['{%s}withKey' % GACL_NAMESPACE] = ('withKey', AclWithKey)
-  _attributes = gdata.BatchEntry._attributes.copy()
-  _attributes['{%s}etag' % gdata.GDATA_NAMESPACE] = 'etag'
-
-  def __init__(self, role=None, additionalRole=None, scope=None, withKey=None, etag=None):
-    gdata.BatchEntry.__init__(self)
-    self.role = role
-    self.additionalRole = additionalRole
-    self.scope = scope
-    self.withKey = withKey
-    self.etag = etag
-
-  def find_invite_link(self):
-    for link in self.link:
-      if link.rel == SITES_INVITE_LINK_REL and link.href:
-        return link.href
-    return None
-
-  FindInviteLink = find_invite_link
-
-def AclEntryFromString(xml_string):
-  return atom.CreateClassFromXMLString(AclEntry, xml_string)
-
-class AclFeed(gdata.BatchFeed, gdata.LinkFinder):
-  """Describes a feed of an access control list (ACL)."""
-  _tag = 'feed'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchFeed._children.copy()
-  _children['{%s}entry' % atom.ATOM_NAMESPACE] = ('entry', [AclEntry])
-
-  def __init__(self):
-    gdata.BatchFeed.__init__(self)
-
-def AclFeedFromString(xml_string):
-  return atom.CreateClassFromXMLString(AclFeed, xml_string)
-
-class ActivityEntry(gdata.BatchEntry):
-  """Describes an entry in a feed of site activity (changes)."""
-  _tag = 'entry'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchEntry._children.copy()
-  _attributes = gdata.BatchEntry._attributes.copy()
-
-  def __init__(self):
-    gdata.BatchEntry.__init__(self)
-
-  def __find_category_scheme(self, scheme):
-    for category in self.category:
-      if category.scheme == scheme:
-        return category
-    return None
-
-  def kind(self):
-    kind = self.__find_category_scheme(SITES_KIND_SCHEME)
-    if kind is not None:
-      return kind.term[len(SITES_NAMESPACE) + 1:]
-    else:
-      return None
-
-  Kind = kind
-
-def ActivityEntryFromString(xml_string):
-  return atom.CreateClassFromXMLString(ActivityEntry, xml_string)
-
-class ActivityFeed(gdata.BatchFeed, gdata.LinkFinder):
-  """Describes a feed of site activity (changes)."""
-  _tag = 'feed'
-  _namespace = atom.ATOM_NAMESPACE
-  _children = gdata.BatchFeed._children.copy()
-  _children['{%s}entry' % atom.ATOM_NAMESPACE] = ('entry', [ActivityEntry])
-
-  def __init__(self):
-    gdata.BatchFeed.__init__(self)
-
-def ActivityFeedFromString(xml_string):
-  return atom.CreateClassFromXMLString(ActivityFeed, xml_string)
--- a/src/gam/gdata/apps/sites/service.py
+++ b/src/gam/gdata/apps/sites/service.py
@@ -1,246 +0,0 @@
-#!/usr/bin/python
-#
-# Copyright 2009 Google Inc. All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""SitesService extends the GDataService for Google Sites API calls."""
-
-import gdata.apps
-import gdata.apps.service
-import gdata.service
-
-
-# Feed URI templates
-CONTENT_FEED_TEMPLATE = '/feeds/content/%s/%s/'
-REVISION_FEED_TEMPLATE = '/feeds/revision/%s/%s/'
-ACTIVITY_FEED_TEMPLATE = '/feeds/activity/%s/%s/'
-ACTIVITY_ENTRY_TEMPLATE = '/feeds/activity/%s/%s/%s'
-SITE_FEED_TEMPLATE = '/feeds/site/%s/'
-ACL_FEED_TEMPLATE = '/feeds/acl/site/%s/%s'
-ACL_ENTRY_TEMPLATE = '/feeds/acl/site/%s/%s/%s'
-
-
-class SitesService(gdata.service.GDataService):
-  """Client extension for the Google Sites API service."""
-
-  def __init__(self,
-               source=None, server='sites.google.com', additional_headers=None,
-               **kwargs):
-    """Constructs a new client for the Sites API.
-
-    Args:
-      site: string (optional) Name (webspace) of the Google Site
-      domain: string (optional) Domain of the (Google Apps hosted) Site.
-          If no domain is given, the Site is assumed to be a consumer Google
-          Site, in which case the value 'site' is used.
-      source: string (optional) The name of the user's application.
-      server: string (optional) The name of the server to which a connection
-          will be opened. Default value: 'sites..google.com'.
-      **kwargs: The other parameters to pass to gdata.service.GDataService
-          constructor.
-    """
-    if additional_headers == None:
-      additional_headers = {}
-    additional_headers['GData-Version'] = '1.4'
-    gdata.service.GDataService.__init__(self,
-                                        source=source, server=server, additional_headers=additional_headers,
-                                        **kwargs)
-    self.ssl = True
-    self.port = 443
-
-  def make_site_feed_uri(self, domain=None, site=None):
-    if not domain:
-      domain = 'site'
-    if not site:
-      return SITE_FEED_TEMPLATE % domain
-    return (SITE_FEED_TEMPLATE % domain) + site
-
-  MakeSiteFeedUri = make_site_feed_uri
-
-  def get_site_feed(self, uri=None, domain=None, site=None,
-                    extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.SiteFeedFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetSiteFeed = get_site_feed
-
-  def create_site(self, siteentry=None, uri=None, domain=None, site=None,
-                  extra_headers=None, url_params=None, escape_params=True):
-
-    if uri is None:
-      uri = self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Post(siteentry, uri,
-                       url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                       converter=gdata.apps.sites.SiteEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  CreateSite = create_site
-
-  def get_site(self, uri=None, domain=None, site=None,
-               extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.SiteEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetSite = get_site
-
-  def update_site(self, siteentry=None, uri=None, domain=None, site=None,
-                  extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_site_feed_uri(domain=domain, site=site)
-    try:
-      return self.Put(siteentry, uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.SiteEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  UpdateSite = update_site
-
-  def make_acl_feed_uri(self, domain=None, site=None):
-    return ACL_FEED_TEMPLATE % (domain, site)
-
-  MakeAclFeedUri = make_acl_feed_uri
-
-  def get_acl_feed(self, uri=None, domain=None, site=None,
-                   extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.AclFeedFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetAclFeed = get_acl_feed
-
-  def make_acl_entry_uri(self, domain=None, site=None, ruleId=None):
-    return ACL_ENTRY_TEMPLATE % (domain, site, ruleId)
-
-  MakeAclEntryUri = make_acl_entry_uri
-
-  def create_acl_entry(self, aclentry=None, uri=None, domain=None, site=None,
-                       extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_feed_uri(domain=domain, site=site)
-    try:
-      return self.Post(aclentry, uri,
-                       url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                       converter=gdata.apps.sites.AclEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  CreateAclEntry = create_acl_entry
-
-  def get_acl_entry(self, uri=None, domain=None, site=None, ruleId=None,
-                    extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_entry_uri(domain=domain, site=site, ruleId=ruleId)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.AclEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetAclEntry = get_acl_entry
-
-  def update_acl_entry(self, aclentry=None, uri=None, domain=None, site=None, ruleId=None,
-                       extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_entry_uri(domain=domain, site=site, ruleId=ruleId)
-    try:
-      return self.Put(aclentry, uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.AclEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  UpdateAclEntry = update_acl_entry
-
-  def delete_acl_entry(self, uri=None, domain=None, site=None, ruleId=None,
-                       extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_acl_entry_uri(domain=domain, site=site, ruleId=ruleId)
-    try:
-      return self.Delete(uri,
-                         url_params=url_params, escape_params=escape_params, extra_headers=extra_headers)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  DeleteAclEntry = delete_acl_entry
-
-  def make_activity_feed_uri(self, domain=None, site=None):
-    return ACTIVITY_FEED_TEMPLATE % (domain, site)
-
-  MakeActivityFeedUri = make_activity_feed_uri
-
-  def get_activity_feed(self, uri=None, domain=None, site=None,
-                        extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_activity_feed_uri(domain=domain, site=site)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.ActivityFeedFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetActivityFeed = get_activity_feed
-
-  def make_activity_entry_uri(self, domain=None, site=None, activityId=None):
-    return ACTIVITY_ENTRY_TEMPLATE % (domain, site, activityId)
-
-  MakeActivityEntryUri = make_activity_entry_uri
-
-  def get_activity_entry(self, uri=None, domain=None, site=None, activityId=None,
-                         extra_headers=None, url_params=None, escape_params=True):
-
-    uri = uri or self.make_activity_entry_uri(domain=domain, site=site, activityId=activityId)
-    try:
-      return self.Get(uri,
-                      url_params=url_params, extra_headers=extra_headers, escape_params=escape_params,
-                      converter=gdata.apps.sites.ActivityEntryFromString)
-    except gdata.service.RequestError as e:
-      raise gdata.apps.service.AppsForYourDomainException(e.args[0])
-
-  GetActivityEntry = get_activity_entry
-
-class SitesQuery(gdata.service.Query):
-
-  def make_site_feed_uri(self, domain=None, site=None):
-    if not domain:
-      domain = 'site'
-    if not site:
-      return SITE_FEED_TEMPLATE % domain
-    return (SITE_FEED_TEMPLATE % domain) + site
-
-  def __init__(self, feed=None, domain=None, site=None, params=None):
-    self.feed = feed or self.make_site_feed_uri(domain=domain, site=site)
-    gdata.service.Query.__init__(self, feed=self.feed, params=params)
-
--- a/src/gam/googleapiclient/version.py
+++ b/src/gam/googleapiclient/version.py
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-__version__ = "2.146.0"
+__version__ = "2.164.0"
--- a/src/gam/meet-v2beta.json
+++ b/src/gam/meet-v2beta.json
--- a/src/license.rtf
+++ b/src/license.rtf
--- a/src/new-gam-install-script.sh
+++ b/src/new-gam-install-script.sh
@@ -1,441 +0,0 @@
-#!/usr/bin/env bash
-
-usage()
-{
-cat << EOF
-GAM installation script.
-
-OPTIONS:
-   -h      show help.
-   -d      Directory where gam folder will be installed. Default is \$HOME/bin/
-   -a      Architecture to install (i386, x86_64, x86_64_legacy, arm, arm64). Default is to detect your arch with "uname -m".
-   -o      OS we are running (linux, macos). Default is to detect your OS with "uname -s".
-   -b      OS version. Default is to detect on MacOS and Linux.
-   -l      Just upgrade GAM to latest version. Skips project creation and auth.
-   -p      Profile update (true, false). Should script add gam command to environment. Default is true.
-   -u      Admin user email address to use with GAM. Default is to prompt.
-   -r      Regular user email address. Used to test service account access to user data. Default is to prompt.
-   -v      Version to install (latest, prerelease, draft, 3.8, etc). Default is latest.
-   -s      Strip gam component from extracted files, files will be downloaded directly to $target_dir
-EOF
-}
-
-target_dir="$HOME/bin"
-target_gam="gam7/gam"
-gamarch=$(uname -m)
-gamos=$(uname -s)
-osversion=""
-update_profile=true
-upgrade_only=false
-gamversion="latest"
-adminuser=""
-regularuser=""
-strip_gam="--strip-components 0"
-
-while getopts "hd:a:o:b:lp:u:r:v:s" OPTION
-do
-     case $OPTION in
-         h) usage; exit;;
-         d) target_dir="$OPTARG";;
-         a) gamarch="$OPTARG";;
-         o) gamos="$OPTARG";;
-         b) osversion="$OPTARG";;
-         l) upgrade_only=true;;
-         p) update_profile="$OPTARG";;
-         u) adminuser="$OPTARG";;
-         r) regularuser="$OPTARG";;
-         v) gamversion="$OPTARG";;
-         s) strip_gam="--strip-components 1"; target_gam="gam";;
-         ?) usage; exit;;
-     esac
-done
-
-# remove possible / from end of target_dir
-target_dir=${target_dir%/}
-
-update_profile() {
-        [ "$2" -eq 1 ] || [ -f "$1" ] || return 1
-
-        grep -F "$alias_line" "$1" > /dev/null 2>&1
-        if [ $? -ne 0 ]; then
-                echo_yellow "Adding gam alias to profile file $1."
-                echo -e "\n$alias_line" >> "$1"
-        else
-          echo_yellow "gam alias already exists in profile file $1. Skipping add."
-        fi
-}
-
-echo_red()
-{
-echo -e "\x1B[1;31m$1"
-echo -e '\x1B[0m'
-}
-
-echo_green()
-{
-echo -e "\x1B[1;32m$1"
-echo -e '\x1B[0m'
-}
-
-echo_yellow()
-{
-echo -e "\x1B[1;33m$1"
-echo -e '\x1B[0m'
-}
-
-version_gt()
-{
-# MacOS < 10.13 doesn't support sort -V
-echo "" | sort -V > /dev/null 2>&1
-vsort_failed=$?
-if [ "${1}" = "${2}" ]; then
-  true
-elif (( $vsort_failed != 0 )); then
-  false
-else
-  test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"
-fi
-}
-
-if [ "$gamversion" == "latest" ]; then
-  release_url="https://api.github.com/repos/GAM-team/GAM/releases/latest"
-elif [ "$gamversion" == "prerelease" -o "$gamversion" == "draft" ]; then
-  release_url="https://api.github.com/repos/GAM-team/GAM/releases"
-else
-  release_url="https://api.github.com/repos/GAM-team/GAM/releases/tags/v$gamversion"
-fi
-
-if [ -z ${GHCLIENT+x} ]; then
-  check_type="unauthenticated"
-  curl_opts=( )
-else
-  check_type="authenticated"
-  curl_opts=( "$GHCLIENT" )
-fi
-echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
-release_json=$(curl \
-	--silent \
-	"${curl_opts[@]}" \
-	-H "Accept: application/vnd.github+json" \
-	-H "X-GitHub-Api-Version: 2022-11-28" \
-	"$release_url" \
-	2>&1 /dev/null)
-
-echo_yellow "Getting file and download URL..."
-# Python is sadly the nearest to universal way to safely handle JSON with Bash
-# At least this code should be compatible with just about any Python version ever
-# unlike GAM itself. If some users don't have Python we can try grep / sed / etc
-# but that gets really ugly
-pycode="import json
-import sys
-
-attrib = sys.argv[1]
-gamversion = sys.argv[2]
-
-release = json.load(sys.stdin)
-if type(release) is list:
-  for a_release in release:
-    if a_release['prerelease'] and gamversion != 'prerelease':
-      continue
-    elif a_release['draft'] and gamversion != 'draft':
-      continue
-    release = a_release
-    break
-try:
-  for asset in release['assets']:
-    print(asset[attrib])
-  #else:
-  #  print('ERROR: Attribute: {0} for version {1} not found'.format(attrib, gamversion))
-except KeyError:
-  print('ERROR: assets value not found in JSON value of:\n\n%s' % release)"
-
-pycmd="python3"
-$pycmd -V >/dev/null 2>&1
-rc=$?
-if (( $rc != 0 )); then
-  pycmd="python"
-fi
-$pycmd -V >/dev/null 2>&1
-rc=$?
-if (( $rc != 0 )); then
-  pycmd="/usr/bin/python3"
-fi
-$pycmd -V >/dev/null 2>&1
-rc=$?
-if (( $rc != 0 )); then
-  pycmd="python2"
-fi
-$pycmd -V >/dev/null 2>&1
-rc=$?
-if (( $rc != 0 )); then
-  echo_red "ERROR: No version of python installed."
-  exit
-fi
-download_urls=$(echo "$release_json" | $pycmd -c "$pycode" browser_download_url "$gamversion")
-if [[ ${download_urls:0:5} = "ERROR" ]]; then
-  echo_red "${download_urls}"
-  exit
-fi
-
-case $gamos in
-  [lL]inux)
-    gamos="linux"
-    download_urls=$(echo -e "$download_urls" | grep "\-linux-")
-    if [ "$osversion" == "" ]; then
-      this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
-    else
-      this_glibc_ver=$osversion
-    fi
-    echo "This Linux distribution uses glibc $this_glibc_ver"
-    case $gamarch in
-      x86_64)
-	download_urls=$(echo -e "$download_urls" | grep "\-x86_64-")
-	gam_x86_64_glibc_vers=$(echo -e "$download_urls" | \
-		grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' \
-	        | cut -c 6-9 )
-	useglibc="legacy"
-        for gam_glibc_ver in $gam_x86_64_glibc_vers; do
-          if version_gt $this_glibc_ver $gam_glibc_ver; then
-            useglibc="glibc$gam_glibc_ver"
-            echo_green "Using GAM compiled against $useglibc"
-            break
-          fi
-        done
-        download_url=$(echo -e "$download_urls" | grep "$useglibc")
-	;;
-      arm|arm64|aarch64)
-        download_urls=$(echo -e "$download_urls" | grep "\-aarch64-")
-        gam_arm64_glibc_vers=$(echo -e "$download_urls" | \
-                grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' \
-                | cut -c 6-9 )
-        useglibc="legacy"
-        for gam_glibc_ver in $gam_arm64_glibc_vers; do
-          if version_gt $this_glibc_ver $gam_glibc_ver; then
-            useglibc="glibc$gam_glibc_ver"
-            echo_green "Using GAM compiled against $useglibc"
-            break
-          fi
-        done
-        download_url=$(echo -e "$download_urls" | grep "$useglibc")
-	;;
-      *)
-        echo_red "ERROR: this installer currently only supports x86_64 and arm64 Linux. Looks like you're running on $gamarch. Exiting."
-        exit
-    esac
-    ;;
-  [Mm]ac[Oo][sS]|[Dd]arwin)
-    gamos="macos"
-    fullversion=$(sw_vers -productVersion)
-    # override osversion only if it wasn't set by cli arguments
-    osversion=${osversion:-${fullversion:0:2}}
-    download_urls=$(echo -e "$download_urls" | grep "\-macos-")
-    case $gamarch in
-      x86_64)
-        download_url=$(echo -e "$download_urls" | grep "\-x86_64")
-	minimum_version=13
-        ;;
-      arm|arm64|aarch64)
-        download_url=$(echo -e "$download_urls" | grep "\-aarch64")
-	minimum_version=14
-        ;;
-      *)
-        echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on ${gamarch}. Exiting."
-        exit
-	;;
-    esac
-    if [[ "$osversion" -ge "$minimum_version" ]]; then
-      echo_green "You are running MacOS ${fullversion}, good. Using GAM with ${download_url}."
-    else
-      echo_red "Sorry, you are running MacOS ${fullversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
-      exit
-    fi
-    ;;
-  MINGW64_NT*)
-    gamos="windows"
-    echo "You are running Windows"
-    download_url=$(echo -e "$download_urls" | grep "\-windows-" | grep ".zip")
-    ;;
-  *)
-    echo_red "Sorry, this installer currently only supports Linux and MacOS. Looks like you're running on ${gamos}. Exiting."
-    exit
-    ;;
-esac
-
-# Temp dir for archive
-temp_archive_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
-
-# Clean up after ourselves even if we are killed with CTRL-C
-trap "rm -rf $temp_archive_dir" EXIT
-
-# hack to grab the end of the URL which should be the filename.
-name=$(echo -e "$download_url" | rev | cut -f1 -d "/" | rev)
-
-echo_yellow "Downloading ${download_url} to $temp_archive_dir ($check_type)..."
-# Save archive to temp w/o losing our path
-(cd "$temp_archive_dir" && curl -O -L -s "${curl_opts[@]}" "$download_url")
-
-mkdir -p "$target_dir"
-
-echo_yellow "Extracting archive to $target_dir"
-if [[ "$name" =~ tar.xz|tar.gz|tar ]]; then
-  tar $strip_gam -xf "$temp_archive_dir"/"$name" -C "$target_dir"
-elif [[ "$name" == *.zip ]]; then
-  unzip -o "${temp_archive_dir}/${name}" -d "${target_dir}"
-else
-  echo "I don't know what to do with files like ${name}. Giving up."
-  exit 1
-fi
-rc=$?
-if (( $rc != 0 )); then
-  echo_red "ERROR: extracting the GAM archive with tar failed with error $rc. Exiting."
-  exit
-else
-  echo_green "Finished extracting GAM archive."
-fi
-
-# Update profile to add gam command
-if [ "$update_profile" = true ]; then
-  alias_line="alias gam=\"${target_dir// /\\ }/$target_gam\""
-  if [ "$gamos" == "linux" ]; then
-    update_profile "$HOME/.bash_aliases" 0 || update_profile "$HOME/.bash_profile" 0 || update_profile "$HOME/.bashrc" 0
-    update_profile "$HOME/.zshrc" 0
-  elif [ "$gamos" == "macos" ]; then
-    update_profile "$HOME/.bash_aliases" 0 || update_profile "$HOME/.bash_profile" 0 || update_profile "$HOME/.bashrc" 0 || update_profile "$HOME/.profile" 1
-    update_profile "$HOME/.zshrc" 1
-  fi
-else
-  echo_yellow "skipping profile update."
-fi
-
-if [ "$upgrade_only" = true ]; then
-  echo_green "Here's information about your GAM upgrade:"
-  "$target_dir/$target_gam" version extended
-  rc=$?
-  if (( $rc != 0 )); then
-    echo_red "ERROR: Failed running GAM for the first time with return code $rc. Please report this error to GAM mailing list. Exiting."
-    exit
-  fi
-
-  echo_green "GAM upgrade complete!"
-  exit
-fi
-
-# Set config command
-#config_cmd="config no_browser false"
-
-while true; do
-  read -p "Can you run a full browser on this machine? (usually Y for MacOS, N for Linux if you SSH into this machine) " yn
-  case $yn in
-    [Yy]*)
-      break
-      ;;
-    [Nn]*)
-#      config_cmd="config no_browser true"
-      touch "$target_dir/gam/nobrowser.txt" > /dev/null 2>&1
-      break
-      ;;
-    *)
-      echo_red "Please answer yes or no."
-      ;;
-  esac
-done
-echo
-
-project_created=false
-while true; do
-  read -p "GAM is now installed. Are you ready to set up a Google API project for GAM? (yes or no) " yn
-  case $yn in
-    [Yy]*)
-      if [ "$adminuser" == "" ]; then
-        read -p "Please enter your Google Workspace admin email address: " adminuser
-      fi
-#      "$target_dir/$target_gam" $config_cmd create project $adminuser
-      "$target_dir/$target_gam" create project $adminuser
-      rc=$?
-      if (( $rc == 0 )); then
-        echo_green "Project creation complete."
-        project_created=true
-        break
-      else
-        echo_red "Project creation failed. Trying again. Say N to skip project creation."
-      fi
-      ;;
-    [Nn]*)
-      echo -e "\nYou can create an API project later by running:\n\ngam create project\n"
-      break
-      ;;
-    *)
-      echo_red "Please answer yes or no."
-      ;;
-  esac
-done
-
-admin_authorized=false
-while $project_created; do
-  read -p "Are you ready to authorize GAM to perform Google Workspace management operations as your admin account? (yes or no) " yn
-  case $yn in
-    [Yy]*)
-#      "$target_dir/$target_gam" $config_cmd oauth create $adminuser
-      "$target_dir/$target_gam" oauth create $adminuser
-      rc=$?
-      if (( $rc == 0 )); then
-        echo_green "Admin authorization complete."
-        admin_authorized=true
-        break
-      else
-        echo_red "Admin authorization failed. Trying again. Say N to skip admin authorization."
-      fi
-      ;;
-     [Nn]*)
-       echo -e "\nYou can authorize an admin later by running:\n\ngam oauth create\n"
-       break
-       ;;
-     *)
-       echo_red "Please answer yes or no."
-       ;;
-  esac
-done
-
-service_account_authorized=false
-while $admin_authorized; do
-  read -p "Are you ready to authorize GAM to manage Google Workspace user data and settings? (yes or no) " yn
-  case $yn in
-    [Yy]*)
-      if [ "$regularuser" == "" ]; then
-        read -p "Please enter the email address of a regular Google Workspace user: " regularuser
-      fi
-      echo_yellow "Great! Checking service account scopes.This will fail the first time. Follow the steps to authorize and retry. It can take a few minutes for scopes to PASS after they've been authorized in the admin console."
-#      "$target_dir/$target_gam" $config_cmd user $regularuser check serviceaccount
-      "$target_dir/$target_gam" user $regularuser check serviceaccount
-      rc=$?
-      if (( $rc == 0 )); then
-        echo_green "Service account authorization complete."
-        service_account_authorized=true
-        break
-      else
-        echo_red "Service account authorization failed. Confirm you entered the scopes correctly in the admin console. It can take a few minutes for scopes to PASS after they are entered in the admin console so if you're sure you entered them correctly, go grab a coffee and then hit Y to try again. Say N to skip admin authorization."
-      fi
-      ;;
-     [Nn]*)
-       echo -e "\nYou can authorize a service account later by running:\n\ngam user $adminuser check serviceaccount\n"
-       break
-       ;;
-     *)
-       echo_red "Please answer yes or no."
-       ;;
-  esac
-done
-
-echo_green "Here's information about your new GAM installation:"
-#"$target_dir/$target_gam" $config_cmd save version extended
-"$target_dir/$target_gam" version extended
-rc=$?
-if (( $rc != 0 )); then
-  echo_red "ERROR: Failed running GAM for the first time with $rc. Please report this error to GAM mailing list. Exiting."
-  exit
-fi
-
-echo_green "GAM installation and setup complete!"
-if [ "$update_profile" = true ]; then
-  echo_green "Please restart your terminal shell or to get started right away run:\n\n$alias_line"
-fi
--- a/src/project-apis.txt
+++ b/src/project-apis.txt
@@ -1,23 +0,0 @@
-accesscontextmanager.googleapis.com
-admin.googleapis.com
-alertcenter.googleapis.com
-calendar-json.googleapis.com
-chat.googleapis.com
-chromemanagement.googleapis.com
-chromepolicy.googleapis.com
-classroom.googleapis.com
-cloudidentity.googleapis.com
-cloudresourcemanager.googleapis.com
-contacts.googleapis.com
-drive.googleapis.com
-driveactivity.googleapis.com
-iap.googleapis.com
-gmail.googleapis.com
-groupssettings.googleapis.com
-iam.googleapis.com
-licensing.googleapis.com
-reseller.googleapis.com
-sheets.googleapis.com
-siteverification.googleapis.com
-storage-api.googleapis.com
-vault.googleapis.com
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,14 +1,14 @@
-chardet
-cryptography
+chardet>=5.2.0
+cryptography>=44.0.2
 distro; sys_platform=='linux'
-filelock
-google-api-python-client>=2.1
-google-auth-httplib2
-google-auth-oauthlib>=0.4.1
-google-auth>=2.3.2
-httplib2>=0.17.0
-lxml
-passlib>=1.7.2
-pathvalidate
+filelock>=3.18.0
+google-api-python-client>=2.167.0
+google-auth-httplib2>=0.2.0
+google-auth-oauthlib>=1.2.2
+google-auth>=2.39.0
+httplib2>=0.22.0
+lxml>=5.4.0
+passlib>=1.7.4
+pathvalidate>=3.2.3
 python-dateutil
-yubikey-manager>=5.0
+yubikey-manager>=5.6.1
--- a/src/serviceaccountlookup-v1.json
+++ b/src/serviceaccountlookup-v1.json
@@ -1,141 +0,0 @@
-{
-  "basePath": "",
-  "baseUrl": "https://www.googleapis.com/service_accounts/v1",
-  "canonicalName": "serviceaccountlookup",
-  "description": "Pseudo-API to lookup public certificates for a service account anonymously",
-  "discoveryVersion": "v1",
-  "documentationLink": "https://example.com/",
-  "fullyEncodeReservedExpansion": true,
-  "icons": {
-    "x16": "http://www.google.com/images/icons/product/search-16.gif",
-    "x32": "http://www.google.com/images/icons/product/search-32.gif"
-  },
-  "id": "serviceaccountlookup:v1",
-  "kind": "discovery#restDescription",
-  "name": "serviceaccountlookup",
-  "ownerDomain": "google.com",
-  "ownerName": "Google",
-  "packagePath": "admin",
-  "parameters": {
-    "$.xgafv": {
-      "description": "V1 error format.",
-      "enum": [
-        "1",
-        "2"
-      ],
-      "enumDescriptions": [
-        "v1 error format",
-        "v2 error format"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "access_token": {
-      "description": "OAuth access token.",
-      "location": "query",
-      "type": "string"
-    },
-    "alt": {
-      "default": "json",
-      "description": "Data format for response.",
-      "enum": [
-        "json",
-        "media",
-        "proto"
-      ],
-      "enumDescriptions": [
-        "Responses with Content-Type of application/json",
-        "Media download with context-dependent Content-Type",
-        "Responses with Content-Type of application/x-protobuf"
-      ],
-      "location": "query",
-      "type": "string"
-    },
-    "callback": {
-      "description": "JSONP",
-      "location": "query",
-      "type": "string"
-    },
-    "fields": {
-      "description": "Selector specifying which fields to include in a partial response.",
-      "location": "query",
-      "type": "string"
-    },
-    "key": {
-      "description": "API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token.",
-      "location": "query",
-      "type": "string"
-    },
-    "oauth_token": {
-      "description": "OAuth 2.0 token for the current user.",
-      "location": "query",
-      "type": "string"
-    },
-    "prettyPrint": {
-      "default": "true",
-      "description": "Returns response with indentations and line breaks.",
-      "location": "query",
-      "type": "boolean"
-    },
-    "quotaUser": {
-      "description": "Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters.",
-      "location": "query",
-      "type": "string"
-    },
-    "uploadType": {
-      "description": "Legacy upload protocol for media (e.g. \"media\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    },
-    "upload_protocol": {
-      "description": "Upload protocol for media (e.g. \"raw\", \"multipart\").",
-      "location": "query",
-      "type": "string"
-    }
-  },
-  "protocol": "rest",
-  "resources": {
-    "serviceaccounts": {
-      "methods": {
-        "lookup": {
-          "description": "Lookup",
-          "flatPath": "metadata/x509/{account}",
-          "httpMethod": "GET",
-          "id": "serviceaccountslookup.lookup",
-          "parameterOrder": [
-            "account"
-          ],
-          "parameters": {
-            "account": {
-              "description": "Email or ID of the service account.",
-              "location": "path",
-              "required": true,
-              "type": "string"
-            }
-          },
-          "path": "metadata/x509/{account}",
-	  "response": {
-            "$ref": "Certificates"
-          }
-        }
-      }
-    }
-  },
-  "rootUrl": "https://www.googleapis.com/service_accounts/v1",
-  "schemas": {
-    "Certificates": { 
-      "description": "JSON template for certificates.",
-      "id": "Certificates",
-      "properties": {
-        "email": {          "description": "Email of the delegate.",
-          "type": "string"
-        }
-      },
-      "type": "object"
-    }
-  },
-  "servicePath": "",
-  "title": "Service Account Lookup Pseudo-API",
-  "version": "v1",
-  "version_module": true
-}
--- a/src/setup.cfg
+++ b/src/setup.cfg
@@ -17,26 +17,28 @@ classifiers =
    Programming Language :: Python :: 3.10
    Programming Language :: Python :: 3.11
    Programming Language :: Python :: 3.12
+    Programming Language :: Python :: 3.13
    License :: OSI Approved :: Apache License

 [options]
 packages = find:
-python_requires = >= 3.8
+python_requires = >= 3.9
+# The following files should be edited to match: pyproject.toml, requirements.txt
 install_requires =
-    chardet
-    cryptography
+    chardet >= 5.2.0
+    cryptography >= 44.0.2
    distro; sys_platform == 'linux'
-    filelock
-    google-api-python-client >= 2.36
-    google-auth-httplib2
-    google-auth-oauthlib >= 0.4.6
-    google-auth >= 2.3.3
-    httplib2 >= 0.20.2
-    lxml
+    filelock >= 3.18.0
+    google-api-python-client >= 2.167.0
+    google-auth-httplib2 >= 0.2.0
+    google-auth-oauthlib >= 1.2.2
+    google-auth >= 2.39.0
+    httplib2 >= 0.22.0
+    lxml >= 5.4.0
    passlib >= 1.7.4
-    pathvalidate
+    pathvalidate >= 3.2.3
    python-dateutil
-    yubikey-manager >= 5.0
+    yubikey-manager >= 5.6.1

 [options.package_data]
 * = *.pem
--- a/src/tools/gen-wix-xml-filelist.py
+++ b/src/tools/gen-wix-xml-filelist.py
@@ -1,58 +1,23 @@
-import os
-import sys
 import uuid
+from lxml import etree
+import sys

-source_dir = sys.argv[1]
-template_file = sys.argv[2]
-target_file = sys.argv[3]
+# Hacky solution to create a Guid for all files
+# so Wix is happy and Guid is stable every time.
+# uuid5 is used for the Guid and the input is the
+# source filename so the Guid will be the same
+# every time as long as the source file name is
+# the same.

-existing_components = {
-    'gam.exe': '''      <Component Id="gam_exe" Guid="d046ea24-c9f8-40ca-84db-70b0119933ff">
-        <File Name="gam.exe" KeyPath="yes" />
-        <Environment Id="PATH" Name="PATH" Value="[INSTALLFOLDER]" Permanent="yes" Part="last" Action="set" System="yes" />
-      </Component>
-''',
-    'LICENSE': '''      <Component Id="license" Guid="c76864c5-d005-44d5-bb7c-a27e5923792d">
-        <File Name="LICENSE" KeyPath="yes" />
-      </Component>
-''',
-    'gam-setup.bat': '''      <Component Id="gam_setup_bat" Guid="5e6bbacb-d86f-4d80-a10b-89b81ee63fcb">
-        <File Name="gam-setup.bat" KeyPath="yes" />
-      </Component>
-''',
-    'GamCommands.txt': '''      <Component Id="GamCommands_txt" Guid="a2dca862-b222-469e-a637-95ea2a1c53e7">
-        <File Name="GamCommands.txt" KeyPath="yes" />
-      </Component>
-''',
-    'GamUpdate.txt': '''      <Component Id="GamUpdate_txt" Guid="1b7cdd48-0fff-4943-a219-102fcd14c755">
-        <File Name="GamUpdate.txt" KeyPath="yes" />
-      </Component>
-''',
-    'cacerts.pem': '''      <Component Id="cacerts_pem" Guid="61fe2b2d-1646-4bed-b844-193965e97727">
-        <File Name="cacerts.pem" KeyPath="yes" />
-      </Component>
-''',
-}
-
-component_xml = ''
-all_files = []
-for root, dirs, files in os.walk(source_dir):
-    for filename in files:
-        relpath = os.path.relpath(root, source_dir)
-        if relpath == '.':
-            all_files.append(filename)
-        else:
-            all_files.append(os.path.join(relpath, filename))
-all_files.sort()
-for filename in all_files:
-    component_xml += existing_components.get(filename,
-                                             f'      <Component>\n        <File Name="{filename}" KeyPath="yes"/>\n      </Component>\n')
-
-with open(template_file, 'r') as f:
-    template = f.read()
-
-full_xml = template.replace('REPLACE_ME_WITH_FILE_COMPONENTS', component_xml)
-
-with open(target_file, 'w') as f:
-    f.write(full_xml)
+rewrite_file = sys.argv[1]

+with open(rewrite_file, 'rb') as f:
+    input_xml = f.read()
+root = etree.fromstring(input_xml)
+for elem in root.getiterator():
+    if 'Guid' in elem.attrib:
+        source = elem.getchildren()[0].attrib['Source']
+        stable_uuid = str(uuid.uuid5(uuid.NAMESPACE_URL, source))
+        elem.attrib['Guid'] = stable_uuid
+with open(rewrite_file, 'w') as f:
+  f.write(etree.tostring(root).decode())
--- a/src/version_info.txt.in
+++ b/src/version_info.txt.in
@@ -0,0 +1,42 @@
+# UTF-8
+#
+# For more details about fixed file info 'ffi' see:
+# http://msdn.microsoft.com/en-us/library/ms646997.aspx
+VSVersionInfo(
+  ffi=FixedFileInfo(
+    # filevers and prodvers should be always a tuple with four items: (1, 2, 3, 4)
+    # Set not needed items to zero 0.
+    filevers={VERSION_TUPLE},
+    prodvers={VERSION_TUPLE},
+    # Contains a bitmask that specifies the valid bits 'flags'r
+    mask=0x3f,
+    # Contains a bitmask that specifies the Boolean attributes of the file.
+    flags=0x0,
+    # The operating system for which this file was designed.
+    # 0x4 - NT and there is no need to change it.
+    OS=0x4,
+    # The general type of file.
+    # 0x1 - the file is an application.
+    fileType=0x2,
+    # The function of the file.
+    # 0x0 - the function is not defined for this fileType
+    subtype=0x0,
+    # Creation date and time stamp.
+    date=(0, 0)
+    ),
+  kids=[
+    StringFileInfo(
+      [
+      StringTable(
+        '040904b0',
+        [StringStruct('CompanyName', 'GAM-team'),
+        StringStruct('FileDescription', 'CLI for Google Workspace admins'),
+        StringStruct('FileVersion', '{VERSION}'),
+        StringStruct('LegalCopyright', 'Copyright (c) 2024 GAM team'),
+        StringStruct('OriginalFilename', 'gam.exe'),
+        StringStruct('ProductName', 'GAM'),
+        StringStruct('ProductVersion', '{VERSION}')])
+      ]),
+    VarFileInfo([VarStruct('Translation', [1033, 1200])])
+  ]
+)
--- a/wiki/00scratch.md
+++ b/wiki/00scratch.md
@@ -0,0 +1,5 @@
+# Scratch Me Wiki
+editing these files shouldn't trigger a regular GitHub Action build.
+
+# Counter
+00010
--- a/wiki/Addresses.md
+++ b/wiki/Addresses.md
@@ -1,12 +1,12 @@
-!# Addresses
+# Addresses
 - [API documentation](#api-documentation)
 - [Display addresses](#display-addresses)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
+* [Directory API - Domains](https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains)
+* [Directory API - Groups](https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups)
+* [Directory API - Resources Calendars](https://developers.google.com/admin-sdk/directory/reference/rest/v1/resources.calendars)
+* [Directory API - Users](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users)

 ## Display addresses
 Produces a three column CSV file (headers Type, Email, Target) that displays all group and user primary
--- a/wiki/Administrators.md
+++ b/wiki/Administrators.md
--- a/wiki/Alert-Center.md
+++ b/wiki/Alert-Center.md
@@ -1,5 +1,6 @@
-!# Alert Center
+# Alert Center
 - [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
 - [Definitions](#definitions)
 - [Introduction](#introduction)
 - [Manage alerts](#manage-alerts)
@@ -8,9 +9,11 @@
 - [Display alert feedback](#display-alert-feedback)

 ## API documentation
-* https://developers.google.com/admin-sdk/alertcenter/reference/rest/
-* https://developers.google.com/admin-sdk/alertcenter/guides/query-filters
-* https://developers.google.com/admin-sdk/alertcenter/reference/filter-fields
+* [Alert Center API](https://developers.google.com/admin-sdk/alertcenter/reference/rest/)
+
+## Query documentation
+* [Query Filters](https://developers.google.com/admin-sdk/alertcenter/guides/query-filters)
+* [Query Fields](https://developers.google.com/admin-sdk/alertcenter/reference/filter-fields)

 ## Definitions
 ```
@@ -26,7 +29,7 @@ select alertId and feedbackId.
 To use these commands you must update your gam project and service account authorization.
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
 ## Manage alerts
 ```
--- a/wiki/Aliases.md
+++ b/wiki/Aliases.md
@@ -14,11 +14,11 @@
 - [Determine if an address is a user, user alias, group or group alias](#determine-if-an-address-is-a-user-user-alias-group-or-group-alias)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/users.aliases
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups.aliases
+* [Directory API - User Aliases](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users.aliases)
+* [Directory API - Group Aliases](https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups.aliases)

 ## Query documentation
-* https://developers.google.com/admin-sdk/directory/v1/guides/search-users
+* [Search Users](https://developers.google.com/admin-sdk/directory/v1/guides/search-users)

 ## Definitions
 See [Collections of Items](Collections-of-Items)
@@ -32,6 +32,12 @@ See [Collections of Items](Collections-of-Items)
 <EmailAddressEntity> ::= <EmailAddressList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <UniqueID> ::= id:<String>
+
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
 ```
 ## Create an alias for a target
 ```
@@ -97,7 +103,7 @@ gam print aliases [todrive <ToDriveAttribute>*]
         [limittoou <OrgUnitItem>])
        [user|users <EmailAddressList>] [group|groups <EmailAddressList>]
        [select <UserTypeEntity>]
-        [aliasmatchpattern <RegularExpression>]
+        [aliasmatchpattern <REMatchPattern>]
        [shownoneditable] [nogroups] [nousers]
        [onerowpertarget] [delimiter <Character>]
        [suppressnoaliasrows]
@@ -111,7 +117,7 @@ By default, group and user aliases in all domains in the account are selected; t
 * `user|users <EmailAddressList>` - Print aliases for users in `<EmailAddressList`
 * `select <UserTypeEntity>` - Print aliases for users in `<UserTypeEntity>`
 * `group|groups <EmailAddressList>` - Print aliases for groups in `<EmailAddressList`
-* `aliasmatchpattern <RegularExpression>` - Print aliases that match a pattern
+* `aliasmatchpattern <REMatchPattern>` - Print aliases that match a pattern
 * `nogroups` - Print only user aliases
 * `nousers` - Print only group aliases

@@ -149,7 +155,7 @@ Alias,Target,TargetType

 ## Bulk delete aliases
 You can bulk delete aliases as follows; use `(query <QueryUser>)|(queries <QueryUserList>)` and
-`aliasmatchpattern <RegularExpression>` as desired.
+`aliasmatchpattern <REMatchPattern>` as desired.
 ```
 gam redirect csv ./OldDomainAliases.csv print aliases aliasmatchpattern ".*@olddomain.com" onerowpertarget suppressnoaliasrows
 gam redirect stdout ./DeleteAliases.txt multiprocess redirect stderr stdout csv ./OldDomainAliases.csv gam remove aliases "~Target" "~TargetType" "~Aliases"
@@ -191,4 +197,3 @@ The return code is set based on `<TypeOfEmailItem>`:
 * Group Alias - 23
 * User Invitation - 24
 * Unknown - 59
-
--- a/wiki/Authorization.md
+++ b/wiki/Authorization.md
@@ -1,7 +1,6 @@
 # Authorization
 - [Introduction](#introduction)
 - [Headless computers and Cloud Shells](#headless-computers-and-cloud-shells)
- [Version 5 Update](#version-5-update)
 - [API documentation](#api-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [Definitions](#definitions)
@@ -46,6 +45,7 @@
  - [Install GAM on the limited users computer](#install-gam-on-the-limited-users-computer)
  - [Test Client and Service Account access on the non-administrator computer](#test-client-and-service-account-access-on-the-non-administrator-computer)
  - [Unselect limited section on your computer.](#unselect-limited-section-on-your-computer)
+- [Delete old versions of GAM from Configured Apps](#delete-old-versions-of-gam-from-configured-apps)

 ## Introduction
 GAM requires authorization to perform tasks on your domain; the tasks break down into two categories:
@@ -64,6 +64,7 @@ Verify the following steps:
 * If groups are used to authenticate access, make sure the super admin is in one of the groups
 * Collapse "Service status"
 * Expand "Cloud Resource Manager API settings"
+* Select the OU in the left that contains the super admin you'll be using
 * Make sure that "Allow users to create projects" is checked

 Verify that all scopes are available:
@@ -93,19 +94,17 @@ If you run a Google Workspace Education SKU, verify that the super admin you'll

 Based on your domain policies, you may have to mark GAM as a trusted app. These steps are performed after a project is created.
 * Access the admin console and go to Security -> Access and data control -> API controls
-* Check Trust internal, domain-owned apps
-* Click **Manage third-party app access**
-* Click Add app and select **OAuth App Name Or Client ID**
-* Paste client_id value from client_secrets.json
+* Click Manage third-party app access
+* Click Configure new app
+* Paste client_id value from client_secrets.json in Search for app
 * Click Search
-* Click Select at right end of line referencing GAM
-* Check box to the left of the line with GAM client ID
-* Click Select
-* Keep the default scope domain.com (all users) or select an org unit that includes your GAM admin
-* Click Next/Continue
+* Click the line referencing GAM
+* Keep the default scope All in domain.com (all users) or select an org unit that includes your GAM admin
+* Click Continue
 * Click Trusted: App can request access to all Google data
-* Click Next/Continue
+* Click Continue
 * Click Finish
+* Press Confirm if Confirm parental consent pops up

 Verify whether the super admin you'll be using is in an OU where reauthentication is required.
 * Access the admin console and go to Security -> Overview
@@ -114,7 +113,6 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
 * If Require reauthentication is selected and Exempt Trusted apps is not checked, you'll have to do `gam oauth create` at whatever frequency is specified
 * If that sounds unappealing, check Exempt Trusted apps
 * Click "OVERRIDE"
-* Follow the steps below to mark GAM as a trusted app

 Additional steps may be required if errors are encountered.
 * [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
@@ -127,25 +125,6 @@ as required by Google for headless computers/cloud shells; this is required as o
 * See: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html
  * OAuth out-of-band (oob) flow will be deprecated

-## Version 5 Update
-GAM version `5.00.00` replaced the deprecated `oauth2client` library with the `google-auth` library.
-This change requires a one-time update of the client access file `oauth2.txt`; GAM will continue
-to use the old version of `oauth2.txt` until you perform the update. There is a small performance
-impact until the update is performed. However, you can't use the updated version of `oauth2.txt`
-in prior versions of GAM; if you want to run GAM `5.00.00` and prior versions of GAM,
-do not perform the update until you no longer need to run the prior versions of GAM.
-
-If you are running any GAM version `4.85.00` or later, perform the following command
-after installing `5.00.00` to perform the update.
-```
-gam oauth refresh
-```
-If you are running any GAM version before `4.85.00`, perform the following command
-after installing `5.00.00` to perform the update.
-```
-gam oauth update
-```
-
 ## API documentation
 * https://cloud.google.com/resource-manager/docs/creating-managing-organization#adding_an_organization_administrator
 * https://cloud.google.com/service-usage/docs/reference/rest
@@ -183,12 +162,11 @@ gam oauth update
 ```
 ## Manage Projects
 In all of the project commands, the Google Workspace admin/GCP project manager `<EmailAddress>` can be omitted; you will be prompted for a value.
-You must enter a full address, i.e., user@domain.com; you will be required to enter the password.
+You must enter a full address, i.e., user@domain.com; you will be required to authenticate.

-For `print|show projects`, you can eliminate the password requirement by enabling the following scope in `gam update serviceaccount`;
-GAM will then use Service Account access to display projects.
+For `print|show projects`, you can eliminate the password prompt and authentication requirement by specifying the super admin emailaddress used in `gam oauth create`.
 ```
-[*]  9)  Cloud Resource Manager API v3
+gam print projects admin admin@domain.com
 ```

 ## Authorize a super admin to create projects
@@ -198,7 +176,7 @@ perform these steps and then retry the create project command.
 * Login as an existing super admin at console.cloud.google.com
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
-* Click the down arrow in the box to the right of Google Cloud
+* Click in the box to the right of Google Cloud
 * Click the three dots at the right and select IAM/Permissions
 * Now you should be at "Permissions for organization ..."
 * Click on Grant Access
@@ -207,38 +185,45 @@ perform these steps and then retry the create project command.
 * Type project creator in the Filter box
 * Click Project Creator
 * Click + Add Another Role
-* Type organization policy administrator in the Filter box
-* Click Orgainzation Policy Administrator
+* Type orgpolicy.policyAdmin in the Filter box
+* Click Organization Policy Administrator
 * Click Save

 ## Authorize Service Account Key Uploads

-If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`,
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxxxx`,
 perform these steps and then you should be able to authorize and use your project.

 * Login as an existing super admin at console.cloud.google.com
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
-* Click the down arrow in the box to the right of Google Cloud
+* Click in the box to the right of Google Cloud
 * Click the three dots at the right and select IAM/Permissions
 * Now you should be at "Permissions for organization ..."
 * Click on Grant Access
 * Enter the new admin address in Principals
 * Click in the Select a role box
-* Type organization policy administrator in the Filter box
+* Type orgpolicy.policyAdmin in the Filter box
 * Click Organization Policy Administrator
 * Click Save
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
-* Click the down arrow in the box to the right of Google Cloud
+* Click in the box to the right of Google Cloud
 * Click the three dots at the right and select Manage Resources
 * Click the three dots at the end of the line for the GAM project just created
 * Click Settings
 * Click Organization Policies in the left column
 * Now you should be at "Policies for Gam Project"
 * Click in the Filter box
-* Enter iam.disableServiceAccountKeyUpload
-* Click the three dots at the end of the Disable Service Account Key Upload
+* Enter iam.managed.disableServiceAccountKeyUpload
+* Click the three dots at the end of the Disable service account key upload/iam.managed.disableServiceAccountKeyUpload line
+* Choose Edit policy
+* Click Override parent's policy
+* Click Add A Rule
+* Select Enforcement/Off
+* Click Done
+* Click Set Policy
+* Click the three dots at the end of the Disable Service Account Key Upload/iam.disableServiceAccountKeyUpload line
 * Choose Edit policy
 * Click Override parent's policy
 * Click Add A Rule
@@ -293,13 +278,13 @@ You can skip these steps if you know that untrusted third-party apps are allowed

 ### Default values
 * `<AppName>` - "GAM"
-* `<ProjectID>` - "gam-project-abc-def-jki" where "abc-def-ghi" are randomly generated
+* `<ProjectID>` - "gam-project-a1b2c" where "a1b2c" are randomly generated
 * `<ProjectName>` - "GAM Project"
 * `<ServiceAccountName>` - `<ProjectID>`
 * `<ServiceAccountDisplayName>` - `<ProjectName>`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`

-### Basic
+### Basic Create
 Create a project with default values for the project and service account.
 ```
 gam create project [<EmailAddress>] [<ProjectID>]
@@ -307,7 +292,7 @@ gam create project [<EmailAddress>] [<ProjectID>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `<ProjectID>` - A new Google project ID; if omitted, a default value will be used

-### Advanced
+### Advanced Create
 Create a project with user-specified values for the project and service account.
 ```
 gam create project [admin <EmailAddress>] [project <ProjectID>]
@@ -342,7 +327,7 @@ Use an existing project to create and download two files: `client_secrets.json`
 * `<ServiceAccountDisplayName>` - `<ProjectName>`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`

-### Basic
+### Basic Use
 Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when
 the GCP  administrators have created a basic project because project creation is not available for most users.

@@ -354,12 +339,13 @@ gam use project [<EmailAddress>] [project <ProjectID>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `<ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID

-### Advanced
+### Advanced Use
 Use an existing project with user-specified values for the service account. If the project is already
 a GAM project you must use `saname <ServiceAccountName>` as the existing service account information
 can not be re-downloaded.
 ```
 gam use project [admin <EmailAddress>] [project <ProjectID>]
+        [appname <String>] [supportemail <EmailAddress>]
        [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
        [sadescription <ServiceAccountDescription>]
        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
@@ -382,7 +368,7 @@ gam update project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -394,7 +380,7 @@ gam delete project [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - A Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -414,7 +400,7 @@ gam show projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>]

 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -432,7 +418,7 @@ gam print projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>] [todrive <To

 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -651,8 +637,6 @@ gam select bbb oauth update
 ```

 ## Refresh Client credentials
-If necessary, update `oauth2.txt` from versions of GAM before `5.00.00`.
-
 Refresh the expiration time in `oauth2.txt`.
 ```
 gam oauth refresh
@@ -687,13 +671,9 @@ Export `oauth2.txt` in JSON form.
 ```
 gam oauth|oauth2 export [<FileName>]
 ```
-For GAM version `5.00.00` and later:
 * If `<FileName>` is omitted, the JSON data is written to `oauth2.txt`.
 * If `<FileName>` is `-`, the JSON data is written to stdout.

-For GAM versions before `5.00.00`:
-* If `<FileName>` is omitted, the JSON data is written to stdout.
-
 ## Manage Service Accounts
 In all of the service account commands, the Google Workspace admin/GCP project manager `<EmailAddress>` can be omitted; you will be prompted for a value.
 You must enter a full address, i.e., user@domain.com; you will be required to enter the password.
@@ -718,7 +698,7 @@ gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -741,7 +721,7 @@ gam delete svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address

 Use these options to select projects.
-* `current` - The project referenced in `client_secret.json`; this is the default
+* `current` - The project referenced in `client_secrets.json`; this is the default
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -762,7 +742,7 @@ gam print svcaccts [[admin] <EmailAddress>] [all|<ProjectIDEntity>]

 Use these options to select projects.
 * `all` - All projects accessible by the administrator; this is the default
-* `current` - The project referenced in `client_secret.json`
+* `current` - The project referenced in `client_secrets.json`
 * `gam` - Projects accessible by the administrator that were created by Gam, i.e, their project ID begins with `gam-project-`
 * `<ProjectID>` - A Google API project ID
 * `filter <String>` - A filter to select projects accessible by the administrator; see the API documentation
@@ -994,8 +974,8 @@ gam user user@domain.com update serviceaccount
 [*] 18)  Drive API (supports readonly)
 [*] 19)  Drive API - todrive
 [*] 20)  Drive Activity API v2 - must pair with Drive API
-[*] 21)  Drive Labels API v2beta - Admin (supports readonly)
-[*] 22)  Drive Labels API v2beta - User (supports readonly)
+[*] 21)  Drive Labels API - Admin (supports readonly)
+[*] 22)  Drive Labels API - User (supports readonly)
 [*] 23)  Forms API
 [*] 24)  Gmail API - Basic Settings (Filters,IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read
 [*] 25)  Gmail API - Full Access (Labels, Messages)
@@ -1236,3 +1216,22 @@ Once you have finished setting up authorizations for the limited user, you need
 gam select default save
 gam select <Section> save
 ```
+
+## Delete old versions of GAM from Configured Apps
+
+```
+In the Admin console, go to Security/Access and Data Control/API Controls/MANAGE THIRD-PARTY APP ACCESS
+Click Download list
+Select Comma-separated values (.csv)
+Click Download
+Click Download CSV
+The CSV file will be named: owl_apps.csv
+Remove the rows of apps you want to keep.
+Edit the column Access to UNCONFIGURED for those rows you want to remove.
+Click Bulk update list
+Click Attach CSV file
+Locate owl_apps.csv
+Click Upload
+Click Upload
+Click Confirm
+```
--- a/wiki/BNF-Syntax.md
+++ b/wiki/BNF-Syntax.md
@@ -1,4 +1,4 @@
-!# Syntax
+# Syntax

 ## BNF Syntax
 This Wiki describes the GAM7 command line syntax in modified BNF.
--- a/wiki/Basic-Items.md
+++ b/wiki/Basic-Items.md
@@ -1,4 +1,4 @@
-!# Basic Items
+# Basic Items
 - [Primitives](#primitives)
 - [Items built from primitives](#items-built-from-primitives)
 - [Named items](#named-items)
@@ -252,6 +252,9 @@
        now|today
 <RegularExpression> ::= <String>
        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
 <ProjectID> ::= <String>
        Must match this Python Regular Expression: [a-z][a-z0-9-]{4,28}[a-z0-9]
 <ServiceAccountName> ::= <String>
@@ -274,14 +277,20 @@
        <EmailAddress>|user:<EmailAddress>|group:<EmailAddress>|
        domain:<DomainName>|domain|default
 <CalendarItem> ::= <EmailAddress>
-<GIGroupAlias> ::= <EmailAddress>
-<GIGroupItem> ::= <EmailAddress>|<UniqueID>|groups/<String>
-<CIGroupType> ::= customer|group|other|serviceaccount|user
 <ChannelCustomerID> ::= <String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMessage> ::= spaces/<String>/messages/<String>
 <ChatSpace> ::= spaces/<String> | space <String> | space spaces/<String>
 <ChatThread> ::= spaces/<String>/threads/<String>
+<GIGroupAlias> ::= <EmailAddress>
+<GIGroupItem> ::= <EmailAddress>|<UniqueID>|groups/<String>
+<CIGroupMemberType> ::= cbcmbrowser|chromeosdevice|customer|group|other|serviceaccount|user
+<CIPolicyName> ::= policies/<String>|settings/<String>|<String>
+<ClassificationLabelID> ::= <String>
+<ClassificationLabelFieldID> ::= <String>
+<ClassificationLabelSelectionID> ::= <String>
+<ClassificationLabelName> ::= labels/<ClassificationLabelID>[@latest|@published|@<Number>]
+<ClassificationLabelPermissionName> ::= labels/<ClassificationLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <ClassroomInvitationID> ::= <String>
 <ClientID> ::= <String>
 <CommandID> ::= <String>
@@ -351,11 +360,6 @@
 <DriveFilePermissionID> ::= anyone|anyonewithlink|id:<String>
 <DriveFilePermissionIDorEmail> ::= <DriveFilePermissionID>|<EmailAddress>
 <DriveFileRevisionID> ::= <String>
-<DriveLabelID> ::= <String>
-<DriveLabelFieldID> ::= <String>
-<DriveLabelSelectionID> ::= <String>
-<DriveLabelName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]
-<DriveLabelPermissionName> ::= labels/<DriveLabelID>[@latest|@published|@<Number>]/permissions/(audiences|groups|people)/<String>
 <EmailAddress> ::= <String>@<DomainName>
 <EmailItem> ::= <EmailAddress>|<UniqueID>|<String>
 <EmailReplacement> ::= <String>
@@ -371,7 +375,7 @@
 <FloorName> ::= <String>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GroupRole> ::= owner|manager|member
-<GroupType> ::= customer|group|user
+<GroupMemberType> ::= customer|group|user
 <GuardianItem> ::= <EmailAddress>|<UniqueID>|<String>
 <GuardianInvitationID> ::= <String>
 <HoldItem> ::= <UniqueID>|<String>
@@ -533,6 +537,7 @@
        (tdnotify [<Boolean>])|
        (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
        (tdretaintitle [<Boolean>])|
+        (tdreturnidonly [<Boolean>])|
        (tdshare <EmailAddress> commenter|reader|writer)*|
        (tdsheet (id:<Number>)|<String>)|
        (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
--- a/wiki/Bulk-Processing.md
+++ b/wiki/Bulk-Processing.md
@@ -1,4 +1,4 @@
-!# Bulk Processing
+# Bulk Processing
 - [Introduction](#introduction)
 - [Python Regular Expressions](Python-Regular-Expressions)
 - [GAM Configuration](gam.cfg)
@@ -73,13 +73,13 @@ gam redirect stdout ./NewStudents.out redirect stderr ./NewStudents.err tbatch N
 ```
 gam csv <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
        [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
-        (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
+        (matchfield|skipfield <FieldName> <RESearchPattern>)* [showcmds [<Boolean>]]
        [skiprows <Integer>] [maxrows <Integer>]
        gam <GAMArgumentList>

 gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset <Charset>] [warnifnodata]
        [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>]
-        (matchfield|skipfield <FieldName> <RegularExpression>)* [showcmds [<Boolean>]]
+        (matchfield|skipfield <FieldName> <RESearchPattern>)* [showcmds [<Boolean>]]
        [skiprows <Integer>] [maxrows <Integer>]
        gam <GAMArgumentList>
 ```
@@ -93,7 +93,7 @@ gam loop <FileName>|-|(gsheet <UserGoogleSheet>)|(gdoc <UserGoogleDoc>) [charset
 * `noescapechar <Boolean>` - Should `\` be ignored as an escape character; if not specified, the value of `csv_input_no_escape_char` from `gam.cfg` will be used
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings.
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `showcmds` - Write `timestamp,command number/number of commands,command` to stderr when each command starts; write `timestamp, command number/numberof commands,complete` to stderr when command completes
 * `skiprows <Integer>` - Skip filtered rows from the CSV file/Google Sheet.
  * `skiprows 0` - All rows are processed, this is the default
--- a/wiki/CSV-Input-Filtering.md
+++ b/wiki/CSV-Input-Filtering.md
@@ -15,7 +15,7 @@ There are two values in `gam.cfg` that can be used to filter the input from `gam
 * `csv_input_row_filter` - A list or JSON dictionary used to include specific rows based on column values
 * `csv_input_row_drop_filter` - A list or JSON dictionary used to exclude specific rows based on column values

-These filters can be used alone or in conjunction with the `matchfield|skipfield <FieldName> <RegularExpression>` options.
+These filters can be used alone or in conjunction with the `matchfield|skipfield <FieldName> <REMatchPattern>` options.
 * https://github.com/GAM-team/GAM/wiki/Bulk-Processing#csv-files

 ## Definitions
@@ -40,8 +40,11 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
 <Operator> ::= <|<=|>=|>|=|!=
 <RegularExpression> ::= <String>
        See: https://docs.python.org/3/library/re.html>
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>

-<FieldNameFilter> :: = <RegularExpression>
+<FieldNameFilter> :: = <REMatchPattern>
 <RowValueFilter> ::=
        [(any|all):]boolean:<Boolean>|
        [(any|all):]count<Operator><Number>|
@@ -55,10 +58,10 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
        [(any|all):]lengthrange!=<Number>/<Number>|
        [(any|all):]lengthrange=<Number>/<Number>|
        [(any|all):]notdata:<DataSelector>|
-        [(any|all):]notregex:<RegularExpression>|
-        [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]notregex:<RESearchPattern>|
+        [(any|all):]notregexcs:<RESearchPattern>|
+        [(any|all):]regex:<RESearchPattern>|
+        [(any|all):]regexcs:<RESearchPattern>|
        [(any|all):]text<Operator><String>|
        [(any|all):]textrange!=<String>/<String>|
        [(any|all):]textrange=<String>/<String>|
@@ -82,8 +85,8 @@ Name:value form.
 * `<RowValueFilterList>`, even if it has one element, should be enclosed in `"`.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
-* If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
-* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+* If `<RESearchPattern>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RESearchPattern>` in `<RowValueFilter>` contain a `\` to escape a special character
 or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,

 Examples:
@@ -186,10 +189,10 @@ These are the row value filter types:
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
  * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
 * `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
+* `notregex:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case insensitive
+* `notregexcs:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case sensitive
+* `regex:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case insensitive
+* `regexcs:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
  * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
@@ -205,13 +208,6 @@ These are the row value filter types:
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
  * The field value must be `<` the left `<Time>` or `>` the right `<Time>`

-### **Change in behavior.**
-In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;
-in many cases this is probably not desirable; e.g., matching file names which are case insensitive.
-
-Now, `regex:<RegularExpression>` and `notregex:<RegularExpression>` are processed in a case insensitive manner.
-To get the prior case sensitive processing, use `regexcs:<RegularExpression>` and `notregexcs:<RegularExpression>`.
-
 ### Examples
 You want to process groups with 100 or more direct members.
 ```
@@ -258,7 +254,7 @@ gam selectinputfilter Filter510 csv UserInfo.csv gam user "~primaryEmail" ...
 ```

 ## Validate filters
-Version `6.30.00` added the `gam comment <String>*` command that can be used to validate input row filters.
+The `gam comment <String>*` command that can be used to validate input row filters.
 ```
 $ more Comment.csv 
 col1,col2
@@ -272,4 +268,4 @@ Col1:ccc Col2:333
 $ gam config csv_input_row_filter "col1:regex:bbb"  csv Comment.csv gam comment "Col1:~~col1~~" "Col2:~~col2~~"
 2022-12-18T09:42:26.108-08:00,0/1,Using 1 process...
 Col1:bbb Col2:222
-```
+```
--- a/wiki/CSV-Output-Filtering.md
+++ b/wiki/CSV-Output-Filtering.md
@@ -1,4 +1,4 @@
-!# CSV Output Filtering
+# CSV Output Filtering
 - [Python Regular Expressions](Python-Regular-Expressions) Search function
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
@@ -11,9 +11,11 @@
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)

-There are five values in `gam.cfg` that can be used to filter the output from `gam print` commands.
+There are seven values in `gam.cfg` that can be used to filter the output from `gam print` commands.
 * `csv_output_header_filter` - A list of `<RegularExpressions>` used to select specific column headers to include
 * `csv_output_header_drop_filter` - A list of `<RegularExpressions>` used to select specific column headers to exclude
+* `csv_output_header_force` - A list of <Strings> used to specify the exact column headers to include
+* `csv_output_header_order` - A list of <Strings> used to specify the column header order; any headers in the file but not in the list will appear after the headers in the list.
 * `csv_output_row_filter` - A list or JSON dictionary used to include specific rows based on column values
 * `csv_output_row_drop_filter` - A list or JSON dictionary used to exclude specific rows based on column values
 * `csv_output_row_limit` - A limit on the number of rows written
@@ -44,8 +46,11 @@ on all platforms.
 <Operator> ::= <|<=|>=|>|=|!=
 <RegularExpression> ::= <String>
        See: https://docs.python.org/3/library/re.html>
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>

-<FieldNameFilter> :: = <RegularExpression>
+<FieldNameFilter> :: = <REMatchPattern>
 <ColumnFieldNameFilterList> ::= "<FieldNameFilter>(,<FieldNameFilter>)*"
 <RowValueFilter> ::=
        [(any|all):]boolean:<Boolean>|
@@ -60,10 +65,10 @@ on all platforms.
        [(any|all):]lengthrange!=<Number>/<Number>|
        [(any|all):]lengthrange=<Number>/<Number>|
        [(any|all):]notdata:<DataSelector>
-        [(any|all):]notregex:<RegularExpression>|
-        [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]notregex:<RESearchPattern>|
+        [(any|all):]notregexcs:<RESearchPattern>|
+        [(any|all):]regex:<RESearchPattern>|
+        [(any|all):]regexcs:<RESearchPattern>|
        [(any|all):]text<Operator><String>|
        [(any|all):]textrange!=<String>/<String>|
        [(any|all):]textrange=<String>/<String>|
@@ -87,8 +92,8 @@ Name:value form.
 * `<RowValueFilterList>`, even if it has one element, should be enclosed in `"`.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
-* If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
-* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+* If `<RESearchPattern>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RESearchPattern>` in `<RowValueFilter>` contain a `\` to escape a special character
 or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,

 Examples:
@@ -241,10 +246,10 @@ These are the row value filter types:
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
  * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
 * `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
+* `notregex:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case insensitive
+* `notregexcs:<RESearchPattern>` - Used on fields with text; field value must not match `<RESearchPattern>`; case sensitive
+* `regex:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case insensitive
+* `regexcs:<RESearchPattern>` - Used on fields with text; field value must match `<RESearchPattern>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
  * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
@@ -260,13 +265,6 @@ These are the row value filter types:
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
  * The field value must be `<` the left `<Time>` or `>` the right `<Time>`

-### **Change in behavior.**
-In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;
-in many cases this is probably not desirable; e.g., matching file names which are case insensitive.
-
-Now, `regex:<RegularExpression>` and `notregex:<RegularExpression>` are processed in a case insensitive manner.
-To get the prior case sensitive processing, use `regexcs:<RegularExpression>` and `notregexcs:<RegularExpression>`.
-
 ### Examples
 You want a list of groups with 100 or more direct members.
 ```
@@ -334,7 +332,7 @@ gam config csv_output_row_limit 10 auto_batch_min 1 redirect csv ./BigQuotaFiles
 ```

 ## Saving filters in gam.cfg
-If you define a value for `csv_output_header_filter`, `csv_output_header_drop_filter`, `csv_output_row_filter`, `csv_output_row_drop_filter` or `csv_output_row_limit` in the `[DEFAULT]` section of `gam.cfg`,
+If you define a value for `csv_output_header_filter`, `csv_output_header_drop_filter`, `csv_output_header_force`, `csv_output_header_order`, `csv_output_row_filter`, `csv_output_row_drop_filter` or `csv_output_row_limit` in the `[DEFAULT]` section of `gam.cfg`,
 it will apply to every `gam print` command which is probably not desirable. You can store them in `gam.cfg` in named sections.
 ```
 [Filter510]
--- a/wiki/CSV-Special-Characters.md
+++ b/wiki/CSV-Special-Characters.md
@@ -1,4 +1,4 @@
-!# CSV Special Characters
+# CSV Special Characters
 - [Python CSV documentation](https://docs.python.org/3/library/csv.html#dialects-and-formatting-parameters)

 ## Python variables that control CSV file reading/writing:
--- a/wiki/Calendars-Access.md
+++ b/wiki/Calendars-Access.md
@@ -21,7 +21,7 @@ Calendar ACL roles (as seen in Calendar GUI):
  * `freebusy` & `freebusyreader` - See only free/busy (hide details)

 ## API documentation
-* https://developers.google.com/calendar/v3/reference/acl
+* [Calendar API - ACLs](https://developers.google.com/google-apps/calendar/v3/reference/acl)

 ## Definitions
 ```
--- a/wiki/Calendars-Events.md
+++ b/wiki/Calendars-Events.md
@@ -28,11 +28,17 @@ In general, you should use the following commands to manage user's calendars eve
 Client access works when accessing Resource calendars.

 ## API documentation:
-* https://developers.google.com/calendar/v3/reference/events
-* https://developers.google.com/calendar/v3/reference/events/import
+* [Calendar API - Events](https://developers.google.com/calendar/v3/reference/events)
+* [Calendar API - Import Events](https://developers.google.com/calendar/v3/reference/events/import)

 ## Definitions
 ```
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+
 <Year> ::= <Digit><Digit><Digit><Digit>
 <Month> ::= <Digit><Digit>
 <Day> ::= <Digit><Digit>
@@ -66,9 +72,12 @@ Client access works when accessing Resource calendars.
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
-<EmailAddressList> ::= "<EmailAddess>(,<EmailAddress>)*"
-<EmailAddressEntity> ::= <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<EmailAddressList> ::= "<EmailAddress>(,<EmailAddress>)*"
+<EmailAddressEntity> ::=
+        <EmailAddressList> | <FileSelector> | <CSVFileSelector> |
+        <CSVkmdSelector> | <CSVDataSelector>
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
+<iCalUID> ::= <String>

 <EventAttachmentsSubfieldName> ::=
        attachments.fileid|
@@ -201,20 +210,20 @@ Client access works when accessing Resource calendars.
        (matchfield attendeesonlydomainlist <DomainNameList>)|
        (matchfield attendeesdomainlist <DomainNameList>)|
        (matchfield attendeesnotdomainlist <DomainNameList>)|
-        (matchfield attendeespattern <RegularExpression>)|
+        (matchfield attendeespattern <RESearchPattern>)|
        (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
-        (matchfield creatoremail <RegularExpression>)|
-        (matchfield creatorname <RegularExpression>)|
-        (matchfield description <RegularExpression>)|
-        (matchfield hangoutlink <RegularExpression>)|
-        (matchfield location <RegularExpression>)|
-        (matchfield organizeremail <RegularExpression>)|
-        (matchfield organizername <RegularExpression>)|
+        (matchfield creatoremail <RESearchPattern>)|
+        (matchfield creatorname <RESearchPattern>)|
+        (matchfield description <RESearchPattern>)|
+        (matchfield hangoutlink <RESearchPattern>)|
+        (matchfield location <RESearchPattern>)|
+        (matchfield organizeremail <RESearchPattern>)|
+        (matchfield organizername <RESearchPattern>)|
        (matchfield organizerself <Boolean>)|
-        (matchfield status <RegularExpression>)|
-        (matchfield summary <RegularExpression>)|
-        (matchfield transparency <RegularExpression>)|
-        (matchfield visibility <RegularExpression>)
+        (matchfield status <RESearchPattern>)|
+        (matchfield summary <RESearchPattern>)|
+        (matchfield transparency <RESearchPattern>)|
+        (matchfield visibility <RESearchPattern>)

 <EventIDEntity> ::=
        (id|eventid <EventId>) |
@@ -264,6 +273,7 @@ Client access works when accessing Resource calendars.
        (range <Date> <Date>)|
        (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
        (reminder <Number> email|popup)|
+        (resource <ResourceID>)|
        (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
        (sequence <Integer>)|
        (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -294,9 +304,11 @@ The following attributes are equivalent:
        clearattendees|
        clearhangoutsmeet|
        (clearprivateproperty <PropertyKey>)|
+        clearresources|
        (clearsharedproperty <PropertyKey>)|
        (removeattendee <EmailAddress>)|
-        (replacedescription <RegularExpression> <String>)|
+        (removeresource <ResourceID>)|
+        (replacedescription <REMatchPattern> <RESubstitution>)|
        (selectremoveattendees <UserTypeEntity>)

 <EventNotificationAttribute> ::=
@@ -370,26 +382,26 @@ GAM processes `<EventMatchProperty>*`; you may specify none or multiple properti
 * `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
    in `<DomainNameList>` if the events use resources.
-* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
+* `matchfield attendeespattern <RESearchPattern>` - Some attendee's email address must match `<RESearchPattern>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
    * `<AttendeeAttendance>` - Default is `required`
    * `<AttendanceStatus>` - Default is`needsaction`
-* `matchfield creatoremail <RegularExpression>` - The creator email address must match `<RegularExpression>`
-* `matchfield creatorname <RegularExpression>` - The creator name must match `<RegularExpression>`
-* `matchfield description <RegularExpression>` - The description (summary) must match `<RegularExpression>`
-* `matchfield location <RegularExpression>` - The location must match `<RegularExpression>`
-* `matchfield organizeremail <RegularExpression>` - The organizer email address must match `<RegularExpression>`
-* `matchfield organizername <RegularExpression>` - The orgainzer name must match `<RegularExpression>`
-* `matchfield status <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
+* `matchfield creatoremail <RESearchPattern>` - The creator email address must match `<RESearchPattern>`
+* `matchfield creatorname <RESearchPattern>` - The creator name must match `<RESearchPattern>`
+* `matchfield description <RESearchPattern>` - The description (summary) must match `<RESearchPattern>`
+* `matchfield location <RESearchPattern>` - The location must match `<RESearchPattern>`
+* `matchfield organizeremail <RESearchPattern>` - The organizer email address must match `<RESearchPattern>`
+* `matchfield organizername <RESearchPattern>` - The orgainzer name must match `<RESearchPattern>`
+* `matchfield status <RESearchPattern>` - The summary must match `<RESearchPattern>`. The API documented values are:
    * `confirmed`
    * `tentative`
    * `cancelled`
-* `matchfield summary <RegularExpression>` - The summary must match `<RegularExpression>`
-* `matchfield transparency <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
+* `matchfield summary <RESearchPattern>` - The summary must match `<RESearchPattern>`
+* `matchfield transparency <RESearchPattern>` - The summary must match `<RESearchPattern>`. The API documented values are:
    * `opaque` - Busy. The API does not seem to return this value; use `"(^$)|opaque"` to match no value or `opaque`.
    * `transparent` -  Free/Available
-* `matchfield visibility <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
+* `matchfield visibility <RESearchPattern>` - The summary must match `<RESearchPattern>`. The API documented values are:
    * `default` - The API does not seem to return this value; use `"(^$)|default"` to match no value or `default`.
    * `public` - The API does not seem to return this value if it is the default; use `"(^$)|public"` to match no value or `public`.
    * `private` - The API does not seem to return this value if it is the default; use `"(^$)|private"` to match no value or `private`.
@@ -428,6 +440,7 @@ You can specify attendees in the following ways:
 * `selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>` - Multiple attendees
  * If `<AttendeeAttendance>` is not specified, all attendees are required to attend
  * If `<AttendeeStatus>` is not specified, `needsaction` is chosen
+* `resource <ResourceID>` - Add a resource attendee to the event

 To add an attendee to a single recurring calendar event, you need to specify the ID of that specific event. 
 ```
@@ -452,16 +465,13 @@ You can clear/modify existing attributes:
 * `clearhangoutsmeet` - Clear Hangouts/Meet link
 * `clearprivateproperty <PropertyKey>` - Clear private properties
 * `clearsharedproperty <PropertyKey>` - Clear shared properties
-* `replacedescription <RegularExpression> <String>` - Modify the description
+* `replacedescription <REMatchPattern> <RESubstitution>` - Modify the description

 ## Update calendar attendees
-The default behavior of `gam calendar <CalendarEntity> update events` has been changed regarding attendees.
-In versions of GAM before `5.02.00`, updating attendees in calendar events was complicated because you had to
-supply the complete attendee list even if you just wanted incremental changes.
-The default behavior now is to allow incremental changes to the attendees list;
+The default behavior is to allow incremental changes to the attendees list;
 the current attendee list is downloaded and the specified changes are applied.

-The `replacemode` option invokes the previous behavior from versions before `5.02.00`; the current attendee list is replaced.
+The `replacemode` option causes the current attendee list to be replaced with the specified changes.

 You can add attendees in the following ways:
 * `attendee <EmailAddress>` - The attendee attendance is required with status `needsaction'
@@ -474,11 +484,14 @@ You can add attendees in the following ways:
 * `selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>` - Multiple attendees
  * If `<AttendeeAttendance>` is not specified, all attendees are required to attend
  * If `<AttendeeStatus>` is not specified, `needsaction` is chosen
+* `resource <ResourceID>` - Add a resource attendee to the event

 You can remove attendees in the following ways:
 * `clearattendees` - Clear all current attendees from the attendee list
 * `removeattendee <EmailAddress>` - Remove a single attendee from the attendee list
 * `selectremoveattendees <UserTypeEntity>` - Remove a selected collection of attendees from the attendee list
+* `clearresources` - Clear all resource attendees from the event
+* `removeresource <ResourceID>` - Remove a resource attendee from the event

 For `<UserTypeEntity>` See: [Collections of Users](Collections-of-Users)

@@ -523,7 +536,7 @@ No events are deleted unless you specify the `doit` option; omit `doit` to verif

 ## Move calendar events to another calendar
 Generally you won't move all events from one calendar to another; typically, you'll move events created by the event creator
-using `matchfield creatoremail <RegularExpression>` in conjunction with other `<EventSelectProperty>` and `<EventMatchProperty>` options.
+using `matchfield creatoremail <RESearchPattern>` in conjunction with other `<EventSelectProperty>` and `<EventMatchProperty>` options.
 ```
 gam calendar <CalendarEntity> move event [<EventEntity>] destination|to <CalendarItem> [<EventNotificationAttribute>]
 ```
@@ -554,7 +567,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam calendar <CalendarEntity> show events [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly] [formatjson]
+        [countsly] [formatjson]
 ```
 In `<EventEntity>`, any `<EventSelectProperty>` options must precede all other options.

@@ -572,8 +585,9 @@ By default, Gam displays event details, use `countsonly` to display only the num

 ```
 gam calendar <CalendarEntity> print events [<EventEntity>] <EventDisplayProperty>*
-         [fields <EventFieldNameList>] [showdayofweek]
-         [countsonly] [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
+        [fields <EventFieldNameList>] [showdayofweek]
+        [countsonly [eventrowfilter]]
+        [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
 ```
 In `<EventEntity>`, any `<EventSelectProperty>` options must precede all other options.

@@ -589,12 +603,28 @@ By default, Gam displays the information as columns of fields; the following opt

 By default, Gam displays event details, use `countsonly` to display only the number of events. `formatjson` does not apply in this case.

+When `countsonly` is specified, the `eventrowfilter` option causes
+GAM to apply `config csv_output_row_filter` to the event details rather than the event counts.
+This will be useful when `<EventSelectProperty>` and `<EventMatchProperty>` do not have the
+capabilty to select the events of interest; e.g., you want to filter based on the event `created` property.
+
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

+### Special character processing
+When outputting events with `formatjson` with the goal of adding the events to another calendar,
+use these options at the beginning of the command:
+```config csv_output_convert_cr_nl false csv_output_no_escape_char true```
+
+On the subsequent command to add the events, use this option at the beginning of the command:
+```config csv_input_no_escape_char true```
+
+These options ensure that newline `\n`, double quote `"`, single quote `'` and backslash `\` are
+properly processed.
+
 ### Old format commands
 These commands are backwards compatible with Legacy GAM.
 ```
@@ -603,6 +633,8 @@ gam calendar <CalendarEntity> deleteevent (id|eventid <EventID>)+ [doit] [<Event
 gam calendar <CalendarEntity> moveevent (id|eventid <EventID>)+ destination <CalendarItem> [<EventNotificationAttribute>]
 gam calendar <CalendarEntity> updateevent <EventID> <EventAttribute>+ [<EventNotificationAttribute>]
 gam calendar <CalendarEntity> wipe
-gam calendar <CalendarEntity> printevents <EventSelectProperty>* <EventDisplayProperty>* [fields <EventFieldNameList>]
-         [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
+gam calendar <CalendarEntity> printevents <EventSelectProperty>* <EventDisplayProperty>*
+        [fields <EventFieldNameList>]
+        [countsonly [eventrowfilter]]
+        [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
 ```
--- a/wiki/Calendars.md
+++ b/wiki/Calendars.md
@@ -14,7 +14,7 @@ In general, you should use the following commands to manage user's calendars.
 Client access works when accessing Resource calendars.

 ## API documentation
-* https://developers.google.com/google-apps/calendar/v3/reference/calendars
+* [Calendar API - Calendars](https://developers.google.com/google-apps/calendar/v3/reference/calendars)

 ## Definitions
 ```
--- a/wiki/Chat-Bot.md
+++ b/wiki/Chat-Bot.md
@@ -1,9 +1,8 @@
-!# Chat Bot
-
- [Notes](#notes)
+# Chat Bot
+- [Introduction](#introduction)
+- [Set up a Chat Bot](#set-up-a-chat-bot)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
- [Set up a Chat Bot](#set-up-a-chat-bot)
 - [Display Rooms and Chats to which your Bot belongs](#display-rooms-and-chats-to-which-your-bot-belongs)
 - [Display Members of a Room or Chat](#display-members-of-a-room-or-chat)
 - [Create a Chat Message](#create-a-chat-message)
@@ -11,8 +10,42 @@
 - [Delete a Chat Message](#delete-a-chat-message)
 - [Display a Chat Message](#display-a-chat-message)

-## Notes
-This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks for his efforts.
+## Introduction
+To use these commands you must update your service account authorization.
+```
+gam user user@domain.com update serviceaccount
+
+[*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Memberships Admin (supports readonly)
+[*]  6)  Chat API - Messages (supports readonly)
+[*]  7)  Chat API - Spaces (supports readonly)
+[*]  8)  Chat API - Spaces Admin (supports readonly)
+[*]  9)  Chat API - Spaces Delete
+[*] 10)  Chat API - Spaces Delete Admin
+```
+
+Added `use_chat_admin_access` Boolean variable to `gam.cfg`. 
+```
+* When False, GAM uses user access when making all Chat API calls. For calls that support admin access,
+    this can be overridden with the asadmin command line option.
+* When True, GAM uses admin access for Chat API calls that support admin access; other calls will use user access.
+* Default: False
+```
+
+Google requires that you have a Chat Bot configured in order to use the Chat API; set up a Chat Bot as described in the next section.
+
+## Set up a Chat Bot
+GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or direct messages to users.
+
+Even if you're not going to use GAM as a Chat Bot, you have to configure a Chat Bot as it is required by the Chat API in [Users - Chat](Users-Chat).
+
+* Run the command `gam setup chat`; it will point you to a URL to configure your Chat Bot.
+* Enter an App name and Description of your choosing.
+* For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
+* In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
+* In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the Topic Name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
+* In Visibility, uncheck "Make this Chat app available to specific people and groups in Domain Workspace".
+* Click Save.

 ## API documentation
 * https://developers.google.com/chat/concepts
@@ -106,19 +139,6 @@ This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks fo
 <ChatMessageFieldNameList> ::= "<ChatMessageFieldName>(,<ChatMessageFieldName>)*"
 ```

-## Set up a Chat Bot
-Since GAM 6.04.00, GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or direct messages to users. You first need to configure your Chat Bot.
-
-* Run the command `gam setup chat`; it will point you to a URL to configure your Chat Bot.
-* Enter an App name and Description of your choosing.
-* For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
-* In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
-* In Connection settings, choose "Cloud Pub/Sub" and enter "no-topic" for the topic name. GAM doesn't yet listen to pub/sub so this option is not used.
-* In Visibility, uncheck "Make this Chat app available to specific people and groups in  Domain Workspace".
-* Click Save.
-
----
-
 ## Display Rooms and Chats to which your Bot belongs
 Display the spaces to which your Chat Bot can send messages.
 A space can be a direct message to a user, a chat group or a chat room.
--- a/wiki/Chrome-AUE-Counts.md
+++ b/wiki/Chrome-AUE-Counts.md
@@ -1,14 +1,11 @@
-!# Chrome Auto Update Expiration Counts
-
- [Chrome Auto Update Expiration Counts](#chrome-auto-update-expiration-counts)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome auto update expiration counts](#display-chrome-auto-update-expiration-counts)
+# Chrome Auto Update Expiration Counts
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome auto update expiration counts](#display-chrome-auto-update-expiration-counts)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesReachingAutoExpirationDate
+* [Chrome Management API - Count Devices Reaching AUE](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesReachingAutoExpirationDate)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Browser-Cloud-Management.md
+++ b/wiki/Chrome-Browser-Cloud-Management.md
@@ -1,27 +1,25 @@
 # Chrome Browser Cloud Management
-
- [Chrome Browser Cloud Management](#chrome-browser-cloud-management)
-  - [API documentation](#api-documentation)
-  - [Query documentation](#query-documentation)
-  - [Definitions](#definitions)
-  - [Manage Chrome browsers](#manage-chrome-browsers)
-    - [Update Chrome browsers](#update-chrome-browsers)
-      - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
-    - [Move Chrome browsers from one OU to another](#move-chrome-browsers-from-one-ou-to-another)
-    - [Delete Chrome browsers](#delete-chrome-browsers)
-  - [Display Chrome browsers](#display-chrome-browsers)
-    - [Examples](#examples)
-  - [Browser Query Searchable Fields](#browser-query-searchable-fields)
-  - [Manage Chrome browser enrollment tokens](#manage-chrome-browser-enrollment-tokens)
-  - [Display Chrome browser enrollment tokens](#display-chrome-browser-enrollment-tokens)
+- [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
+- [Definitions](#definitions)
+- [Raw Fields](#raw-fields)
+- [Manage Chrome browsers](#manage-chrome-browsers)
+  - [Update Chrome browsers](#update-chrome-browsers)
+    - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
+  - [Move Chrome browsers from one OU to another](#move-chrome-browsers-from-one-ou-to-another)
+  - [Delete Chrome browsers](#delete-chrome-browsers)
+- [Display Chrome browsers](#display-chrome-browsers)
+  - [Examples](#examples)
+- [Browser Query Searchable Fields](#browser-query-searchable-fields)
+- [Manage Chrome browser enrollment tokens](#manage-chrome-browser-enrollment-tokens)
+- [Display Chrome browser enrollment tokens](#display-chrome-browser-enrollment-tokens)

 ## API documentation
-
-* https://support.google.com/chrome/a/answer/9681204
-* https://support.google.com/chrome/a/answer/9949706
+* [Chrome Enterprise Core API](https://support.google.com/chrome/a/answer/9681204)
+* [Chrome Browser Enrollment Token API](https://support.google.com/chrome/a/answer/9949706)

 ## Query documentation
-* https://support.google.com/chrome/a/answer/9681204#retrieve_all_chrome_devices_for_an_account
+* [Search Chrome Browser Devices](https://support.google.com/chrome/a/answer/9681204#retrieve_all_chrome_devices_for_an_account)

 ## Definitions
 * [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
@@ -114,6 +112,74 @@
        tokenpermanentid
 <BrowserTokenFieldNameList> ::= "<BrowseTokenFieldName>(,<BrowserTokenFieldName>)*"
 ```
+## Raw Fields
+
+This is the list of Browser fields showing their subfields.
+You enter `rawfields` like this: the field names must be entered exactly as shown.
+```
+rawfields "deviceId,browsers(profiles(id,name,extensions(appType,name))),lastDeviceUsers(userName),osPlatform,osVersion"
+```
+```
+annotatedAssetId
+annotatedLocation
+annotatedNotes
+annotatedUser
+deviceId
+browserVersions
+browsers
+  browserVersion
+  channel
+  executablePath
+  lastStatusReportTime
+  pendingInstallVersion
+  profiles
+    id
+    chromeSignedInUserEmail
+    lastPolicyFetchTime
+    lastStatusReportTime
+    name
+    extensions
+      appType
+      description
+      extensionId
+      homepageUrl
+      installType
+      manifestVersion
+      name
+      permissions
+      version
+deviceIdentifiersHistory
+  records
+    firstRecordTime
+    identifiers
+      machineName
+    lastActivityTime
+extensionCount
+lastActivityTime
+lastDeviceUser
+lastDeviceUsers
+  lastStatusReportTime
+  userName
+lastPolicyFetchTime
+lastRegistrationTime
+lastStatusReportTime
+machineName
+machinePolicies
+  error
+  name
+  source
+  value
+orgUnitPath
+osArchitecture
+osPlatform
+osPlatformVersion
+osVersion
+policyCount
+safeBrowsingClickThroughCount
+serialNumber
+virtualDeviceId
+```
+
 ## Manage Chrome browsers
 ## Update Chrome browsers
 There are four attributes that can be set for a browser.
@@ -163,7 +229,9 @@ gam delete browser <BrowserDeviceEntity>
 ## Display Chrome browsers
 ```
 gam info browser <BrowserEntity>
-        [basic|full|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [formatjson]
 ```
 Select the fields to be displayed:
@@ -171,6 +239,7 @@ Select the fields to be displayed:
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePolicies; this is the default
 * `allfields/full` - Display all fields
 * `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+* `rawfields "<BrowserFieldNameList>"` - Display a selected list of fields

 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -180,7 +249,9 @@ gam show browsers
        ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
        [querytime<String> <Time>]
        [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [formatjson]
 ```

@@ -195,6 +266,7 @@ Select the fields to be displayed:
 * `allfields/full` - Display all fields
 * `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
+* `rawfields "<BrowserFieldNameList>"` - Display a selected list of fields

 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -208,7 +280,9 @@ gam print browsers [todrive <ToDriveAttribute>*]
        ([ou|org|orgunit|browserou <OrgUnitPath>] [(query <QueryBrowser>)|(queries <QueryBrowserList>))|(select <BrowserEntity>))
        [querytime<String> <Time>]
        [orderby <BrowserOrderByFieldName> [ascending|descending]]
-        [basic|full|allfields|annotated] <BrowserFieldName>* [fields <BrowserFieldNameList>]
+        (basic|full|annotated | 
+         (<BrowserFieldName>* [fields <BrowserFieldNameList>]) |
+         (rawfields "<BrowserFieldNameList>"))
        [sortheaders] [formatjson [quotechar <Character>]]
 ```

@@ -235,6 +309,7 @@ Select the fields to be displayed:
 * `allfields/full` - Display all fields
 * `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
+* `rawfields "<BrowserFieldNameList>"` - Display a selected list of fields

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
--- a/wiki/Chrome-Installed-Apps.md
+++ b/wiki/Chrome-Installed-Apps.md
@@ -1,5 +1,4 @@
-!# Chrome Installed Apps Counts
-
+# Chrome Installed Apps Counts
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
@@ -8,9 +7,8 @@
 - [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countInstalledApps
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/findInstalledAppDevices
+* [Chrome Management API - Count Installed Apps](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countInstalledApps)
+* [Chrome Management API - Find Installed App Devices](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/findInstalledAppDevices)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Needs-Attention-Counts.md
+++ b/wiki/Chrome-Needs-Attention-Counts.md
@@ -1,14 +1,11 @@
-!# Chrome Device Needs Attention Counts
-
- [Chrome Device Needs Attention Counts](#chrome-device-needs-attention-counts)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome Device needs attention counts](#display-chrome-device-needs-attention-counts)
+# Chrome Device Needs Attention Counts
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome Device needs attention counts](#display-chrome-device-needs-attention-counts)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesThatNeedAttention
+* [Chrome Management API - Count Devices that Need Attention](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeDevicesThatNeedAttention)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Policies.md
+++ b/wiki/Chrome-Policies.md
--- a/wiki/Chrome-Printers.md
+++ b/wiki/Chrome-Printers.md
@@ -1,4 +1,4 @@
-!# Chrome Printers
+# Chrome Printers
 - [API documentation](#api-documentation)
 - [Notes](#notes)
 - [Definitions](#definitions)
@@ -9,7 +9,7 @@
 - [Bulk printer updates](#bulk-printer-updates)

 ## API documentation
-* https://developers.google.com/admin-sdk/chrome-printer/reference/rest
+* [Chrome Printer Management API](https://developers.google.com/admin-sdk/chrome-printer/reference/rest)

 ## Notes
 To use these features you must authorize the appropriate scope: `Directory API - Printers (supports readonly)`.
@@ -79,7 +79,7 @@ gam oauth create
                 (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
                [warnifnodata] [columndelimiter <Character>] [quotechar <Character>]
                [endcsv|(fields <FieldNameList>)]
-                (matchfield|skipfield <FieldName> <RegularExpression>)*
+                (matchfield|skipfield <FieldName> <RESearchPattern>)*
                [delimiter <Character>]

 ```
--- a/wiki/Chrome-Profile-Management.md
+++ b/wiki/Chrome-Profile-Management.md
@@ -0,0 +1,195 @@
+# Chrome Profile Management
+- [API documentation](#api-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Delete Chrome profiles](#delete-chrome-profiles)
+- [Display Chrome profiles](#display-chrome-profiles)
+- [Profile Query Searchable Fields](#profile-query-searchable-fields)
+
+## Introduction
+These features were added in version 7.01.00.
+
+To use these commands you must update your client authorization.
+```
+gam oauth create
+
+[*]  3)  Chrome Management API - Profiles (supports readonly)
+```
+
+You must enable managed profile reporting, see: https://support.google.com/chrome/a/answer/9301421
+Follow instructions at: Turn on managed profile reporting
+
+## API documentation
+* [Chrome Management API - Profiles](https://developers.google.com/chrome/management/reference/rest/v1/customers.profiles)
+* [Turn on Chrome Browser and Profile Reporting](https://support.google.com/chrome/a/answer/9301421)
+
+## Definitions
+```
+<CustomerID> ::= <String>
+<ChromeProfilePermanentID> ::= <String>
+<ChromeProfileName> ::= customers/<CustomerID>/profiles/<ChromeProfilePermanentID>
+
+<ChromeProfileFieldName> ::=
+        affiliationstate|
+        annotatedlocation|
+        annotateduser|
+        attestationcredential|
+        profilechannel|
+        profileversion|
+        deviceinfo|
+        displayname|
+        extensioncount|
+        firstenrollmenttime|
+        identityprovider|
+        lastactivitytime|
+        lastpolicyfetchtime|
+        lastpolicysynctime|
+        laststatusreporttime|
+        name|
+        osplatformtype|
+        osplatformversion|
+        osversion|
+        policycount|
+        profileid|
+        profilepermanentid|
+        reportingdata|
+        useremail|
+        userid
+<ChromeProfileFieldNameList> ::= "<ChromeProfileFieldName>(,<ChromeProfileFieldName>)*"
+
+<ChromeProfileOrderByFieldName> ::=
+        affiliationstate|
+        profilechannel|
+        profileversion|
+        displayname|
+        extensioncount|
+        firstenrollmenttime|
+        identityprovider|
+        lastactivitytime|
+        lastpolicysynctime|
+        laststatusreporttime|
+        osplatformtype|
+        osversion|
+        policycount|
+        profileid|
+        useremail
+```
+## Delete Chrome profiles
+```
+gam delete chromeprofile <ChromeProfileName>
+```
+
+## Display Chrome profiles
+```
+gam info chromeprofile <ChromeProfileName>
+        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
+        [formatjson]
+```
+Select the fields to be displayed:
+* `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields
+
+By default, Gam displays the information as an indented list of keys and values:
+- `formatjson` - Display the fields in JSON format.
+
+```
+gam show chromeprofiles
+        [filtertime.* <Time>] [filter <String>]
+        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
+        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
+        [formatjson]
+```
+
+Use these options to select Chrome profiles; if none are chosen, all Chrome profiles in the account are selected:
+* `filter <String>` - Limit profiles to those that match a query
+
+Select the fields to be displayed:
+* `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields
+
+Use the `filtertime<String> <Time>` option to allow times, usually relative, to be substituted into the `filter <String>` option.
+The `filtertime<String> <Time>` value replaces the string `#fiktertime<String>#` in the `filter <String>`.
+The characters following `filtertime` can be any combination of lowercase letters and numbers.
+
+By default, Gam displays the information as an indented list of keys and values:
+- `formatjson` - Display the fields in JSON format.
+
+```
+gam print chromeprofiles [todrive <ToDriveAttribute>*]
+        [filtertime.* <Time>] [filter <String>]
+        [orderby <ChromeProfileOrderByFieldName> [ascending|descending]]
+        <ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]
+        [[formatjson [quotechar <Character>]]
+```
+
+Use these options to select Chrome profiles; if none are chosen, all Chrome profiles in the account are selected:
+* `filter <String>` - Limit profiles to those that match a query
+
+The first two columns will always `name,profileId`; the remaining field names will be sorted if `sortheaders` is specified;
+otherwise, the remaining field names will appear in the order specified.
+
+Select the fields to be displayed:
+* `<ChromeProfileFieldName>* [fields <ChromeProfileFieldNameList>]` - Display a selected list of fields
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+## Profile Query Searchable Fields
+
+These are the fields that can be used in a filter:
+```
+affiliationState
+browserChannel
+browserVersion
+displayName
+extensionCount
+firstEnrollmentTime
+identityProvider
+lastActivityTime
+lastPolicySyncTime
+lastStatusReportTime
+osPlatformType
+osVersion
+ouId
+policyCount
+profileId
+userEmail
+```
+Any of the above fields can be used to specify a filter, and filtering by multiple fields is supported with AND operator.
+String type fields and enum type fields support '=' and '!=' operators. Wildcard '*' can be used with a string type field filter.
+The integer type and the timestamp type fields support '=', '!=', '<', '>', '<=' and '>=' operators.
+Timestamps expect an RFC-3339 formatted string (e.g. 2012-04-21T11:30:00-04:00).
+In addition, string literal filtering is also supported, for example, 'ABC' as a filter maps to a filter that checks if any of the filterable string type fields contains 'ABC'.
+
+Organization unit number can be used as a filtering criteria here by specifying 'ouId = <String>', please note that only single OU ID matching is supported.
+
+### Examples
+
+For Windows PowerShell, replace `\"` with ``` `" ```.
+
+Print information about Chrome profiles synced more than 30 days ago:
+
+```
+gam print chromeprofiles filter "lastPolicySyncTime < \"#filtertime1#\"" filtertime1 -30d
+```
+
+Print information about Chrome profiles synced in the last 30 days:
+
+```
+gam print chromeprofiles filter "lastPolicySyncTime >= \"#filtertime1#\"" filtertime1 -30d
+```
+
+Print information about Chrome profiles synced between 45 days ago and 30 days ago:
+
+```
+gam print chromeprofiles filter "lastPolicySyncTime >= \"#filtertime1#\" lastPolicySyncTime <= \"#filtertime2#\"" filtertime1 -45d filtertime2 -30d
+```
+
+Print information about Chrome profiles on Windows.
+```
+gam print chromeprofiles filter "osPlatformType=WINDOWS"
+```
--- a/wiki/Chrome-Version-Counts.md
+++ b/wiki/Chrome-Version-Counts.md
@@ -1,14 +1,11 @@
-!# Chrome Version Counts
-
- [Chrome Version Counts](#chrome-version-counts)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome version counts](#display-chrome-version-counts)
+# Chrome Version Counts
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome version counts](#display-chrome-version-counts)

 ## API documentation
-
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeVersions
+* [Chrome Management API - Count Chrome Versions](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countChromeVersions)

 ## Notes
 To use these features you must add the `Chrome Management API` to your project and authorize
--- a/wiki/Chrome-Version-History.md
+++ b/wiki/Chrome-Version-History.md
@@ -1,18 +1,15 @@
-!# Chrome Version History
-
- [Chrome Version History](#chrome-version-history)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Display Chrome platforms](#display-chrome-platforms)
-  - [Display Chrome channels](#display-chrome-channels)
-  - [Display Chrome versions](#display-chrome-versions)
-  - [Display Chrome releases](#display-chrome-releases)
+# Chrome Version History
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Display Chrome platforms](#display-chrome-platforms)
+- [Display Chrome channels](#display-chrome-channels)
+- [Display Chrome versions](#display-chrome-versions)
+- [Display Chrome releases](#display-chrome-releases)

 ## API documentation
-
-* https://developer.chrome.com/docs/versionhistory/guide/
-* https://developer.chrome.com/docs/versionhistory/reference/#filter
-* https://developer.chrome.com/docs/versionhistory/reference/#order
+* [Version History API](https://developer.chrome.com/docs/versionhistory/guide)
+* [Version Filter](https://developer.chrome.com/docs/versionhistory/reference/#filter)
+* [Version Orderby](https://developer.chrome.com/docs/versionhistory/reference/#order)

 ## Definitions
 ```
--- a/wiki/ChromeOS-Devices.md
+++ b/wiki/ChromeOS-Devices.md
@@ -1,45 +1,42 @@
 # ChromeOS Devices
-
- [ChromeOS Devices](#chromeos-devices)
-  - [API documentation](#api-documentation)
-  - [Query documentation](#query-documentation)
-  - [Notes](#notes)
-  - [Definitions](#definitions)
-  - [CrOS Query Searchable Fields](#cros-query-searchable-fields)
-  - [ChromeOS device update OU error handling](#chromeos-device-update-ou-error-handling)
-  - [Manage ChromeOS devices](#manage-chromeos-devices)
-    - [Example: Move CrOS devices from one OU to another](#example-move-cros-devices-from-one-ou-to-another)
-    - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
-  - [Add ChromeOS devices to an organizational unit](#add-chromeos-devices-to-an-organizational-unit)
-    - [Example: Add ChromeOS devices to a single OU](#example-add-chromeos-devices-to-a-single-ou)
-    - [Example: Add ChromeOS devices to multiple OUs](#example-add-chromeos-devices-to-multiple-ous)
-  - [Action ChromeOS devices](#action-chromeos-devices)
-  - [Send remote commands to ChromeOS devices](#send-remote-commands-to-chromeos-devices)
-    - [Action Examples](#action-examples)
-  - [ChromeOS device lists](#chromeos-device-lists)
-  - [Display information about ChromeOS devices](#display-information-about-chromeos-devices)
-  - [Print ChromeOS devices](#print-chromeos-devices)
-    - [Print no header row and deviceId for specified CrOS devices](#print-no-header-row-and-deviceid-for-specified-cros-devices)
-    - [Print a header row and fields for selected CrOS devices](#print-a-header-row-and-fields-for-selected-cros-devices)
-    - [Print a header row and fields for specified CrOS devices](#print-a-header-row-and-fields-for-specified-cros-devices)
-    - [Display Examples](#display-examples)
-    - [Display CrOS device counts](#display-cros-device-counts)
-  - [Print ChromeOS device activity](#print-chromeos-device-activity)
-    - [Print a header row and activity for selected CrOS devices](#print-a-header-row-and-activity-for-selected-cros-devices)
-    - [Print a header row and activity for specified CrOS devices](#print-a-header-row-and-activity-for-specified-cros-devices)
-  - [Download a ChromeOS device file](#download-a-chromeos-device-file)
-    - [Download Examples](#download-examples)
-  - [Display ChromeOS telemetry data](#display-chromeos-telemetry-data)
-  - [Check ChromeOS device serial number validity](#check-chromeos-device-serial-number-validity)
+- [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
+- [Notes](#notes)
+- [Definitions](#definitions)
+- [CrOS Query Searchable Fields](#cros-query-searchable-fields)
+- [ChromeOS device update OU error handling](#chromeos-device-update-ou-error-handling)
+- [Manage ChromeOS devices](#manage-chromeos-devices)
+  - [Example: Move CrOS devices from one OU to another](#example-move-cros-devices-from-one-ou-to-another)
+  - [Example: Add a new note to existing notes](#example-add-a-new-note-to-existing-notes)
+- [Add ChromeOS devices to an organizational unit](#add-chromeos-devices-to-an-organizational-unit)
+  - [Example: Add ChromeOS devices to a single OU](#example-add-chromeos-devices-to-a-single-ou)
+  - [Example: Add ChromeOS devices to multiple OUs](#example-add-chromeos-devices-to-multiple-ous)
+- [Action ChromeOS devices](#action-chromeos-devices)
+- [Send remote commands to ChromeOS devices](#send-remote-commands-to-chromeos-devices)
+  - [Action Examples](#action-examples)
+- [ChromeOS device lists](#chromeos-device-lists)
+- [Display information about ChromeOS devices](#display-information-about-chromeos-devices)
+- [Print ChromeOS devices](#print-chromeos-devices)
+  - [Print no header row and deviceId for specified CrOS devices](#print-no-header-row-and-deviceid-for-specified-cros-devices)
+  - [Print a header row and fields for selected CrOS devices](#print-a-header-row-and-fields-for-selected-cros-devices)
+  - [Print a header row and fields for specified CrOS devices](#print-a-header-row-and-fields-for-specified-cros-devices)
+  - [Display Examples](#display-examples)
+  - [Display CrOS device counts](#display-cros-device-counts)
+- [Print ChromeOS device activity](#print-chromeos-device-activity)
+  - [Print a header row and activity for selected CrOS devices](#print-a-header-row-and-activity-for-selected-cros-devices)
+  - [Print a header row and activity for specified CrOS devices](#print-a-header-row-and-activity-for-specified-cros-devices)
+- [Download a ChromeOS device file](#download-a-chromeos-device-file)
+  - [Download Examples](#download-examples)
+- [Display ChromeOS telemetry data](#display-chromeos-telemetry-data)
+- [Check ChromeOS device serial number validity](#check-chromeos-device-serial-number-validity)

 ## API documentation
-
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/chromeosdevices
-* https://developers.google.com/chrome/management/reference/rest/v1/customers.telemetry.devices
+* [Directory API ChromeOS Devices](https://developers.google.com/admin-sdk/directory/reference/rest/v1/chromeosdevices)
+* [Chrome Management API - Device Telemetry](https://developers.google.com/chrome/management/reference/rest/v1/customers.telemetry.devices)

 ## Query documentation
-* https://developers.google.com/admin-sdk/directory/v1/list-query-operators
-* https://support.google.com/chrome/a/answer/1698333
+* [Search ChromeOS Devices](https://developers.google.com/admin-sdk/directory/v1/list-query-operators)
+* [View ChromeOS Device List and Details](https://support.google.com/chrome/a/answer/1698333)

 Undocumented API query terms.
 ```
@@ -58,7 +55,8 @@ update_status:default_os_up_to_date|pending_update|os_image_download_not_started
 ```
 ## Notes

-The `crostelemetry` commands were added in 6.13.04; to use them you must authorize an additional scope:
+To use the `crostelemetry` commands you must authorize an additional scope:
+
 * `Chrome Management API - Telemetry read only`
 ```
 gam oauth create
@@ -108,12 +106,14 @@ The second form is backwards compatible with Legacy GAM and selection with `<CrO
        autoupdatethrough|
        backlightinfo|
        bootmode|
+        chromeostype|
        cpuinfo|
        cpustatusreports|
        deprovisionreason|
        devicefiles|
        deviceid|
        devicelicensetype|
+        diskspaceusage|
        diskvolumereports|
        dockmacaddress|
        ethernetmacaddress|
@@ -121,6 +121,7 @@ The second form is backwards compatible with Legacy GAM and selection with `<CrO
        extendedsupporteligible|
        extendedsupportstart|
        extendedsupportenabled|
+        faninfo|
        firmwareversion|
        firstenrollmenttime|
        lastdeprovisiontimestamp|
@@ -476,7 +477,7 @@ Remove profiles using the annotatedAssetID, which is a user editable field, in t
 ```
 gam cros_query "asset_id:CB1234" issuecommand command wipe_users doit
 ```
-For multiple devices you can sepatete each asset ID with a comma 
+For multiple devices you can separate each asset ID with a comma 
 ```
 gam cros_queries "asset_id:CB1234,asset_id:CB5678" issuecommand command wipe_users doit
 ```
--- a/wiki/Classroom-Courses.md
+++ b/wiki/Classroom-Courses.md
@@ -18,14 +18,14 @@
 - [Display course submissions](#display-course-submissions)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/
-* https://developers.google.com/classroom/reference/rest/v1/courses.students
-* https://developers.google.com/classroom/reference/rest/v1/courses.teachers
-* https://developers.google.com/classroom/reference/rest/v1/courses.announcements/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.topics/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.courseWork/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.courseWorkMaterials/list
-* https://developers.google.com/classroom/reference/rest/v1/courses.courseWork.studentSubmissions/list
+* [Google Classroom API](https://developers.google.com/classroom/reference/rest)
+* [Google Classroom API - Courses Students](https://developers.google.com/classroom/reference/rest/v1/courses.students)
+* [Google Classroom API - Courses Teachers](https://developers.google.com/classroom/reference/rest/v1/courses.teachers)
+* [Google Classroom API - Announcements](https://developers.google.com/classroom/reference/rest/v1/courses.announcements/list)
+* [Google Classroom API - Topics](https://developers.google.com/classroom/reference/rest/v1/courses.topics/list)
+* [Google Classroom API - Course Work](https://developers.google.com/classroom/reference/rest/v1/courses.courseWork/list)
+* [Google Classroom API - Course Work Materials](https://developers.google.com/classroom/reference/rest/v1/courses.courseWorkMaterials/list)
+* [Google Classroom API - Course Work Student Submissions](https://developers.google.com/classroom/reference/rest/v1/courses.courseWork.studentSubmissions/list)

 ## Notes
 In this document, `course materials` refers to stand-alone materials, not the materials associated with
@@ -44,6 +44,12 @@ gam user user@domain.com check|update serviceaccount
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>

+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+
 <CourseAlias> ::= <String>
 <CourseAliasList> ::= "<CourseAlias>(,<CourseAlias>)*"
 <CourseAliasEntity> ::=
@@ -239,24 +245,14 @@ See: [Lists and Collections](Lists-and-Collections)
 When updating a course owner, the Classroom API generates an error if the new owner is not a co-teacher
 or is the current owner.

-Prior to version 5.31.08, if `<UserItem>` was not a co-teacher, you got this error:
-```
-$ gam update course 123929046789 teacher newteacher@domain.com
-Course: 123929046789, Update Failed: @IneligibleOwner Only a co-teacher can be invited as owner of the course
-```
-GAM now adds `<UserItem>` as a co-teacher of the course, pauses 10 seconds, and then updates them to be the owner.
+If `<UserItem>` is not a co-teacher, GAM adds `<UserItem>` as a co-teacher of the course,
+pauses 10 seconds, and then updates them to be the owner.
 ```
 $ gam update course 123929046789 teacher newteacher@domain.com
 Course Name: Test, Course: 123929046789, Updated with new teacher as owner: newteacher@domain.com
 ```

-Prior to version 5.31.08, if `<UserItem>` is the current owner, you got this error:
-```
-$ gam update course 123929046789 teacher newteacher@domain.com
-Course: 123929046789, Update Failed: @UserAlreadyOwner Cannot transfer course to the user who is already the owner
-
-```
-GAM now reports that the current owner was retained.
+If `<UserItem>` is the current owner, GAM now reports that the current owner was retained.
 ```
 $ gam update course 123929046789 teacher newteacher@domain.com
 Course Name: Test, Course: 123929046789, Updated with current owner: newteacher@domain.com
@@ -413,7 +409,7 @@ gam info courses <CourseEntity> [owneremail] [alias|aliases] [show all|students|

 gam print courses [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
-        [owneremail] [owneremailmatchpattern <RegularExpression>]
+        [owneremail] [owneremailmatchpattern <REMatchPattern>]
        [alias|aliases|aliasesincolumns [delimiter <Character>]]
        [show all|students|teachers] [countsonly]
        [fields <CourseFieldNameList>] [skipfields <CourseFieldNameList>] [formatjson [quotechar <Character>]]
@@ -424,7 +420,7 @@ By default, the `print courses` command displays information about all courses.
 To get information about a specific set of courses, use the following option; it can be repeated to select multiple courses.
 * `(course|class <CourseEntity>)*` - Display courses with the IDs specified in `<CourseEntity>`.

-To get information about courses based on its owner's emailaddress, use the `owneremailmatchpattern <RegularExpression>` option.
+To get information about courses based on its owner's emailaddress, use the `owneremailmatchpattern <REMatchPattern>` option.
 * `foo@bar.com` - Display courses with a specific owner emailaddress.
 * `.*test.*` - Display courses with an owner emailaddress that matches a pattern.
 * `Unknown user` - Display courses where the owner emailaddress has been deleted.
@@ -467,7 +463,7 @@ Display the number of courses.
 ```
 gam print courses
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] [states <CourseStateList>])
-        [owneremailmatchpattern <RegularExpression>]
+        [owneremailmatchpattern <REMatchPattern>]
        showitemcountonly
 ```
 Example
--- a/wiki/Classroom-Guardians.md
+++ b/wiki/Classroom-Guardians.md
@@ -10,8 +10,8 @@
 - [Display guardians, CSV format](#display-guardians-csv-format)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardianInvitations
-* https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardians
+* [Classroom API - User Profile Guardian Invitations](https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardianInvitations)
+* [Classroom API - User Profile Guardians](https://developers.google.com/classroom/reference/rest/v1/userProfiles.guardians)

 ## Definitions
 ```
--- a/wiki/Classroom-Invitations.md
+++ b/wiki/Classroom-Invitations.md
@@ -10,18 +10,18 @@
 - [Display classroom invitations by course](#display-classroom-invitations-by-course)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/v1/invitations
+* [Classroom API - Invitations](https://developers.google.com/classroom/reference/rest/v1/invitations)

 ## Notes

 You must authorize an additional Service Account scope to use these commands.
 Do this command; sustitute a valid email address for user@domain.com.
 ```
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
-You should see the following scope fail:
+You should enable:
 ```
-Scope: https://www.googleapis.com/auth/classroom.rosters           , Checked: FAIL (6/15)
+[*] 17)  Classroom API - Rosters (supports readonly)
 ```
 Follow the directions to authorize the Service Account scopes.

--- a/wiki/Classroom-Membership.md
+++ b/wiki/Classroom-Membership.md
@@ -9,9 +9,9 @@
 - [Display course membership counts](#display-course-membership-counts)

 ## API documentation
-* https://developers.google.com/classroom/reference/rest/
-* https://developers.google.com/classroom/reference/rest/v1/courses.students
-* https://developers.google.com/classroom/reference/rest/v1/courses.teachers
+* [Google Classroom API](https://developers.google.com/classroom/reference/rest)
+* [Google Classroom API - Courses Students](https://developers.google.com/classroom/reference/rest/v1/courses.students)
+* [Google Classroom API - Courses Teachers](https://developers.google.com/classroom/reference/rest/v1/courses.teachers)

 ## Definitions
 ```
--- a/wiki/Cloud-Channel.md
+++ b/wiki/Cloud-Channel.md
@@ -1,4 +1,4 @@
-!# Cloud Channel
+# Cloud Channel
 - [API documentation](#api-documentation)
 - [Notes](#notes)
 - [Definitions](#definitions)
@@ -9,8 +9,8 @@
 - [Display Channel SKUs](#display-channel-skus)

 ## API documentation
-* https://cloud.google.com/channel/docs/reference/rest
-* https://cloud.google.com/channel/docs/concepts/google-cloud/filter-customers
+* [Cloud Channel API](https://cloud.google.com/channel/docs/reference/rest)
+* [Filter Customers](https://cloud.google.com/channel/docs/concepts/google-cloud/filter-customers)

 ## Notes
 To use these commands you must add the 'Cloud Channel API' to your project and update your client authorization.
--- a/wiki/Cloud-Identity-Devices.md
+++ b/wiki/Cloud-Identity-Devices.md
@@ -1,4 +1,5 @@
-!# Cloud Identity Devices
+# Cloud Identity Devices
+- [Notes](#notes)
 - [API documentation](#api-documentation)
 - [Query documentation](#query-documentation)
 - [Definitions](#definitions)
@@ -20,15 +21,24 @@
 - [Display device user client state](#display-device-user-client-state)
 - [Update device user client state](#update-device-user-client-state)

+## Notes
+These commands use service account access with `admin_email` (if defined) from `gam.cfg` or
+the admin from `oauth2.txt` (specified in `gam oauth create`).
+
+Use `gam user user@domain.com update serviceaccount` and make sure that the following is specified:
+```
+[*] 17)  Cloud Identity Devices API (supports readonly)
+```
+
 ## API documentation
-* https://cloud.google.com/identity/docs/reference/rest/v1/devices
-* https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers
-* https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers.clientStates
-* https://cloud.google.com/endpoint-verification/docs/overview
+* [Cloud Identity API - Devices](https://cloud.google.com/identity/docs/reference/rest/v1/devices)
+* [Cloud Identity API - Device Users](https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers)
+* [Cloud Identity API - Device User Client States](https://cloud.google.com/identity/docs/reference/rest/v1/devices.deviceUsers.clientStates)
+* [Endpoint Verification](https://cloud.google.com/endpoint-verification/docs/overview)

 ## Query documentation
-* https://developers.google.com/admin-sdk/directory/v1/search-operators
-* https://support.google.com/a/answer/7549103
+* [Filters](https://support.google.com/a/answer/7549103)
+* [Device Search Fields](https://developers.google.com/admin-sdk/directory/v1/search-operators)

 ## Definitions
 ```
@@ -57,11 +67,13 @@
        buildnumber|
        compromisedstate|
        createtime|
+        deviceid|
        devicetype|
        enableddeveloperoptions|
        enabledusbdebugging|
        endpointverificationspecificattributes|
        encryptionstate|
+        hostname|
        imei|
        kernelversion|
        lastsynctime|
@@ -77,6 +89,7 @@
        releaseversion|
        securitypatchtime|
        serialnumber|
+        unifieddeviceid|
        wifimacaddresses
 <DeviceFieldNameList> ::= "<DeviceFieldName>(,<DeviceFieldName>)*"

@@ -197,7 +210,7 @@ gam print devices [todrive <ToDriveAttribute>*]
        <DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
        [orderby <DeviceOrderByFieldName> [ascending|descending]]
        [all|company|personal|nocompanydevices|nopersonaldevices]
-        [nodeviceusers]
+        [nodeviceusers|oneuserperrow]
        [formatjson [quotechar <Character>]]
 ```
 By default, all devices are displayed; use the query options to limit the display.
@@ -218,6 +231,9 @@ Select the view of devices to display:
 By default, Gam makes additional API calls to display the device users for the devices;
 use `nodeviceuser` to suppress making the additional calls.

+By default, when device users are displayed, they are all displayed on one row;
+use `oneuserperrow` to have each of a device's users displayed on a separate row with all of the other device fields.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

--- a/wiki/Cloud-Identity-Groups-Membership.md
+++ b/wiki/Cloud-Identity-Groups-Membership.md
@@ -1,8 +1,6 @@
 # Cloud Identity Groups - Membership
 - [API documentation](#api-documentation)
 - [Query documentation](#query-documentation)
- [Cloud Identity Group Documentation](#cloud-identity-group-documentation)
- [Security Group Documentation](#security-group-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Notes](#Notes)
@@ -18,18 +16,15 @@
 - [Display group membership in hierarchical format](#display-group-membership-in-hierarchical-format)

 ## API documentation
-* https://cloud.google.com/identity/docs/groups
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships
+* [Cloud Identity Groups Overview](https://cloud.google.com/identity/docs/groups)
+* [Cloud Identity Groups API - Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups)
+* [Cloud Identity Groups API - Membership](https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships)
+* [Cloud Identity Groups](https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html)
+* [Security Groups](https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html)

 ## Query documentation
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
-
-## Cloud Identity Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
-
-## Security Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html
+* [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
+* [Member Restrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)

 ## Notes

@@ -56,6 +51,10 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require

 ## Definitions
 ```
+<DeviceId> ::= <String>
+<CBCMBrowser> ::= id:cbcm-browser.<DeviceId>
+<ChromeOSDevice> ::= id:chrome-os-device.<DeviceId>
+<BrowserDeviceList> ::= "(<CBCMBrowser>|<ChromeOSDevice>)(,(<CBCMBrowser>|<ChromeOSDevice>))*"
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
@@ -66,24 +65,30 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
-<CIGroupType> ::= customer|group|other|serviceaccount|user
-<CIGroupTypeList> ::= "<CIGroupType>(,<CIGroupType>)*"
+<CIGroupMemberType> ::= cbcmbrowser|chromeosdevice|customer|group|other|serviceaccount|user
+<CIGroupMemberTypeList> ::= "<CIGroupMemberType>(,<CIGroupMemberType>)*"

 <CIGroupMembersFieldName> ::=
        createtime
+        email|useremail|
        expiretime|
        memberkey|
        name|
        preferredmemberkey|
        role|
        type|
-        updatetime|
-        useremail
+        updatetime
 <CIGroupMembersFieldNameList> ::= "<CIGroupMembersFieldName>(,<CIGroupMembersFieldName>)*"
+
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
 ```

 ## Collections of Users
-Group membership commands involve specifying collections of users;
+Group membership commands involve specifying collections of users or lists of browsers/devices;
 for `<UserTypeEntity>`, see: [Collections of Users](Collections-of-Users)

 ## Add members to a group
@@ -92,7 +97,7 @@ gam update cigroups <GroupEntity> create|add [<GroupRole>]
        [usersonly|groupsonly]
        [notsuspended|suspended] [notarchived|archived]
        [expire|expires <Time>] [preview] [actioncsv]
-        <UserTypeEntity>
+        <UserTypeEntity>|<BrowserDeviceList>
 ```
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are added
@@ -136,7 +141,7 @@ gam update cigroups <GroupEntity> delete|remove [<GroupRole>]
        [usersonly|groupsonly]
        [notsuspended|suspended] [notarchived|archived]
        [preview] [actioncsv]
-        <UserTypeEntity>
+        <UserTypeEntity>|<BrowserDeviceList>
 ```
 `<GroupRole>` is ignored, deletions take place regardless of role.

@@ -263,7 +268,7 @@ testgroup@domain.com,testuser4@domain.com,MEMBER,Added,Success
 ```
 gam update cigroups <GroupEntity> clear [member] [manager] [owner]
        [usersonly|groupsonly]
-        [emailclearpattern|emailretainpattern <RegularExpression>]
+        [emailclearpattern|emailretainpattern <REMatchPattern>]
        [preview] [actioncsv]
 ```
 If none of `member`, `manager`, or `owner` are specified, `member` is assumed.
@@ -273,8 +278,8 @@ By default, when clearing members from a group, all members, whether users or gr
 * `groupsonly` - Clear only the group members

 Members that have met the above qualifications to be cleared can be further qualifed by their email address.
-* `emailclearpattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be cleared; others will be retained
-* `emailretainpattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be retained; others will be cleared
+* `emailclearpattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be cleared; others will be retained
+* `emailretainpattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be retained; others will be cleared

 If `preview` is specified, the deletes will be previewed but not executed.

@@ -346,13 +351,14 @@ gam info cimember <UserTypeEntity> <GroupEntity>
 ```
 gam print cigroup-members [todrive <ToDriveAttribute>*]
        [(cimember|showownedby <UserItem>)|(cigroup <GroupItem>)|(select <GroupEntity>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
        [roles <GroupRoleList>] [members] [managers] [owners]
-        [types <CIGroupTypeList>]
+        [types <CIGroupMemberTypeList>]
        <CIGroupMembersFieldName>* [fields <CIGroupMembersFieldNameList>]
-        [(recursive [noduplicates])||includederivedmembership] [nogroupeemail]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
+        [minimal|basic|full]
+        [(recursive [noduplicates]) | |includederivedmembership] [nogroupeemail]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
 ```
 By default, the group membership of all groups in the account are displayed, these options allow selection of subsets of groups:
 * `cimember <UserItem>` - Limit display to groups that contain `<UserItem>` as a member
@@ -361,12 +367,12 @@ By default, the group membership of all groups in the account are displayed, the
 * `select <GroupEntity>` - Limit display to the groups specified in `<GroupEntity>`

 These options further limit the list of groups selected above:
-* `emailmatchpattern <RegularExpression>` - Limit display to groups whose email address matches `<RegularExpression>`
-* `emailmatchpattern not <RegularExpression>` - Limit display to groups whose email address does not match `<RegularExpression>`
-* `namematchpattern <RegularExpression>` - Limit display to groups whose name matches `<RegularExpression>`
-* `namematchpattern not <RegularExpression>` - Limit display to groups whose name does not match `<RegularExpression>`
-* `descriptionmatchpattern <RegularExpression>` - Limit display to groups whose description matches `<RegularExpression>`
-* `descriptionmatchpattern not <RegularExpression>` - Limit display to groups whose description does not match `<RegularExpression>`
+* `emailmatchpattern <REMatchPattern>` - Limit display to groups whose email address matches `<REMatchPattern>`
+* `emailmatchpattern not <REMatchPattern>` - Limit display to groups whose email address does not match `<REMatchPattern>`
+* `namematchpattern <REMatchPattern>` - Limit display to groups whose name matches `<REMatchPattern>`
+* `namematchpattern not <REMatchPattern>` - Limit display to groups whose name does not match `<REMatchPattern>`
+* `descriptionmatchpattern <REMatchPattern>` - Limit display to groups whose description matches `<REMatchPattern>`
+* `descriptionmatchpattern not <REMatchPattern>` - Limit display to groups whose description does not match `<REMatchPattern>`

 By default, all members, managers and owners in the group are displayed; these options modify that behavior:
 * `roles <GroupRoleList>` - Display specified roles
@@ -374,26 +380,31 @@ By default, all members, managers and owners in the group are displayed; these o
 * `managers` - Display managers
 * `owners` - Display owners

-By default, all types of members (customer, group, serviceaccoun, user) in the group are displayed; when `recursive` is specified,
-the default is to only display type user members. This option modifies those behaviors:
-* `types <CIGroupTypeList>` - Display specified types
+By default, all types of members (cbcmbrowser, chromeosdevice, customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
+* `types <CIGroupMemberTypeList>` - Display specified types
+
+By default, members that are groups are displayed as a single entry of type GROUP; this option recursively expands group members to display their user members.
+* `recursive` - Recursively expand group members
+
+When `recursive` is specified, the default is to only display type user members; this option modifies those behaviors:
+* `types <GroupMemberTypeList>` - Display specified types

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, the ID, role, email address, type, createTime, updateTime and expireTime of each member is displayed along with the group email address;
 these options specify which fields to display:
 * `<CIGroupMembersFieldName>*` - Individual field names
 * `fields <CIGroupMembersFieldNameList>` - A comma separated list of field names

+You can control the fields displayed:
+* `minimal` - Fields displayed: group, id, role, email
+* `basic` - Fields displayed: group, type, id, role, email, expireTime
+* `full` - Fields displayed: group, type, id, role, email, createTime, updateTime, expireTime; this is the default
+
 By default, the group email address is always shown, you can suppress it with the `nogroupemail` option.

-By default, members that are groups are displayed as a single entry of type GROUP; this option recursively expands group members to display their user members.
-* `recursive` - Recursively expand group members
-
-The `recursive` option does not expand or display members of type CUSTOMER.
-
 The `recursive` option adds two columns, level and subgroup, to the output:
 * `level` - At what level of the expansion does the user appear; level 0 is the top level
 * `subgroup` - The group that contained the user
@@ -421,13 +432,13 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ```
 gam show cigroup-members
        [(cimember|showownedby <UserItem>)|(cigroup <GroupItem>)|(select <GroupEntity>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
-        [roles <GroupRoleList>] [members] [managers] [owners] [depth <Number>]
-        [types <CIGroupTypeList>]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
-        [includederivedmembership]
-        [formatjson [quotechar <Character>]]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
+        [roles <GroupRoleList>] [members] [managers] [owners]
+        [types <CIGroupMemberTypeList>]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
+        [minimal|basic|full]
+        [(depth <Number>) | includederivedmembership]
 ```
 By default, the group membership of all groups in the account are displayed, these options allow selection of subsets of groups:
 * `cimember <UserItem>` - Limit display to groups that contain `<UserItem>` as a member
@@ -436,12 +447,12 @@ By default, the group membership of all groups in the account are displayed, the
 * `select <GroupEntity>` - Limit display to the groups specified in `<GroupEntity>`

 These options further limit the list of groups selected above:
-* `emailmatchpattern <RegularExpression>` - Limit display to groups whose email address matches `<RegularExpression>`
-* `emailmatchpattern not <RegularExpression>` - Limit display to groups whose email address does not match `<RegularExpression>`
-* `namematchpattern <RegularExpression>` - Limit display to groups whose name matches `<RegularExpression>`
-* `namematchpattern not <RegularExpression>` - Limit display to groups whose name does not match `<RegularExpression>`
-* `descriptionmatchpattern <RegularExpression>` - Limit display to groups whose description matches `<RegularExpression>`
-* `descriptionmatchpattern not <RegularExpression>` - Limit display to groups whose description does not match `<RegularExpression>`
+* `emailmatchpattern <REMatchPattern>` - Limit display to groups whose email address matches `<REMatchPattern>`
+* `emailmatchpattern not <REMatchPattern>` - Limit display to groups whose email address does not match `<REMatchPattern>`
+* `namematchpattern <REMatchPattern>` - Limit display to groups whose name matches `<REMatchPattern>`
+* `namematchpattern not <REMatchPattern>` - Limit display to groups whose name does not match `<REMatchPattern>`
+* `descriptionmatchpattern <REMatchPattern>` - Limit display to groups whose description matches `<REMatchPattern>`
+* `descriptionmatchpattern not <REMatchPattern>` - Limit display to groups whose description does not match `<REMatchPattern>`

 By default, all members, managers and owners in the group are displayed; these options modify that behavior:
 * `roles <GroupRoleList>` - Display specified roles
@@ -449,12 +460,12 @@ By default, all members, managers and owners in the group are displayed; these o
 * `managers` - Display managers
 * `owners` - Display owners

-By default, all types of members (customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
-* `types <CIGroupTypeList>` - Display specified types
+By default, all types of members (cbcmbrowser, chromeosdevice, customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
+* `types <CIGroupMemberTypeList>` - Display specified types

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, members of type GROUP are recursively expanded to show their constituent members. (Members of
 type CUSTOMER are not expanded.) The `depth <Number>` argument controls the depth to which nested groups are displayed.
@@ -469,6 +480,11 @@ has in any constituent group, it is not necessarily its role in the top group.
 The options `types user` and `includederivedmembership types user` return the same list of users.
 The `includederivedmembership` option makes less API calls but doesn't show hierarchy.

+You can control the fields displayed:
+* `minimal` - Fields displayed: role, email
+* `basic` - Fields displayed: type, role, email, expireTime
+* `full` - Fields displayed: type, role, email, createTime, updateTime, expireTime; this is the default
+
 ### Display group structure
 To see a group's structure of nested groups use the `type group` option.
 ```
@@ -482,5 +498,5 @@ Group: testgroup5@domain.com
 ```
 To show the structure of all groups you can do the following; it will be time consuming for a large number of groups.
 ```
-gam redirect stdout ./groups.txt show group-members types group
-```
+gam redirect stdout ./groups.txt show cigroup-members types group
+```
--- a/wiki/Cloud-Identity-Groups.md
+++ b/wiki/Cloud-Identity-Groups.md
@@ -1,9 +1,7 @@
 # Cloud Identity Groups
 - [API documentation](#api-documentation)
- [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Query documentation](#query-documentation)
- [Cloud Identity Group Documentation](#cloud-identity-group-documentation)
- [Security Group Documentation](#security-group-documentation)
+- [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Notes](#Notes)
 - [Definitions](#definitions)
 - [Manage groups](#manage-groups)
@@ -12,24 +10,29 @@
 - [Display group counts](#display-group-counts)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups
-* https://developers.google.com/admin-sdk/groups-settings/v1/reference/groups
-* https://cloud.google.com/identity/docs/groups
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups
-* https://support.google.com/a/answer/11192679
+* [Cloud Identity Groups Overview](https://cloud.google.com/identity/docs/groups)
+* [Create and Manage Groups uning API](https://support.google.com/a/answer/10427204)
+* [Cloud Identity Groups API - Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups)
+* [Restrict Group Membership](https://support.google.com/a/answer/11192679)
+* [Lock Groups Beta](https://workspaceupdates.googleblog.com/2024/12/locked-groups-open-beta.html)
+* [Cloud Identity Groups](https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html)
+* [Security Groups](https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html)

 ## Query documentation
-* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
-* https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction
-
-## Cloud Identity Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/08/new-api-cloud-identity-groups-google.html
-
-## Security Group Documentation
-* https://gsuiteupdates.googleblog.com/2020/09/security-groups-beta.html
+* [Cloud Identity Groups API - Search Dynamic Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery)
+* [Member REstrictions](https://cloud.google.com/identity/docs/reference/rest/v1/SecuritySettings#MemberRestriction)

 ## Notes

+In version 7.02.01 options `locked` and `unlocked` wre added to `gam update cigroups` that allow locking groups.
+
+* See: https://workspaceupdates.googleblog.com/2024/12/locked-groups-open-beta.html
+
+You'll have to do a `gam oauth create` and enable the following scope to use these options:
+```
+[*] 22)  Cloud Identity Groups API Beta (Enables group locking/unlocking)
+```
+
 In the Admin Directory API a group has the following characteristics:
 * `id` - The unique ID of a group
 * `email` - The group's email address
@@ -63,8 +66,8 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <GroupRole> ::= owner|manager|member
 <GroupRoleList> ::= "<GroupRole>(,<GroupRole>)*"
-<CIGroupType> ::= customer|group|other|serviceaccount|user
-<CIGroupTypeList> ::= "<CIGroupType>(,<CIGroupType>)*"
+<CIGroupMemberType> ::= cbcmbrowser|customer|group|other|serviceaccount|user
+<CIGroupMemberTypeList> ::= "<CIGroupMemberType>(,<CIGroupMemberType>)*"
 <QueryDynamicGroup> ::= <String>
        See: https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
 <QueryMemberRestrictions> ::= <String>
@@ -72,6 +75,12 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require

 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |

+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+
 <GroupSettingsAttribute> ::=
        (allowexternalmembers <Boolean>)|
        (allowwebposting <Boolean>)|
@@ -231,11 +240,17 @@ and Cloud Identity Premium accounts. Unfortunately, even if you have the require
 These commands allow you to create, update and delete groups. They use the Admin SDK Groups Settings API
 to set `<GroupAttribute>`.
 ```
-gam create cigroup <EmailAddress> [copyfrom <GroupItem>] <GroupAttribute>
-        [makeowner]
-        [alias|aliases <EmailAddressList>] [dynamic <QueryDynamicGroup>]
+gam create cigroup <EmailAddress>
+        [copyfrom <GroupItem>] <GroupAttribute>*
+        [makeowner] [alias|aliases <CIGroupAliasList>]
+        [security|makesecuritygroup]
+        [dynamic <QueryDynamicGroup>]
 gam update cigroup <GroupEntity> [copyfrom <GroupItem>] <GroupAttribute>
-        [makesecuritygroup|security] [makedynamicsecuritygroup|dynamicsecurity] [dynamic <QueryDynamicGroup>]
+        [security|makesecuritygroup|
+         dynamicsecurity|makedynamicsecuritygroup|
+         lockedsecurity|makelockedsecuritygroup]
+        [locked|unlocked]
+        [dynamic <QueryDynamicGroup>]
        [memberrestrictions <QueryMemberRestrictions>]
 gam delete cigroups <GroupEntity>
 ```
@@ -259,8 +274,9 @@ gam info cigroups <GroupEntity>
        [nosecurity|nosecuritysettings]
        [allfields|<CIGroupFieldName>*|(fields <CIGroupFieldNameList>)]
        [roles <GroupRoleList>] [members] [managers] [owners]
-        [types <CIGroupTypeList>]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
+        [internal] [internaldomains <DomainNameList>] [external]
+        [types <CIGroupMemberTypeList>]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
        [formatjson]
 ```

@@ -272,11 +288,19 @@ By default, all direct members, managers and owners in the group are displayed;
 * `membertree` - Display all roles; expand all groups

 By default, when displaying members from a group, all types of members (customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
-* `types <CIGroupTypeList>` - Display specified types
+* `types <CIGroupMemberTypeList>` - Display specified types
+
+By default, when listing group members, GAM does not take the domain of the member into account.
+* `internal internaldomains <DomainNameList>` - Display members whose domain is in `<DomainNameList>`
+* `external internaldomains <DomainNameList>` - Display members whose domain is not in `<DomainNameList>`
+* `internal external internaldomains <DomainNameList>` - Display all members, indicate their category: internal or external
+* `internaldomains <DomainNameList>` - Defaults to value of `domain` in `gam.cfg`
+
+Members without an email address, e.g. `customer`, `chrome-os-device` and `cbcm-browser` are considered internal.

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, all group aliases are displayed, these options modify that behavior:
 * `noaliases` or `quick` - Do not display group aliases
@@ -296,13 +320,14 @@ This command displays information in CSV format.
 ```
 gam print cigroups [todrive <ToDriveAttribute>*]
        [(cimember|showownedby <UserItem>)|(select <GroupEntity>)|(query <String>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
        [basic|allfields|(<CIGroupFieldName>* [fields <CIGroupFieldNameList>])]
        [roles <GroupRoleList>] [memberrestrictions]
+        [internal] [internaldomains <DomainNameList>] [external]
        [members|memberscount] [managers|managerscount] [owners|ownerscount] [totalcount] [countsonly]
-        [types <CIGroupTypeList>]
-        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
+        [types <CIGroupMemberTypeList>]
+        [memberemaildisplaypattern|memberemailskippattern <REMatchPattern>]
        [convertcrnl] [delimiter <Character>]
        [formatjson [quotechar <Character>]]
 ```
@@ -313,12 +338,12 @@ By default, all groups in the account are displayed, these options allow selecti
 * `query <String>` - Limit display to the groups that match the query

 These options further limit the list of groups selected above:
-* `emailmatchpattern <RegularExpression>` - Limit display to groups whose email address matches `<RegularExpression>`
-* `emailmatchpattern not <RegularExpression>` - Limit display to groups whose email address does not match `<RegularExpression>`
-* `namematchpattern <RegularExpression>` - Limit display to groups whose name matches `<RegularExpression>`
-* `namematchpattern not <RegularExpression>` - Limit display to groups whose name does not match `<RegularExpression>`
-* `descriptionmatchpattern <RegularExpression>` - Limit display to groups whose description matches `<RegularExpression>`
-* `descriptionmatchpattern not <RegularExpression>` - Limit display to groups whose description does not match `<RegularExpression>`
+* `emailmatchpattern <REMatchPattern>` - Limit display to groups whose email address matches `<REMatchPattern>`
+* `emailmatchpattern not <REMatchPattern>` - Limit display to groups whose email address does not match `<REMatchPattern>`
+* `namematchpattern <REMatchPattern>` - Limit display to groups whose name matches `<REMatchPattern>`
+* `namematchpattern not <REMatchPattern>` - Limit display to groups whose name does not match `<REMatchPattern>`
+* `descriptionmatchpattern <REMatchPattern>` - Limit display to groups whose description matches `<REMatchPattern>`
+* `descriptionmatchpattern not <REMatchPattern>` - Limit display to groups whose description does not match `<REMatchPattern>`

 By default, GAM does not make an additional API call todisplay the member restrictions from `SecuritySettings`.
 * `memberrestrictions` - Make an additional API call and display the member restrictions from `SecuritySettings`
@@ -353,11 +378,19 @@ By default, no members, managers or owners in the group are displayed; these opt
 * `totalcount` - Display sum of counts of members, managers, owners.

 By default, when displaying members from a group, all types of members (customer, group, serviceaccount, user) in the group are displayed; this option modifies that behavior:
-* `types <CIGroupTypeList>` - Display specified types
+* `types <CIGroupMemberTypeList>` - Display specified types
+
+By default, when listing group members, GAM does not take the domain of the member into account.
+* `internal internaldomains <DomainNameList>` - Display members whose domain is in `<DomainNameList>`
+* `external internaldomains <DomainNameList>` - Display members whose domain is not in `<DomainNameList>`
+* `internal external internaldomains <DomainNameList>` - Display all members, indicate their category: internal or external
+* `internaldomains <DomainNameList>` - Defaults to value of `domain` in `gam.cfg`
+
+Members without an email address, e.g. `customer`, `chrome-os-device` and `cbcm-browser` are considered internal.

 Members that have met the above qualifications to be displayed can be further qualifed by their email address.
-* `memberemaildisplaypattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will be displayed; others will not be displayed
-* `memberemailskippattern <RegularExpression>` - Members with email addresses that match `<RegularExpression>` will not be displayed; others will be displayed
+* `memberemaildisplaypattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will be displayed; others will not be displayed
+* `memberemailskippattern <REMatchPattern>` - Members with email addresses that match `<REMatchPattern>` will not be displayed; others will be displayed

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
@@ -368,6 +401,37 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

+### Display member count examples
+```
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount                  
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,ManagersCount,MembersCount,OwnersCount
+testgroup@domain.com,9,0,7,2
+
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount internal
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,TotalInternalCount,InternalManagersCount,InternalMembersCount,InternalOwnersCount
+testgroup@domain.com,7,7,0,5,2
+
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount external
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,TotalExternalCount,ExternalManagersCount,ExternalMembersCount,ExternalOwnersCount
+testgroup@domain.com,2,2,0,2,0
+
+gam print cigroup select testgroup roles member,manager,owner countsonly totalcount external internal
+Getting Cloud Identity Groups for testgroup@domain.com
+Getting Members, Managers, Owners for testgroup@domain.com
+Got 9 Members, Managers, Owners...
+email,TotalCount,TotalInternalCount,InternalManagersCount,InternalMembersCount,InternalOwnersCount,TotalExternalCount,ExternalManagersCount,ExternalMembersCount,ExternalOwnersCount
+testgroup@domain.com,9,7,0,5,2,2,0,2,0
+```
+
 ### Display dynamic groups
 ```
 gam print cigroups query "'cloudidentity.googleapis.com/groups.dynamic' in labels"
@@ -383,8 +447,8 @@ Display the number of groups.
 ```
 gam print cigroups
        [(cimember|showownedby <UserItem>)|(select <GroupEntity>)|(query <String>)]
-        [emailmatchpattern [not] <RegularExpression>] [namematchpattern [not] <RegularExpression>]
-        [descriptionmatchpattern [not] <RegularExpression>]
+        [emailmatchpattern [not] <REMatchPattern>] [namematchpattern [not] <REMatchPattern>]
+        [descriptionmatchpattern [not] <REMatchPattern>]
        showitemcountonly
 ```
 Example
--- a/wiki/Cloud-Identity-Policies.md
+++ b/wiki/Cloud-Identity-Policies.md
@@ -0,0 +1,402 @@
+# Cloud Identity Policies
+- [API documentation](#api-documentation)
+- [Notes](#notes)
+- [Python Regular Expressions](Python-Regular-Expressions) Match function
+- [Definitions](#definitions)
+- [Policies](#policies)
+- [Display Cloud Identity Policies](#display-cloud-identity-policies)
+
+## API documentation
+* [Policy API](https://cloud.google.com/identity/docs/reference/rest/v1/policies)
+* [Policy Settings](https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings)
+
+## Notes
+To use these commands you must update your client access authentication.
+You'll enter 19R to turn on the Cloud Identity Policy scope; then continue
+with authentication.
+```
+gam oauth delete
+gam oauth create
+...
+[R] 19)  Cloud Identity - Policy
+```
+
+## Definitions
+```
+<CIPolicyName> ::= policies/<String>|settings/<String>|<String>
+<CIPolicyNameList> ::= "<CIPolicyName>(,<CIPolicyName>)*"
+<CIPolicyNameEntity> ::=
+        <CIPolicyNameList> | <FileSelector> | <CSVFileSelector>
+
+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+```
+
+## Policies
+These are the supported policies GAM can show today.
+
+See: https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings
+```
+user_takeout_status (is takeout enabled for service)
+  blogger.user_takeout
+  books.user_takeout
+  location_history.user_takeout
+  maps.user_takeout
+  pay.user_takeout
+  photos.user_takeout
+  play.user_takeout
+  play_console.user_takeout
+  youtube.user_takeout
+service_status (is service enabled)
+  ad_manager
+  ads
+  adsense
+  alerts
+  analytics
+  applied_digital_skills
+  appsheet
+  arts_and_culture
+  beyondcorp_enterprise
+  blogger
+  bookmarks
+  books
+  calendar
+  campaign_manager
+  chat
+  chrome_canvas
+  chrome_remote_desktop
+  chrome_sync
+  chrome_web_store
+  classroom
+  cloud
+  cloud_search
+  colab
+  cs_first
+  data_studio
+  developers
+  domains
+  drive_and_docs
+  earth
+  enterprise_service_restrictions
+  experimental_apps
+  feedburner
+  fi
+  gmail
+  groups
+  groups_for_business
+  jamboard
+  keep
+  location_history
+  managed_play
+  maps
+  material_gallery
+  meet
+  merchant_center
+  messages
+  migrate
+  my_business
+  my_maps
+  news
+  partner_dash
+  pay
+  pay_for_business
+  photos
+  pinpoint
+  play
+  play_books_partner_center
+  play_console
+  public_data
+  question_hub
+  scholar_profiles
+  search_ads_360
+  search_and_assistant
+  search_console
+  sites
+  socratic
+  takeout
+  tasks
+  third_party_app_backups
+  translate
+  trips
+  vault
+  voice
+  work_insights
+  youtube
+calendar.appointment_schedules
+  enablePayments
+chat.chat_apps_access
+  enableApps
+  enableWebhooks
+chat.chat_file_sharing
+  externalFileSharing
+  internalFileSharing
+chat.chat_history
+  enableChatHistory
+  historyOnByDefault
+  allowUserModification
+chat.external_chat_restriction
+  allowExternalChat
+chat.space_history
+  historyState
+classroom.api_data_access
+  enableApiAccess
+classroom.class_membership
+  whoCanJoinClasses
+  whichClassesCanUsersJoin
+classroom.guardian_access
+  allowAccess
+  whoCanManageGuardianAccess
+classroom.originality_reports
+  enableOriginalityReportsSchoolMatches
+classroom.roster_import
+  rosterImportOption
+classroom.student_unenrollment
+  whoCanUnenrollStudents
+classroom.teacher_permissions
+  whoCanCreateClasses
+cloud_sharing_options.cloud_data_sharing
+  sharingOptions
+detector.regular_expression
+  displayName
+  regularExpression
+  createTime
+  updateTime
+detector.word_list
+  displayName
+  wordList
+  createTime
+  updateTime
+  description
+drive_and_docs.drive_for_desktop
+  allowDriveForDesktop
+  restrictToAuthorizedDevices
+  showDownloadLink
+  allowRealTimePresence
+drive_and_docs.external_sharing
+  externalSharingMode
+  allowReceivingExternalFiles
+  warnForSharingOutsideAllowlistedDomains
+  allowReceivingFilesOutsideAllowlistedDomains
+  allowNonGoogleInvitesInAllowlistedDomains
+  warnForExternalSharing
+  allowNonGoogleInvites
+  allowPublishingFiles
+  accessCheckerSuggestions
+  allowedPartiesForDistributingContent
+drive_and_docs.file_security_update
+  securityUpdate
+  allowUsersToManageUpdate
+drive_and_docs.shared_drive_creation
+  allowSharedDriveCreation
+  orgUnitForNewSharedDrives
+  customOrgUnit
+  allowManagersToOverrideSettings
+  allowExternalUserAccess
+  allowNonMemberAccess
+  allowedPartiesForDownloadPrintCopy
+  allowContentManagersToShareFolders
+gmail.auto_forwarding
+  enableAutoForwarding
+gmail.confidential_mode
+  enableConfidentialMode
+gmail.email_attachment_safety
+  enableEncryptedAttachmentProtection
+  encryptedAttachmentProtectionConsequence
+  enableAttachmentWithScriptsProtection
+  attachmentWithScriptsProtectionConsequence
+  enableAnomalousAttachmentProtection
+  anomalousAttachmentProtectionConsequence
+  allowedAnomalousAttachmentFiletypes
+  applyFutureRecommendedSettingsAutomatically
+  encryptedAttachmentProtectionQuarantineId
+  attachmentWithScriptsProtectionQuarantineId
+  anomalousAttachmentProtectionQuarantineId
+gmail.email_image_proxy_bypass
+  imageProxyBypassPattern
+  enableImageProxy
+gmail.enhanced_pre_delivery_message_scanning
+  enableImprovedSuspiciousContentDetection
+gmail.enhanced_smime_encryption
+  enableSmimeEncryption
+  allowUserToUploadCertificates
+gmail.gmail_name_format
+  allowCustomDisplayNames
+  defaultDisplayNameFormat
+gmail.imap_access
+  enableImapAccess
+gmail.links_and_external_images
+  enableShortenerScanning
+  enableExternalImageScanning
+  enableAggressiveWarningsOnUntrustedLinks
+  applyFutureSettingsAutomatically
+gmail.per_user_outbound_gateway
+  allowUsersToUseExternalSmtpServers
+gmail.pop_access
+  enablePopAccess
+gmail.spoofing_and_authentication
+  detectDomainNameSpoofing
+  detectEmployeeNameSpoofing
+  detectDomainSpoofingFromUnauthenticatedSenders
+  detectUnauthenticatedEmails
+  domainNameSpoofingConsequence
+  employeeNameSpoofingConsequence
+  domainSpoofingConsequence
+  unauthenticatedEmailConsequence
+  detectGroupsSpoofing
+  groupsSpoofingVisibilityType
+  groupsSpoofingConsequence
+  applyFutureSettingsAutomatically
+  domainNameSpoofingQuarantineId
+  employeeNameSpoofingQuarantineId
+  domainSpoofingQuarantineId
+  unauthenticatedEmailQuarantineId
+  groupsSpoofingQuarantineId
+gmail.user_email_uploads
+  enableMailAndContactsImport
+gmail.workspace_sync_for_outlook
+  enableGoogleWorkspaceSyncForMicrosoftOutlook
+groups_for_business.groups_sharing
+  ownersCanAllowIncomingMailFromPublic
+  collaborationCapability
+  createGroupsAccessLevel
+  ownersCanAllowExternalMembers
+  ownersCanHideGroups
+  newGroupsAreHidden
+  viewTopicsDefaultAccessLevel
+meet.safety_access
+  meetingsAllowedToJoin
+meet.safety_domain
+  usersAllowedToJoin
+meet.safety_external_participants
+  enableExternalLabel
+meet.safety_host_management
+  enableHostManagement
+meet.video_recording
+  enableRecording
+rule.dlp
+  displayName
+  description
+  triggers
+  condition
+  action
+  state
+  createTime
+  updateTime
+  ruleTypeMetadata
+rule.system_defined_alerts
+  displayName
+  description
+  action
+  state
+  createTime
+  updateTime
+security.advanced_protection_program
+  enableAdvancedProtectionSelfEnrollment
+  securityCodeOption
+security.less_secure_apps
+  allowLessSecureApps
+security.login_challenges
+  enableEmployeeIdChallenge
+security.password
+  allowedStrength
+  minimumLength
+  maximumLength
+  enforceRequirementsAtLogin
+  allowReuse
+  expirationDuration
+security.session_controls
+  webSessionDuration
+security.super_admin_account_recovery
+  enableAccountRecovery
+security.user_account_recovery
+  enableAccountRecovery
+sites.sites_creation_and_modification
+  allowSitesCreation
+  allowSitesModification
+workspace_marketplace.apps_allowlist
+  apps
+```
+## Display Cloud Identity Policies
+Display selected policies.
+```
+gam info policies <CIPolicyEntity>
+        [nowarnings] [noappnames]
+        [formatjson]
+```
+
+Select policies::
+* `polices/<String>` - A policy name, `policies/ahv4hg7qc24kvaghb7zihwf4riid4`
+* `settings/<String>` - A policy setting type, `settings/workspace_marketplace.apps_allowlist`
+* `<String>` - A policy setting type, `workspace_marketplace.apps_allowlist`
+
+By default, policy warnings are displayed, use the 'nowarnings` option to suppress their display.
+
+By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
+to get the application name for the application ID. Use option `noappnames` to suppress these calls.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+Display all or filtered policies.
+```
+gam show policies
+        [filter <String>] [nowarnings] [noappnames]
+        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
+        [formatjson]
+```
+By default, all policies are displayed.
+* `filter <String>` - Display filtered policies, See https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/list
+* `group <REMatchPattern>` - Only display policies whose group email address matches the `<REMatchPattern>`
+* `ou|org|orgunit <REMatchPattern>` - Only display policies whose OU path matches the `<REMatchPattern>`
+
+By default, policy warnings are displayed, use the `nowarnings` option to suppress their display.
+
+By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
+to get the application name for the application ID. Use option `noappnames` to suppress these calls.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam print policies [todrive <ToDriveAttribute>*]
+        [filter <String>] [nowarnings] [noappnames]
+        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
+        [formatjson [quotechar <Character>]]
+```
+By default, all policies are displayed:
+* `filter <String>` - Display filtered policies, See https://cloud.google.com/identity/docs/reference/rest/v1beta1/policies/list
+* `group <REMatchPattern>` - Only display policies whose group email address matches the `<REMatchPattern>`
+* `ou|org|orgunit <REMatchPattern>` - Only display policies whose OU path matches the `<REMatchPattern>`
+
+By default, policy warnings are displayed, use the `nowarnings` option to suppress their display.
+
+By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
+to get the application name for the application ID. Use option `noappnames` to suppress these calls.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+### Examples
+Print all service status policies.
+```
+gam redirect csv ./ServiceStatusPolicies.csv print policies filter "setting.type.matches('.*service_status')"
+```
+
+Print all polices that apply directly to the OU "/Staff".
+```
+gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff$"
+```
+
+Print all polices that apply to the OU "/Staff" and its sub-OUs.
+```
+gam redirect csv ./StaffPolicies.csv print policies ou "^/Staff"
+```
--- a/wiki/Cloud-Storage.md
+++ b/wiki/Cloud-Storage.md
@@ -1,11 +1,11 @@
-!# Cloud Storage
+# Cloud Storage
 - [API documentation](#api-documentation)
 - [Notes](#notes)
 - [Definitions](#definitions)
 - [Download a Cloud Storage Bucket Object](#download-a-cloud-storage-bucket-object)

 ## API documentation
-* https://cloud.google.com/storage/docs/json_api/v1/objects
+* [Cloud Storage API - Objects](https://cloud.google.com/storage/docs/json_api/v1/objects)

 ## Notes
 To use these commands you must add the 'Cloud Storage API' to your project and update your client access authorization.
--- a/wiki/Collections-of-ChromeOS-Devices.md
+++ b/wiki/Collections-of-ChromeOS-Devices.md
@@ -1,5 +1,5 @@
-!# Collections of ChromeOS Devices
- [Python Regular Expressions](Python-Regular-Expressions) Match function
+# Collections of ChromeOS Devices
+- [Python Regular Expressions](Python-Regular-Expressions) Search function
 - [Definitions](#definitions)
 - [Organization Unit Quoting](#organization-unit-quoting)
 - [Query Quoting](#query-quoting)
@@ -94,7 +94,7 @@
             (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (croscsvfile_sn
            ((<FileName>(:<FieldName>)+ [charset <Charset>] )|
@@ -104,7 +104,7 @@
             (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (datafile
            cros|cros_sn|cros_ous|cros_ous_and_children
@@ -121,7 +121,7 @@
              (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (csvkmd
            cros|cros_sn|cros_ous|cros_ous_and_children
@@ -131,9 +131,9 @@
              (gcscsv <StorageBucketObjectName>)|
              (gcsdoc <StorageBucketObjectName>))
             [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
-            keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-            subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+            subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [datafield <FieldName>(:<FieldName>)* [delimiter <Character>]])
        (croscsvdata <FieldName>(:<FieldName>*))
 ```
@@ -141,17 +141,12 @@
 * `<OrgUnitItem>` should be enclosed in `"` if it contains a space, comma or single quote.
 * `<OrgUnitList>` may require special quoting based on whether the OUs contain spaces, commas or single quotes.

-For quoting rules, see: [List Items](List-Items)
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)

 ## Query Quoting
 `<QueryCrOSList>` may require special quoting based on whether the queries contain spaces, commas or single quotes.

-* Surround `<QueryCrOSList>` with `" "`
-* Surround each query with `\" \"`, separate the queries with commas.
-
-```
-queries "\"orgUnitPath='/Path/To/OU 1'\",\"orgUnitPath='/Path/To/OU 2'\",\"orgUnitPath='/Path/To/OU 3'\""
-```
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)

 ## Query Notes

@@ -267,7 +262,7 @@ croscsvfile
    (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `<FileName>(:<FieldName>)+` - A CSV file and the one or more columns that contain ChromeOS deviceIds
@@ -282,7 +277,7 @@ croscsvfile
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple deviceIds per column separated by `<Character>`; if not specified, there is single deviceId per column

 ## Selected ChromeOS serial numbers in a CSV file/Google Sheet/Google Doc/Google Cloud Storage Object
@@ -295,7 +290,7 @@ croscsvfile_sn
    (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `<FileName>(:<FieldName>)+` - A CSV file and the one or more columns that contain ChromeOS serial numbers
@@ -310,7 +305,7 @@ croscsvfile_sn
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple serial numbers per column separated by `<Character>`; if not specified, there is single deviceId per column

 ## ChromeOS devices from OUs in a flat file/Google Doc/Google Cloud Storage Object
@@ -340,7 +335,7 @@ csvdatafile
     (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `cros|cros_ous|cros_ous_and_children` - The type of item in the file
@@ -356,7 +351,7 @@ csvdatafile
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple deviceIds per column separated by `<Character>`; if not specified, there is single deviceId per column

 ## ChromeOS devices directly in or from OUs in a CSV file/Google Sheet/Google Doc/Google Cloud Storage Object
@@ -369,9 +364,9 @@ csvkmd
     (gcscsv <StorageBucketObjectName>)|
     (gcsdoc <StorageBucketObjectName>))
    [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
-   keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-   subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+   subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [datafield <FieldName>(:<FieldName>)* [delimiter <Character>]]
 ```
 * `cros|cros_sn|cros_ous|cros_ous_and_children` - The type of item in the file
@@ -385,15 +380,15 @@ csvkmd
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])+`
+* `(keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])+`
    * `keyfield <FieldName>` - The column containing key values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per keyfield column separated by `<Character>`; if not specified, there is single value per keyfield column
-* `(subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])*`
+* `(subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])*`
    * `subkeyfield <FieldName>` - The column containing subkey values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per subkeyfield column separated by `<Character>`; if not specified, there is single value per subkeyfield column
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `(datafield <FieldName>(:<FieldName)* [delimiter <Character>])*`
    * `datafield <FieldName>(:<FieldName)*` - The column(s) containing data values
    * `delimiter <Character>` - There are multiple values per datafield column separated by `<Character>`; if not specified, there is single value per datafield column
@@ -462,5 +457,3 @@ This is equivaluent to:
 ```
 gam cros_ous "'/Students/Middle School/2021','/Students/Middle School/2020'" print cros allfields nolists
 ```
-
-
--- a/wiki/Collections-of-Items.md
+++ b/wiki/Collections-of-Items.md
@@ -1,5 +1,5 @@
-!# Collections of Items
- [Python Regular Expressions](Python-Regular-Expressions) Match function
+# Collections of Items
+- [Python Regular Expressions](Python-Regular-Expressions) Search function
 - [Definitions](#definitions)
 - [ListSelector](#listselector)
 - [FileSelector](#fileselector)
@@ -65,7 +65,7 @@ A CSV file with one or more columns per row that contain Items.
                 (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
                [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
                [endcsv|(fields <FieldNameList>)]
-                (matchfield|skipfield <FieldName> <RegularExpression>)*
+                (matchfield|skipfield <FieldName> <RESearchPattern>)*
                [delimiter <Character>]
 ```
 * `<FileName>(:<FieldName>)+` - A CSV file and the one or more columns that contain Items
@@ -79,7 +79,7 @@ A CSV file with one or more columns per row that contain Items.
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple Items per column separated by `<Character>`; if not specified, there is single item per column

 ## CSVkmdSelector
@@ -92,9 +92,9 @@ A CSV file with a key column that contains an Item and optional subkey and data
                 (gcscsv <StorageBucketObjectName>)|
                 (gcsdoc <StorageBucketObjectName>))
                 [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>] [fields <FieldNameList>])
-                keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-                subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-                (matchfield|skipfield <FieldName> <RegularExpression>)*
+                keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+                subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+                (matchfield|skipfield <FieldName> <RESearchPattern>)*
                [datafield <FieldName>(:<FieldName>)* [delimiter <Character>]]
 ```
 * `<FileName>` - A CSV file containing rows with columns of items
@@ -107,15 +107,15 @@ A CSV file with a key column that contains an Item and optional subkey and data
 * `quotechar <Character>` - The column quote characer is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])+`
+* `(keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])+`
    * `keyfield <FieldName>` - The column containing key values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per keyfield column separated by `<Character>`; if not specified, there is single value per keyfield column
-* `(subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])*`
+* `(subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])*`
    * `subkeyfield <FieldName>` - The column containing subkey values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per subkeyfield column separated by `<Character>`; if not specified, there is single value per subkeyfield column
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `(datafield <FieldName>(:<FieldName)* [delimiter <Character>])*`
    * `datafield <FieldName>(:<FieldName)*` - The column(s) containing data values
    * `delimiter <Character>` - There are multiple values per datafield column separated by `<Character>`; if not specified, there is single value per datafield column
@@ -144,6 +144,12 @@ Data fields identified in a `csvkmd` argument.
        <CalendarACLScopeList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <CalendarEntity> ::=
        <CalendarList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
+<CIPolicyNameEntity> ::=
+        <CIPolicyNameList> | <FileSelector> | <CSVFileSelector>
+<ClassificationLabelNameEntity> ::=
+        <ClassificationLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
+<ClassificationLabelPermissionNameEntity> ::=
+        <ClassificationLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <ClassroomInvitationIDEntity> ::=
        <ClassroomInvitationIDList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <ContactEntity> ::=
@@ -265,10 +271,6 @@ Data fields identified in a `csvkmd` argument.
        (first|last|allexceptfirst|allexceptlast <Number>)|
        (before|after <Time>) | (range <Time> <Time>)|
        <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
-<DriveLabelNameEntity> ::=
-        <DriveLabelNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
-<DriveLabelPermissionNameEntity> ::=
-        <DriveLabelPermissionNameList> | <FileSelector> | <CSVFileSelector> | <CSVDataSelector>
 <EmailAddressEntity> ::=
        <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
 <FilterIDEntity> ::=
--- a/wiki/Collections-of-Users.md
+++ b/wiki/Collections-of-Users.md
@@ -1,7 +1,6 @@
-!# Collections of Users
- [Python Regular Expressions](Python-Regular-Expressions) Match function
+# Collections of Users
+- [Python Regular Expressions](Python-Regular-Expressions) Search function
 - [Definitions](#definitions)
- [List quoting rules](#list-quoting-rules)
 - [User Type Entity](#user-type-entity)
  - [All non-suspended Users](#all-non-suspended-users)
  - [All suspended Users](#all-suspended-Users)
@@ -129,7 +128,7 @@
             (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (datafile
            users|groups|groups_ns|groups_susp|groups_inde|ous|ous_ns|ous_susp|
@@ -150,7 +149,7 @@
              (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
            [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
            [endcsv|(fields <FieldNameList>)]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [delimiter <Character>])|
        (csvkmd
            users|groups|groups_ns|groups_susp|groups_inde|ous|ous_ns|ous_susp|
@@ -162,26 +161,13 @@
              (gcscsv <StorageBucketObjectName>)|
              (gcsdoc <StorageBucketObjectName>))
             [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>] [fields <FieldNameList>])
-            keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-            subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-            (matchfield|skipfield <FieldName> <RegularExpression>)*
+            keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+            subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+            (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [datafield <FieldName>(:<FieldName>)* [delimiter <Character>]])
        (csvdata <FieldName>(:<FieldName>*))
 ```
-## List quoting rules
-Items in a list can be separated by commas or spaces; if an item itself contains a comma, a space or a single quote, special quoting must be used.
-Typically, you will enclose the entire list in double quotes and quote each item in the list as detailed below.

- Items, separated by commas, without spaces, commas or single quotes in the items themselves
-   * ```"item,item,item"```
- Items, separated by spaces, without spaces, commas or single quotes in the items themselves
-   * ```"item item item"```
- Items, separated by commas, with spaces, commas or single quotes in the items themselves
-   * ```"'it em','it,em',\"it'em\""```
- Items, separated by spaces, with spaces, commas or single quotes in the items themselves
-   * ```"'it em' 'it,em' \"it'em\""```
-
-Typical places where these rules apply are lists of OUs and Contact Groups.
 ## User Type Entity

 Use these options to select users for GAM commands.
@@ -292,7 +278,7 @@ Use these options to select users for GAM commands.

 `<OrgUnitList>` may require special quoting based on whether the OUs contain spaces, commas or single quotes.

-For quoting rules, see: [List Items](List-Items)
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)

 ## Users in the Organization Units `<OrgUnitList>` and all of their sub Organization Units
 * `ous_and_children|ous_and_children_ns|ous_and_children_susp <OrgUnitList>` - Users in the Organization Units `<OrgUnitList>` and all of their sub Organization Units
@@ -302,7 +288,7 @@ For quoting rules, see: [List Items](List-Items)

 `<OrgUnitList>` may require special quoting based on whether the OUs contain spaces, commas or single quotes.

-For quoting rules, see: [List Items](List-Items)
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)

 ## All of the students and teachers in the courses specified in `<CourseIDList>`
 * `courseparticipants <CourseIDList>`
@@ -328,16 +314,10 @@ See https://developers.google.com/admin-sdk/directory/v1/guides/search-users

 `<QueryUserList>` may require special quoting based on whether the queries contain spaces, commas or single quotes.

-* Surround `<QueryCrOSList>` with `" "`
-* Surround each query with `\" \"`, separate the queries with commas.
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)

-```
-queries "\"orgUnitPath='/Path/To/OU 1' isSuspended=False\",\"orgUnitPath='/Path/To/OU 2' isSuspended=False\",\"orgUnitPath='/Path/To/OU 3' isSuspended=False\""
-```
 Note that the results are all users who match one or more of the queries. In other words this is "OR" logic, and you get the union of all matching results.

-For quoting rules, see: [List Items](List-Items)
-
 ## Users in a flat file/Google Doc/Google Cloud Storage Object
 ```
 file
@@ -362,7 +342,7 @@ csvfile
    (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `<FileName>(:<FieldName>)+` - A CSV file and the one or more columns that contain Users
@@ -377,7 +357,7 @@ csvfile
 * `quotechar <Character>` - The column quote character is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple Users per column separated by `<Character>`; if not specified, there is single user per column

 ## Users from groups/OUs/courses in a flat file/Google Doc/Google Cloud Storage Object
@@ -411,7 +391,7 @@ csvdatafile
     (gcsdoc(:<FieldName>)+ <StorageBucketObjectName>))
   [warnifnodata] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>]
   [endcsv|(fields <FieldNameList>)]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
   [delimiter <Character>]
 ```
 * `users|groups|groups_ns|groups_susp|groups_inde|ous|ous_ns|ous_susp|ous_and_children|ous_and_children_ns|ous_and_children_susp|courseparticipants|students|teachers` - The type of item in the file
@@ -427,7 +407,7 @@ csvdatafile
 * `quotechar <Character>` - The column quote character is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `delimiter <Character>` - There are multiple Users per column separated by `<Character>`; if not specified, there is single user per column

 ## Users directly in or from groups/OUs/courses in a CSV file/Google Sheet/Google Doc/Google Cloud Storage Object
@@ -442,9 +422,9 @@ csvkmd
     (gcscsv <StorageBucketObjectName>)|
     (gcsdoc <StorageBucketObjectName>))
    [charset <Charset>] [columndelimiter <Character>] [noescapechar <Boolean>][quotechar <Character>] [fields <FieldNameList>])
-   keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-   subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>]
-   (matchfield|skipfield <FieldName> <RegularExpression>)*
+   keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+   subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>]
+   (matchfield|skipfield <FieldName> <RESearchPattern>)*
            [datafield <FieldName>(:<FieldName>)* [delimiter <Character>]]
 ```
 * `users|groups|groups_ns_|groups_susp|groups_inde|ous|ous_ns|ous_susp|ous_and_children|ous_and_children_ns|ous_and_children_susp|courseparticipants|students|teachers` - The type of item in the file
@@ -460,15 +440,15 @@ csvkmd
 * `quotechar <Character>` - The column quote character is `<Character>`; if not specified, the value of `csv_input_quote_char` from `gam.cfg` will be used
 * `endcsv` - Use this option to signal the end of the csvfile parameters in the case that the next argument on the command line is `fields` but is specifying the output field list for the command not column headings
 * `fields <FieldNameList>` - The column headings of a CSV file that does not contain column headings
-* `(keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])+`
+* `(keyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])+`
    * `keyfield <FieldName>` - The column containing key values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `keyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per keyfield column separated by `<Character>`; if not specified, there is single value per keyfield column
-* `(subkeyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <Character>])*`
+* `(subkeyfield <FieldName> [keypattern <RESearchPattern>] [keyvalue <RESubstitution>] [delimiter <Character>])*`
    * `subkeyfield <FieldName>` - The column containing subkey values
-    * `[keypattern <RegularExpression>] [keyvalue <String>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <String>` is specified, all instances of `<FieldName>` in `keyvalue <String>` will be replaced by the item value. If `keypattern <RegularExpression>` is specified, the item value is matched against `<RegularExpression>` and the matched segments are substituted into `keyvalue <String>`
+    * `[keypattern <RESearchPattern>] [keyvalue <RESubstitution>]` - Allows transforming the value(s) in the `subkeyfield` column. If only `keyvalue <RESubstitution>` is specified, all instances of `<FieldName>` in `keyvalue <RESubstitution>` will be replaced by the item value. If `keypattern <RESearchPattern>` is specified, the item value is matched against `<RESearchPattern>` and the matched segments are substituted into `keyvalue <RESubstitution>`
    * `delimiter <Character>` - There are multiple values per subkeyfield column separated by `<Character>`; if not specified, there is single value per subkeyfield column
-* `(matchfield|skipfield <FieldName> <RegularExpression>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
+* `(matchfield|skipfield <FieldName> <RESearchPattern>)*` - The criteria to select rows from the CSV file; can be used multiple times; if not specified, all rows are selected
 * `(datafield <FieldName>(:<FieldName)* [delimiter <Character>])*`
    * `datafield <FieldName>(:<FieldName)*` - The column(s) containing data values
    * `delimiter <Character>` - There are multiple values per datafield column separated by `<Character>`; if not specified, there is single value per datafield column
--- a/wiki/Command-Data-From-Google-Docs-Sheets-Storage.md
+++ b/wiki/Command-Data-From-Google-Docs-Sheets-Storage.md
@@ -1,4 +1,4 @@
-!# Command data from Google Docs, Sheets and Cloud Storage
+# Command data from Google Docs, Sheets and Cloud Storage
 - [Introduction](#introduction)
 - [Definitions](#definitions)
 - [Read data from a Google Doc or Drive File](#read-data-from-a-google-doc-or-drive-file)
--- a/wiki/Command-Line-Parsing.md
+++ b/wiki/Command-Line-Parsing.md
@@ -1,4 +1,4 @@
-!# Command Line Parsing
+# Command Line Parsing
 - [Linux and MacOS](#linux-and-macos)
 - [Windows Command Prompt](#windows-command-prompt)
 - [Windows PowerShell](#windows-powershell)
@@ -56,9 +56,11 @@ Typically, you will enclose the entire list in double quotes and quote each item
 - Items, separated by spaces, without spaces, commas or single quotes in the items themselves
   * ```"item item item"```
 - Items, separated by commas, with spaces, commas or single quotes in the items themselves
-   * ```"'it em','it,em',\"it'em\""```
+   * ```"'it em','it,em',\"it'em\""``` - Linux, MacOS, Windows Command Prompt
+   * ```"'it\ em','it,em',`"it\'em`""``` - Windows Power Shell
 - Items, separated by spaces, with spaces, commas or single quotes in the items themselves
-   * ```"'it em' 'it,em' \"it'em\""```
+   * ```"'it em' 'it,em' \"it'em\""``` - Linux, MacOS, Windows Command Prompt
+   * ```"'it\ em' 'it,em' `"it\'em`""``` - Windows Power Shell

 Typical places where these rules apply are lists of OUs and Contact Groups.

--- a/wiki/Command-Logging-Progress.md
+++ b/wiki/Command-Logging-Progress.md
@@ -1,14 +1,8 @@
-!# Command Logging and Progress
- [Introduction](#introduction)
+# Command Logging and Progress
 - [GAM Configuration](gam.cfg)
 - [Command Logging](#command-logging)
 - [Command Progress](#command-progress)

-## Introduction
-Starting with version 6.07.00, GAM can log its commands to a file.
-
-Display of `gam batch|tbatch|csv|loop` progress messages has been improved.
-
 ## Command Logging
 The following keywords in `gam.cfg` control logging of GAM commands.
 ```
--- a/wiki/Context-Aware-Access-Levels.md
+++ b/wiki/Context-Aware-Access-Levels.md
@@ -1,13 +1,13 @@
 # Context-Aware Access Levels

 - [Notes](#Notes)
- [Context-Aware Access documentation](https://support.google.com/a/answer/9275380)
 - [API documentation](#api-documentation)
 - [Grant Service Account Rights to Manage CAA](#grant-service-account-rights-to-manage-caa)
 - [Definitions](#definitions)
 - [Parameters for Basic Levels](#parameters-for-basic-levels)
 - [Create an Access Level](#create-an-access-level)
 - [Update an Access Level](#update-an-access-level)
+- [Update Access Levels with JSON](#update-access-levels-with-json)
 - [Delete an Access Level](#delete-an-access-level)
 - [Display all Access Levels](#display-all-access-levels)
 - [CAA Region Codes](#caa-region-codes)
@@ -23,7 +23,8 @@ gam update project
 ```

 ## API documentation
-* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies
+* [Context-Aware Access documentation](https://support.google.com/a/answer/9275380)
+* [Access Context Manager API - Access Policies](https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies)

 ## Grant Service Account Rights to Manage CAA
 In order for GAM to manage CAA access levels, you need to grant your service account a special role for your GCP organization.
@@ -177,6 +178,27 @@ This example adds UK to the allowed regions for CORP_COUNTRIES
 gam update caalevel CORP_COUNTRIES basic condition regions US,CA,UK endcondition
 ```

+## Update Access Levels with JSON
+Update existing CAA levels via their JSON data; create a CSV file of CAA levels.
+```
+gam redirect csv ./CAAlevels.csv print caalevels formatjson quotechar "'"
+```
+Edit the JSON column for the desired CAA level(s) in CAAlevels.csv.
+Update the desired CAA level by selecting the row by it's title; repeat for each title to update.
+```
+gam config csv_input_row_filter "title:text='Example Title'" csv CAAlevels.csv quotechar "'" gam update caalevel "~name" json "~JSON"
+```
+
+## Example
+Edit CAAlevels.csv and add UK to the allowed regions for CORP_COUNTRIES
+```
+{"regions": ["US", "CA", "UK"]}
+```
+Do the update.
+```
+gam config csv_input_row_filter "title:text='CORP_COUNTRIES'" csv CAAlevels.csv quotechar "'" gam update caalevel "~name" json "~JSON"
+```
+
 ## Delete an Access Level
 Deletes the specified access level.
 ```
--- a/wiki/Customer.md
+++ b/wiki/Customer.md
@@ -1,4 +1,4 @@
-!# Customer
+# Customer
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Update customer](#update-customer)
@@ -6,7 +6,7 @@
 - [Display instance](#display-instance)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/customers
+* [Directory API - Customers](https://developers.google.com/admin-sdk/directory/reference/rest/v1/customers)

 ## Definitions
 ```
--- a/wiki/Domain-People-Contacts-Profiles.md
+++ b/wiki/Domain-People-Contacts-Profiles.md
@@ -7,11 +7,11 @@
 - [Display Domain Profiles](#display-domain-profiles)

 ## API documentation
-* https://developers.google.com/contacts/v3/announcement
-* https://developers.google.com/people/contacts-api-migration
-* https://developers.google.com/people
-* https://developers.google.com/people/api/rest/v1/people/listDirectoryPeople
-* https://developers.google.com/people/api/rest/v1/people/searchDirectoryPeople
+* [Contacts API Migration](https://developers.google.com/people/contacts-api-migration)
+* [People API Migration](https://developers.google.com/people)
+* [People API](https://developers.google.com/people/api/rest)
+* [People API - List Directory People](https://developers.google.com/people/api/rest/v1/people/listDirectoryPeople)
+* [People API - Search Directory People](https://developers.google.com/people/api/rest/v1/people/searchDirectoryPeople)

 ## Notes
 To use these features you must add the `People API` to your project and authorize the appropriate scopes:
@@ -22,7 +22,7 @@ To use these features you must add the `People API` to your project and authoriz
 ```
 gam update project
 gam oauth create
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```

 ## Definitions
--- a/docs/Domain-SharedContacts-GAL.md
+++ b/docs/Domain-SharedContacts-GAL.md
@@ -1,6 +1,5 @@
-# Domain Shared Contacts - Global Address List
+# Domain Shared Contacts
 - [API documentation](#api-documentation)
- [Query documentation](#query-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Create domain shared contacts](#create-domain-shared-contacts)
@@ -14,10 +13,7 @@
 - [Display global address list](#display-global-address-list)

 ## API documentation
-* https://developers.google.com/admin-sdk/domain-shared-contacts/
-
-## Query documentation
-* https://developers.google.com/google-apps/contacts/v3/reference#contacts-query-parameters-reference
+* [Domain Shared Contacts API](https://developers.google.com/admin-sdk/domain-shared-contacts)

 ## Definitions
 * [Command data from Google Docs/Sheets/Storage](Command-Data-From-Google-Docs-Sheets-Storage)
@@ -51,6 +47,12 @@

 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |

+<RegularExpression> ::= <String>
+        See: https://docs.python.org/3/library/re.html
+<REMatchPattern> ::= <RegularExpression>
+<RESearchPattern> ::= <RegularExpression>
+<RESubstitution> ::= <String>>
+
 <ContactID> ::= <String>
 <ContactIDList> ::= "<ContactID>(,<ContactID>)*"
 <ContactEntity> ::=
@@ -58,7 +60,7 @@
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <ContactSelection> ::=
        [query <QueryContact>]
-        [emailmatchpattern <RegularExpression> [emailmatchtype work|home|other|<String>]]
+        [emailmatchpattern <REMatchPattern> [emailmatchtype work|home|other|<String>]]
        [updated_min <Date>]
 ```
 ```
@@ -211,13 +213,13 @@ You specify contacts by ID or by selection qualifiers.
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
 <ContactSelection> ::=
        [query <QueryContact>]
-        [emailmatchpattern <RegularExpression> [emailmatchtype work|home|other|<String>]]
+        [emailmatchpattern <REMatchPattern> [emailmatchtype work|home|other|<String>]]
        [updated_min <Date>]
 ```
 Selection qualifiers may be combined.
 * `query <QueryContact>` - Fulltext query on contacts data fields. See: https://developers.google.com/contacts/v3/reference#contacts-query-parameters-reference
-* `emailmatchpattern <RegularExpression>` - Select contacts that have an email address matching `<RegularExpression>`
-* `emailmatchpattern <RegularExpression> emailmatchtype work|home|other|<String>` - Select contacts that have an email address matching `<RegularExpression>` and a specific type
+* `emailmatchpattern <REMatchPattern>` - Select contacts that have an email address matching `<REMatchPattern>`
+* `emailmatchpattern <REMatchPattern> emailmatchtype work|home|other|<String>` - Select contacts that have an email address matching `<REMatchPattern>` and a specific type
 * `emailmatchpattern ".*" emailmatchtype work|home|other|<String>` - Select contacts that have any email address with a specific type
 * `updated_min <Date>` - Select contacts updated since `<Date>`

@@ -232,15 +234,15 @@ gam delete contacts <ContactEntity>|<ContactSelection>
 ## Clear old email addresses from contacts
 ```
 gam clear contacts <ContactEntity>|<ContactSelection>
-        [emailclearpattern <RegularExpression> [emailcleartype work|home|other|<String>]]
+        [emailclearpattern <REMatchPattern> [emailcleartype work|home|other|<String>]]
        [delete_cleared_contacts_with_no_emails]
 ```
-Typically, you would select contacts by `emailmatchpattern <RegularExpression>` (and optionally `emailmatchtype work|home|other|<String>`),
+Typically, you would select contacts by `emailmatchpattern <REMatchPattern>` (and optionally `emailmatchtype work|home|other|<String>`),
 then the matching email addresses will be cleared from the domiain contact's email list. The contact itself is updated, not deleted.
 Email addresses that don't match will be unaffected. If you want to clear all email addresses of a particular type,
 use `emailmatchpattern ".*" emailmatchtype work|home|other|<String>`.

-You can specify `emailclearpattern <RegularExpression>` (and optionally `emailcleartype work|home|other|<String>`) if you want to
+You can specify `emailclearpattern <REMatchPattern>` (and optionally `emailcleartype work|home|other|<String>`) if you want to
 clear email addresses other than the ones used to match the contacts or if you specify `<ContactEntity>`.

 A contact may contain no email addresses after matching email addresses are cleared. If you do not want to keep contacts with no
@@ -258,11 +260,13 @@ By default, the email type `work|home|other|<String>` is ignored, all duplicates
 will be deleted. If `matchtype` is true, only duplicate email addresses with the same type will be deleted.

 ## Manage domain contact photos
+Due to an API change by Google, only the `get contactphotos` command works; I've reported this
+to Google but they've done nothing to make `update|delete contactphotos` work.
 ```
-gam update contactphotos <ContactEntity>|<ContactSelection>
-        [drivedir|(sourcefolder <FilePath>)] [filename <FileNamePattern>]
 gam get contactphotos <ContactEntity>|<ContactSelection>
        [drivedir|(targetfolder <FilePath>)] [filename <FileNamePattern>]
+gam update contactphotos <ContactEntity>|<ContactSelection>
+        [drivedir|(sourcefolder <FilePath>)] [filename <FileNamePattern>]
 gam delete contactphotos <ContactEntity>|<ContactSelection>
 ```
 The default directory is the current working directory, `drivedir` specifies the value of drive_dir from gam.cfg and
@@ -306,26 +310,10 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

 ## Display global address list
-```
-gam info gal <ContactEntity>
-        [basic|full]
-        [fields <ContactFieldNameList>] [formatjson]
-gam show gal <ContactSelection>
-        [basic|full] [orderby <ContactOrderByFieldName> [ascending|descending]]
-        [fields <ContactFieldNameList>] [formatjson]
-```
-By default, Gam displays the information as an indented list of keys and values.
-* `formatjson` - Display the fields in JSON format.
-```
-gam print gal [todrive <ToDriveAttribute>*] <ContactSelection>
-        [basic|full] [orderby <ContactOrderByFieldName> [ascending|descending]]
-        [fields <ContactFieldNameList>] [formatjson [quotechar <Character>]]
-```
-By default, Gam displays the information as columns of fields.
-* `formatjson` - Display the fields in JSON format.
+As of mid-October 2024, Google deprecated the API that retrieved the Global Address List.

-By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
-the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
-When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
-The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
-`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+These commands are a work-around.
+```
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" redirect csv ./UserGAL.csv print users fields name,gal
+gam config csv_output_row_filter "includeInGlobalAddressList:boolean:true" batch_size 25 redirect csv ./GroupGAL.csv print groups fields name,gal
+```
--- a/wiki/Domains-Verification.md
+++ b/wiki/Domains-Verification.md
@@ -1,4 +1,4 @@
-!# Domains - Verification
+# Domains - Verification
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Introduction](#introduction)
@@ -7,8 +7,8 @@
 - [Display site verification information](#display-site-verification-information)

 ## API documentation
-* https://developers.google.com/site-verification/v1/getting_started
-* https://developers.google.com/site-verification/v1/
+* [Getting Sarted](https://developers.google.com/site-verification/v1/getting_started)
+* [Site Verification API](https://developers.google.com/site-verification/v1)

 ## Definitions
 ```
--- a/wiki/Domains.md
+++ b/wiki/Domains.md
@@ -1,4 +1,4 @@
-!# Domains
+# Domains
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Create a domain](#create-a-domain)
@@ -11,7 +11,7 @@
 - [Display domain aliases count](#display-domain-aliases-count)

 ## API documentation
-* https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains
+* [Directory API - Domains](https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains)

 ## Definitions
 ```
--- a/wiki/Downloads-Installs.md
+++ b/wiki/Downloads-Installs.md
@@ -1,7 +1,9 @@
-!# Downloads-Installs-GAM7
+# Downloads-Installs-GAM7
 You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
 Choose one of the following:

+## Executable, Automatic
+
 * Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
  - Start a terminal session and execute one of the following commands:
  - New install, default path `$HOME/bin`
@@ -16,26 +18,38 @@ Choose one of the following:
 By default, a folder, `gam7`, is created in the default or specified path and the files are downloaded into that folder.
 Add the `-s` option to the end of the above commands to suppress creating the `gam7` folder; the files are downloaded directly into the default or specified path.

+If, when executing one of the above commands, you get an error message stating that Python is not installed,
+go here [Python](https://www.python.org/downloads/) and download/install Python. When the installation is complete,
+start a new terminal session and reissue the command from above.
+
+## Executable, Manual
+
 * Executable Archive, Manual, Linux/Google Cloud Shell
  - `gam-7.wx.yz-linux-x86_64-glibc2.35.tar.xz`
-  - `gam-7.wx.yz-linux-x86_64-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-glibc2.39.tar.xz`
  - `gam-7.wx.yz-linux-x86_64-legacy.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

 * Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
-  - `gam-7.wx.yz-linux-aarch-glibc2.31.tar.xz`
-  - `gam-7.wx.yz-linux-aarch-legacy.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-glibc2.39.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-legacy.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

-* Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
-  - `gam-7.wx.yz-macos-aarch.tar.xz`
+* Executable Archive, Manual, Mac OS versions Sonoma, Sequoia - M1/M2
+  - `gam-7.wx.yz-macos14.7-arm64.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

-* Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
-  - `gam-7.wx.yz-macos-x86_64.tar.xz`
+* Executable Archive, Manual, Mac OS versions Sequoia - M3
+  - `gam-7.wx.yz-macos15.4-arm64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS, versions Ventura, Sonoma, Sequoia - Intel
+  - `gam-7.wx.yz-macos13.7-x86_64.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

@@ -49,6 +63,18 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
  - Download the installer and run it.
  - Start a Command Prompt/PowerShell session.

+* Executable Archive, Manual, Windows 11 ARM
+  - `gam-7.wx.yz-windows-arm64.zip`
+  - Download the archive, extract the contents into some directory.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 11 ARM
+  - `gam-7.wx.yz-windows-arm64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+## Source
+
 * Source, all platforms
  - `Source code(zip)`
  - `Source code(tar.gz)`
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Need more help? Ask on the [GAM Discussion Group](https://groups.google.com/forum/#!forum/google-apps-manager)`