Updated gam print group-members ... recursive and gam print cigroup-members ... recursive

checkconn now works from a base set of hosts and then builds it's full
list based on our discovery APIs and the host in their discovery document.

.github/actions/decrypt.sh

@@ -1,38 +1,19 @@
 #!/bin/sh
-credspath="$3"
+credspath="$1"
 if [ ! -d "$credspath" ]; then
     echo "creating ${credspath}"
     mkdir -p "$credspath"
 fi
-gpgfile="$1"
-if [ -f "$gpgfile" ]; then
-    echo "source file is ${gpgfile}"
+credsfile="${credspath}/oauth2.txt"
+echo "$oa2" > "$credsfile"
+echo "File size:"
+wc -c "$credsfile"
+echo "File type:"
+file "$credsfile"
+echo "Validation:"
+jq -e . "$credsfile" > /dev/null
+if [ $? -eq 0 ]; then
+  echo "Valid JSON"
 else
-    echo "ERROR: ${gpgfile} does not exist"
-    exit 1
+  echo "Invalid JSON"
 fi
-credsfile="$2"
-echo "target file is ${credsfile}"
-if [ -z ${PASSCODE+x} ]; then
-  echo "ERROR: PASSCODE is unset";
-  exit 2
-else
-  echo "PASSCODE is set";
-fi
-
-gpg --batch \
-    --yes \
-    --decrypt \
-    --passphrase="$PASSCODE" \
-    --output "$credsfile" \
-    "$gpgfile"
-
-if [[ "$RUNNER_OS" == "macOS" ]]; then
-  tar="gtar"
-else
-  tar="tar"
-fi
-
-"$tar" xlvvf "$credsfile" --directory "$credspath"
-rm -rvf "$gpgfile"
-rm -rvf "$credsfile"

.github/workflows/build.yml

@@ -22,12 +22,14 @@ defaults:
     working-directory: src
 
 env:
-  SCRATCH_COUNTER: 13
+  SCRATCH_COUNTER: 14
   OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
   OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
   OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
   PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
   PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
+  CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY: 1
+  CRYPTOGRAPHY_OPENSSL_NO_LEGACY: 1
 
 jobs:
   build:
@@ -39,79 +41,69 @@ jobs:
           - os: ubuntu-22.04
             jid: 1
             goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
+            name: Build Intel Ubuntu Jammy
           - os: ubuntu-24.04
             jid: 2
             goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
+            name: Build Intel Ubuntu Noble
           - os: ubuntu-24.04-arm
             jid: 3
             goal: build
-            arch: aarch64
-            openssl_archs: linux-aarch64
+            name: Build Arm Ubuntu Noble
           - os: ubuntu-22.04-arm
             jid: 4
             goal: build
-            arch: aarch64
-            openssl_archs: linux-aarch64
+            name: Build Arm Ubuntu Jammy
           - os: ubuntu-22.04
             jid: 5
             goal: build
-            arch: x86_64
-            openssl_archs: linux-x86_64
             staticx: yes
+            name: Build Intel StaticX Legacy
           - os: ubuntu-22.04-arm
             jid: 6
             goal: build
-            arch: aarch64
-            openssl_archs: linux-aarch64
             staticx: yes
+            name: Build Arm StaticX Legacy
           - os: macos-13
             jid: 7
             goal: build
-            arch: x86_64
-            openssl_archs: darwin64-x86_64
+            name: Build Intel MacOS
           - os: macos-14
             jid: 8
             goal: build
-            arch: aarch64
-            openssl_archs: darwin64-arm64
+            name: Build Arm MacOS 14
           - os: macos-15
             jid: 9
             goal: build
-            arch: aarch64
-            openssl_archs: darwin64-arm64
+            name: Build Arm MacOS 15
           - os: windows-2022
             jid: 10
             goal: build
-            arch: Win64
-            openssl_archs: VC-WIN64A
-          # disable 3.9 test for now since it's oldest and due
-          # for removal in Oct 2025. We only have 13 jid accounts
-          # so we need this one off but can re-enable at some point
-          # if we feel the need.
-          #- os: ubuntu-24.04
-          #  goal: test
-          #  python: "3.9"
-          #  jid: 11
-          #  arch: x86_64
+            name: Build Intel Windows
+          - os: windows-11-arm
+            jid: 11
+            goal: build
+            name: Build Arm Windows
           - os: ubuntu-24.04
             goal: test
             python: "3.10"
-            jid: 11
-            arch: x86_64
+            jid: 12
+            name: Test Python 3.10
           - os: ubuntu-24.04
             goal: test
             python: "3.11"
-            jid: 12
-            arch: x86_64
+            jid: 13
+            name: Test Python 3.11
           - os: ubuntu-24.04
             goal: test
             python: "3.12"
-            jid: 13
-            arch: x86_64
+            jid: 14
+            name: Test Python 3.12
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.14-dev"
+            jid: 15
+            name: Test Python 3.14-dev
 
     steps:
 
@@ -134,7 +126,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250408-01
+          key: gam-${{ matrix.jid }}-20250422
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -148,15 +140,25 @@ jobs:
         with:
           python-version: ${{ matrix.python }}
           allow-prereleases: true
+          check-latest: true
 
       - name: common variables for all runs
         env:
-          arch: ${{ matrix.arch }}
           JID: ${{ matrix.jid }}
           ACTIONS_CACHE: ${{ steps.cache-python-ssl.outputs.cache-hit }}
           ACTIONS_GOAL: ${{ matrix.goal }}
         run: |
-          echo "arch=${arch}" >> $GITHUB_ENV
+          case $RUNNER_ARCH in
+            X64)
+              echo "arch=x86_64" >> $GITHUB_ENV
+              ;;
+            ARM64)
+              echo "arch=arm64" >> $GITHUB_ENV
+              ;;
+            *)
+              echo "arch=${RUNNER_ARCH}" >> $GITHUB_ENV
+              ;;
+          esac 
           echo "JID=${JID}" >> $GITHUB_ENV
           echo "ACTIONS_CACHE=${ACTIONS_CACHE}" >> $GITHUB_ENV
           echo "ACTIONS_GOAL=${ACTIONS_GOAL}" >> $GITHUB_ENV
@@ -170,20 +172,12 @@ jobs:
           echo "curl_retry=${curl_retry}" >> $GITHUB_ENV
           # GAMCFGDIR should be recreated on every run
           GAMCFGDIR="${RUNNER_TEMP}/.gam"
-          if [ "$arch" == "Win64" ]; then
+          if [ "$RUNNER_OS" == "Windows" ]; then
             GAMCFGDIR=$(cygpath -u "$GAMCFGDIR")
           fi
           echo "GAMCFGDIR=${GAMCFGDIR}" >> $GITHUB_ENV
           echo "GAMCFGDIR is: ${GAMCFGDIR}"
-          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            GAMOS="macos"
-          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
-            GAMOS="linux"
-          elif [[ "${RUNNER_OS}" == "Windows" ]]; then
-            GAMOS="windows"
-          else
-           GAMOS='unknown'
-          fi
+          export GAMOS=$(echo "$RUNNER_OS" | tr '[:upper:]' '[:lower:]')
           echo "GAMOS=${GAMOS}" >> $GITHUB_ENV
           echo "GAMOS is: ${GAMOS}"
 
@@ -205,7 +199,7 @@ jobs:
         run: |
           echo "RUNNING: apt update..."
           sudo apt-get -qq --yes update
-          sudo apt-get -qq --yes install swig libpcsclite-dev libxslt1-dev libsqlite3-dev
+          sudo apt-get -qq --yes install swig libpcsclite-dev libxslt1-dev libsqlite3-dev libffi-dev pkg-config
 
       - name: MacOS install tools
         if: runner.os == 'macOS'
@@ -232,23 +226,15 @@ jobs:
         uses: ilammy/msvc-dev-cmd@v1
         if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         with:
-          arch: ${{ matrix.arch }}
+          arch: ${{ runner.arch }}
 
       - name: Set Env Variables for build
         if: matrix.goal == 'build'
         env:
-          openssl_archs: ${{ matrix.openssl_archs }}
           staticx: ${{ matrix.staticx }}
         run: |
           echo "We are running on ${RUNNER_OS}"
           LD_LIBRARY_PATH="${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib:/usr/local/lib"
-          if [[ "${arch}" == "Win64" ]]; then
-            PYEXTERNALS_PATH="amd64"
-            PYBUILDRELEASE_ARCH="x64"
-            GAM_ARCHIVE_ARCH="x86_64"
-            WIX_ARCH="x64"
-            CHOC_OPS=""
-          fi
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
             MAKE=make
             MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
@@ -266,9 +252,17 @@ jobs:
             MAKE=nmake
             MAKEOPT=""
             PERL="c:\strawberry\perl\bin\perl.exe"
+            if [[ "$RUNNER_ARCH" == "ARM64" ]]; then
+              PYEXTERNALS_PATH="arm64"
+              WIX_ARCH="arm64"
+              CHOC_OPS=""
+            elif [[ "$RUNNER_ARCH" == "X64" ]]; then
+              PYEXTERNALS_PATH="amd64"
+              WIX_ARCH="x64"
+              CHOC_OPS=""
+            fi
             LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}"
             echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}/python.exe" >> $GITHUB_ENV
-            echo "GAM_ARCHIVE_ARCH=${GAM_ARCHIVE_ARCH}" >> $GITHUB_ENV
             echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
           fi
           echo "We'll run make with: ${MAKEOPT}"
@@ -278,8 +272,6 @@ jobs:
           echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
           echo "PERL=${PERL}" >> $GITHUB_ENV
           echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV
-          echo "PYBUILDRELEASE_ARCH=${PYBUILDRELEASE_ARCH}" >> $GITHUB_ENV
-          echo "openssl_archs=${openssl_archs}" >> $GITHUB_ENV
 
       - name: Get latest stable OpenSSL source
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -293,29 +285,21 @@ jobs:
           git checkout "${LATEST_STABLE_TAG}"
           export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix
           echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            for openssl_arch in $openssl_archs; do
-              ssldir="${OPENSSL_SOURCE_PATH}-${openssl_arch}"
-              mkdir -v "${ssldir}"
-              cp -vrf ${OPENSSL_SOURCE_PATH}/* "${ssldir}/"
-            done
-            rm -vrf "${OPENSSL_SOURCE_PATH}"
-          else
-            mv -v "${OPENSSL_SOURCE_PATH}" "${OPENSSL_SOURCE_PATH}-${openssl_archs}"
-          fi
 
       - name: Windows NASM Install
         uses: ilammy/setup-nasm@v1
-        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
+        if: matrix.goal == 'build' && runner.os == 'Windows' && runner.arch == 'X64' && steps.cache-python-ssl.outputs.cache-hit != 'true'
 
       - name: Config OpenSSL
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
-          for openssl_arch in $openssl_archs; do
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-            # --libdir=lib is needed so Python can find OpenSSL libraries
-            "${PERL}" ./Configure "${openssl_arch}" --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
-          done
+          cd "${OPENSSL_SOURCE_PATH}"
+          # TODO: remove this once https://github.com/openssl/openssl/issues/26239 is fixed.
+          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+            export CFLAGS=-DNO_INTERLOCKEDOR64
+          fi
+          # --libdir=lib is needed so Python can find OpenSSL libraries
+          "${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
 
       - name: Rename GNU link on Windows
         if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -326,53 +310,29 @@ jobs:
       - name: Make OpenSSL
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
-          for openssl_arch in $openssl_archs; do
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-            $MAKE "${MAKEOPT}"
-          done
+          cd "${OPENSSL_SOURCE_PATH}"
+          # TODO: remove this once https://github.com/openssl/openssl/issues/26239 is fixed.
+          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+            export CFLAGS=-DNO_INTERLOCKEDOR64
+          fi
+          $MAKE "$MAKEOPT"
 
       - name: Install OpenSSL
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            for openssl_arch in $openssl_archs; do
-              cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
-              # install_sw saves us ages processing man pages :-)
-              $MAKE install_sw
-              mv -v "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
-            done
-            mkdir -vp "${OPENSSL_INSTALL_PATH}/lib"
-            mkdir -vp "${OPENSSL_INSTALL_PATH}/bin"
-            for archlib in libcrypto.3.dylib libssl.3.dylib libcrypto.a libssl.a; do
-              lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/lib/${archlib}" \
-                           "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/lib/${archlib}" \
-                   -output "${GITHUB_WORKSPACE}/bin/ssl/lib/${archlib}"
-            done
-            mv ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/include ${GITHUB_WORKSPACE}/bin/ssl/
-            lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/bin/openssl" \
-                         "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/bin/openssl" \
-                 -output "${GITHUB_WORKSPACE}/bin/ssl/bin/openssl"
-            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64
-            rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64
-          else
-            cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_archs}"
-            # install_sw saves us ages processing man pages :-)
-            $MAKE install_sw
-          fi
+          cd "${OPENSSL_SOURCE_PATH}"
+          # install_sw saves us ages processing man pages :-)
+          $MAKE install_sw
           if [[ "${RUNNER_OS}" != "Windows" ]]; then
             echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
           fi
           echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
-          case $arch in
-            universal2)
-              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64 ${CFLAGS}" >> $GITHUB_ENV
-              echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV
-              ;;
-            x86_64)
+          case $RUNNER_ARCH in
+            X64)
               echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
               echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
               ;;
-            aarch64)
+            ARM64)
               echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
               echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
               ;;
@@ -399,18 +359,12 @@ jobs:
         if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         run: |
           cd "${PYTHON_SOURCE_PATH}"
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            extra_args=( "--enable-universalsdk" "--with-universal-archs=universal2" )
-          else
-            extra_args=( )
-          fi
           ./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \
                       --prefix="${PYTHON_INSTALL_PATH}" \
                       --enable-shared \
                       --with-ensurepip=upgrade \
                       --enable-optimizations \
-                      --with-lto \
-                      "${extra_args[@]}" || : # exit 0
+                      --with-lto || : # exit 0
           cat config.log
 
       - name: Windows Get External Python deps
@@ -430,10 +384,15 @@ jobs:
           Remove-Item -recurse -force "${env:OPENSSL_EXT_PATH}*"
           # Emulate what this script does:
           # https://github.com/python/cpython/blob/main/PCbuild/openssl.vcxproj
-          $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:PYEXTERNALS_PATH}"
+          if (${env:RUNNER_ARCH} -eq "X64") {
+            $env:ossl_path = "amd64"
+          } elseif (${env:RUNNER_ARCH} -eq "ARM64") {
+            $env:ossl_path =  "arm64"
+          }
+          $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:ossl_path}"
           echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}"
           mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
-          Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE" -Verbose
+          Copy-Item -Path "${env:OPENSSL_SOURCE_PATH}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE"
           cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}"
           cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}"
           cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
@@ -454,8 +413,15 @@ jobs:
           cd "${env:PYTHON_SOURCE_PATH}"
           # We need out custom openssl.props which uses OpenSSL 3 DLL names
           Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\ -Verbose
-          echo "Building for ${env:PYBUILDRELEASE_ARCH}..."
-          PCBuild\build.bat -m --pgo -c Release -p "${env:PYBUILDRELEASE_ARCH}"
+          if (${env:RUNNER_ARCH} -eq "X64") {
+            $env:arch = "x64"
+            PCBuild\build.bat -c Release -p $env:arch --pgo
+          } elseif (${env:RUNNER_ARCH} -eq "ARM64") {
+            $env:arch =  "ARM64"
+            # TODO: figure out why Windows ARM64 isn't compat with PGO optimiazation
+            # causes 10-20% slowdown in Python
+            PCBuild\build.bat -c Release -p $env:arch
+          }
 
       - name: Mac/Linux Build Python
         if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -482,46 +448,43 @@ jobs:
       - name: Upgrade pip, wheel, etc
         run: |
           curl $curl_retry -O https://bootstrap.pypa.io/get-pip.py
-          "${PYTHON}" get-pip.py
-          "${PYTHON}" -m pip install --upgrade pip
-          "${PYTHON}" -m pip install --upgrade wheel
-          "${PYTHON}" -m pip install --upgrade setuptools
+          "$PYTHON" get-pip.py
+          "$PYTHON" -m pip install --upgrade pip
+          "$PYTHON" -m pip install --upgrade wheel
+          "$PYTHON" -m pip install --upgrade setuptools
+          "$PYTHON" -m pip install --upgrade importlib-metadata
+          "$PYTHON" -m pip install --upgrade setuptools-scm
+          "$PYTHON" -m pip list
+
+      - name: Custom wheels for Win arm64
+        if: runner.os == 'Windows' && runner.arch == 'ARM64'
+        run: |
+          latest_lxml_whl=$(curl https://api.github.com/repos/GAM-team/lxml-wheel/releases/latest -s | jq -r .assets.[0].browser_download_url)
+          echo "Downloading ${latest_lxml_whl}..."
+          curl -O -L "$latest_lxml_whl"
+          "$PYTHON" -m pip install lxml*.whl
+          latest_crypt_whl=$(curl https://api.github.com/repos/jay0lee/cryptography/releases/latest -s | jq -r .assets.[0].browser_download_url)
+          echo "Downloading ${latest_crypt_whl}..."
+          curl -O -L "$latest_crypt_whl"
+          "$PYTHON" -m pip install cryptography*.whl
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+     # - name: Compile cryptography from source (no legacy)
+     #   if: runner.os != 'Windows' || runner.arch != 'ARM64'
+     #   run: |
+     #     pip install --no-binary ":all:" --force cryptography
 
       - name: Install pip requirements
         run: |
           echo "before anything..."
-          "${PYTHON}" -m pip list
-          if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
-            # cffi is a dep of cryptography and doesn't ship
-            # a universal2 wheel so we must build one ourself :-/
-            export CFLAGS="-arch x86_64 -arch arm64"
-            export ARCHFLAGS="-arch x86_64 -arch arm64"
-            "${PYTHON}" -m pip install --upgrade --force-reinstall --no-binary :all: \
-                              --no-cache-dir --no-deps --use-pep517 \
-                              --use-feature=no-binary-enable-wheel-cache \
-                              cffi 
-            echo "before cryptography..."
-            "${PYTHON}" -m pip list
-            # cryptography has a universal2 wheel but getting it installed
-            # on x86-64 MacOS is a royal pain in the keester.
-            "${PYTHON}" -m pip download --only-binary :all: \
-                                          --dest . \
-                                          --no-cache \
-                                          --no-deps \
-                                          --platform macosx_10_15_universal2 \
-                                          cryptography
-            "${PYTHON}" -m pip install --force-reinstall --no-deps cryptography*.whl
-            echo "after cryptography..."
-            "${PYTHON}" -m pip list
-            "${PYTHON}" -m pip install --upgrade --no-binary :all: -r requirements.txt
-          else
-            "${PYTHON}" -m pip install --upgrade -r requirements.txt
-            echo "after requirements..."
-            "${PYTHON}" -m pip list
-            "${PYTHON}" -m pip install --force-reinstall --no-deps --upgrade cryptography
-          fi
+          "$PYTHON" -m pip list
+          "$PYTHON" -m pip install --upgrade -r requirements.txt
+          echo "after requirements..."
+          "$PYTHON" -m pip list
+          #"$PYTHON" -m pip install --force-reinstall --no-deps --upgrade cryptography
           echo "after everything..."
-          "${PYTHON}" -m pip list
+          "$PYTHON" -m pip list
 
       - name: Install PyInstaller
         if: matrix.goal == 'build'
@@ -534,14 +497,7 @@ jobs:
           # remove pre-compiled bootloaders so we fail if bootloader compile fails
           rm -rvf PyInstaller/bootloader/*-*/*
           cd bootloader
-          export PYINSTALLER_BUILD_ARGS=""
-          case "${arch}" in
-            "Win64")
-              export PYINSTALLER_BUILD_ARGS="--target-arch=64bit"
-              ;;
-          esac
-          echo "PyInstaller build arguments: ${PYINSTALLER_BUILD_ARGS}"
-          "${PYTHON}" ./waf all $PYINSTALLER_BUILD_ARGS
+          "${PYTHON}" ./waf all
           cd ..
           echo "---- Installing PyInstaller ----"
           "${PYTHON}" -m pip install .
@@ -652,14 +608,12 @@ jobs:
           echo "GAM Version ${GAMVERSION}"
           echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
 
-      - name: Configure service account auth
+      - name: Configure user and service account auth
         id: configserviceaccount
         env:
-          PASSCODE: ${{ secrets.PASSCODE }}
+          oa2: ${{ secrets[format('GAM_GHA_{0}', matrix.jid)] }}
         run: |
-          source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
-          mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
-          rm -v $GAMCFGDIR/oauth2.txt-gam*
+          ../.github/actions/decrypt.sh "${GAMCFGDIR}"
           $gam create signjwtserviceaccount
 
       - name: Upload gam.exe Windows for signing
@@ -707,22 +661,29 @@ jobs:
             else
               libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
             fi
-            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
+            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-${arch}-${libver}.tar.xz"
           fi
           echo "GAM Archive ${GAM_ARCHIVE}"
           tar -C "${gampath}/.." --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam7
 
-      - name: Windows package
+      - name: Install Wix on Win ARM64
+        if: runner.os == 'Windows' && runner.arch == 'ARM64'
+        run: |
+          choco install wixtoolset
+
+      - name: Windows package zip
         if: runner.os == 'Windows' && matrix.goal != 'test'
         run: |
           echo "started in $(pwd)"
           cd "${gampath}/.."
           echo "moved to $(pwd)"
-          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
+          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.zip"
           /c/Program\ Files/7-Zip/7z.exe a -tzip "$GAM_ARCHIVE" gam7 "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
-          cd ../..
-          echo "moved to $(pwd)"
-          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi"
+
+      - name: Windows package MSI
+        if: runner.os == 'Windows' && matrix.goal != 'test'
+        run: |
+          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.msi"
           # auto-generate a lib.wxs based on the files PyInstaller created for the lib/ directory
           /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/heat.exe dir "${gampath}/lib" -ke -srd -cg Lib -gg -dr lib -directoryid lib -out lib.wxs
           $PYTHON tools/gen-wix-xml-filelist.py lib.wxs

.github/workflows/pypi.yml

@@ -31,3 +31,5 @@ jobs:
 
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestation: true

pyproject.toml

@@ -7,19 +7,21 @@ authors = [
     { name="Jay Lee", email="jay0lee@gmail.com" },
     { name="Ross Scroggs", email="Ross.Scroggs@gmail.com" },
 ]
+# # The following files should be edited to match: setup.cfg, requirements.txt
 dependencies = [
-    "chardet",
-    "cryptography",
+    "chardet>=5.2.0",
+    "cryptography>=44.0.2",
     "distro; sys_platform=='linux'",
-    "filelock",
-    "google-api-python-client>=2.1",
-    "google-auth-httplib2",
-    "google-auth-oauthlib>=0.4.1",
-    "google-auth>=2.3.2",
-    "httplib2>=0.17.0",
-    "lxml",
-    "passlib>=1.7.2",
-    "pathvalidate",
+    "filelock>=3.18.0",
+    "google-api-python-client>=2.167.0",
+    "google-auth-httplib2>=0.2.0",
+    "google-auth-oauthlib>=1.2.2",
+    "google-auth>=2.39.0",
+    "httplib2>=0.22.0",
+    "lxml>=5.4.0",
+    "passlib>=1.7.4",
+    "pathvalidate>=3.2.3",
+    "pyscard==2.2.1",
     "python-dateutil",
 ]
 description = "CLI tool to manage Google Workspace"
@@ -39,7 +41,7 @@ license = {text = "Apache License (2.0)"}
 license-files = ["LICEN[CS]E*"]
 
 [project.optional-dependencies]
-yubikey = ["yubikey-manager>=5.0"]
+yubikey = ["yubikey-manager>=5.6.1"]
 
 [project.scripts]
 gam = "gam.__main__:main"

src/GamCommands.txt

@@ -322,7 +322,8 @@ If an item contains spaces, it should be surrounded by ".
         wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
         wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
         wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
-        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard |
+        wsflwplus | workspacefrontlineplus | workspacefrontlineworkerplus | 1010020034 | Google Workspace Frontline Plus
 
 ## Items built from primitives
 
@@ -782,7 +783,7 @@ Items, separated by spaces, with spaces, commas or single quotes in the items th
 
 ## Collections of ChromeOS Devices
 
-Specify a collection of ChromeOS devices by directly specifying them or by specifiying items that will yield a list of ChromeOS devices.
+Specify a collection of ChromeOS devices by directly specifying them or by specifying items that will yield a list of ChromeOS devices.
 
 <CrOSTypeEntity> ::=
         (all cros)|
@@ -865,7 +866,7 @@ Specify a collection of ChromeOS devices by directly specifying them or by speci
 
 ## Collections of Users
 
-Specify a collection of Users by directly specifying them or by specifiying items that will yield a list of users.
+Specify a collection of Users by directly specifying them or by specifying items that will yield a list of users.
 
 <UserTypeEntity> ::=
         (all users|users_ns|users_susp|users_ns_susp)|
@@ -1522,17 +1523,6 @@ gam print alias|aliases [todrive <ToDriveAttribute>*]
 
 gam whatis <EmailItem> [noinfo] [noinivitablecheck]
 
-# Analytics UA
-
-gam <UserTypeEntity> print analyticuaproperties [todrive <ToDriveAttribute>*]
-        accountid [accounts/]<String>
-        [maxresults <Integer>]
-        [formatjson [quotechar <Character>]]
-gam <UserTypeEntity> show analyticuaproperties
-        accountid [accounts/]<String>
-        [maxresults <Integer>]
-        [formatjson]
-
 # Analytics Admin
 
 gam <UserTypeEntity> print analyticaccounts [todrive <ToDriveAttribute>*]
@@ -4458,6 +4448,7 @@ gam report usage customer [todrive <ToDriveAttribute>*]
         domain|
         drive|doc|docs|
         gcp|
+        gemini|geminiforworkspace|
         groups|group|
         groupsenterprise|enterprisegroups|
         jamboard|

src/GamUpdate.txt

@@ -1,3 +1,66 @@
+7.06.13
+
+Updated `gam print group-members ... recursive` and `gam print cigroup-members ... recursive`
+to expand groups representing chat spaces.
+
+7.06.12
+
+Deleted commands to display Analytic UA properties; the API has been deprecated.
+```
+gam <UserTypeEntity> print|show analyticuaproperties
+```
+
+7.06.11
+
+Improved `gam checkconn`.
+
+Updated `gam print group-members` and `gam print cigroup-members` to recognize members
+that are groups representing chat spaces. For now, these groups are not expanded when
+`recursive` is specified.
+
+7.06.10
+
+Added the following license SKU.
+```
+1010020034 - Google Workspace Frontline Plus
+```
+
+7.06.09
+
+Added `gemini` and `geminiforworkspace` to `<ActivityApplicationName>` for use in
+`gam report <ActivityApplicationName>`.
+
+7.06.08
+
+Fixed problem where Yubikeys caused a trap.
+
+7.06.07
+
+Updated private key rotation progress messages in `gam create|use|update project`
+and `gam upload sakey`.
+
+Updated `gam use project` to display the following error message when the specifed project
+already has a service account.
+```
+Re-run the command specify a new service account name with: saname <ServiceAccountName>'
+```
+
+7.06.06
+
+Native support for Windows 11 Arm-based devices.
+
+Renamed some MacOS and Linux binary installer files to align on terminology. Everything is "arm64" now, no "aarch64".
+
+7.06.05
+
+Updated code in `gam delete|update chromepolicy` to handle the `policyTargetKey[additionalTargetKeys]`
+field in a more general manner for future use.
+
+7.06.04
+
+Fixed bug in `gam report <ActivityApplictionName>` where a report with no activities
+was not displaying any output.
+
 7.06.03
 
 Fixed bug in `gam <UserTypeEntity> print|show drivelastmodification` that caused a trap

src/gam-install.sh

@@ -8,7 +8,7 @@ GAM installation script.
 OPTIONS:
    -h      show help.
    -d      Directory where gam folder will be installed. Default is \$HOME/bin/
-   -a      Architecture to install (i386, x86_64, x86_64_legacy, arm, arm64). Default is to detect your arch with "uname -m".
+   -a      Architecture to install (x86_64, arm64). Default is to detect your arch with "uname -m".
    -o      OS we are running (linux, macos). Default is to detect your OS with "uname -s".
    -b      OS version. Default is to detect on MacOS and Linux.
    -l      Just upgrade GAM to latest version. Skips project creation and auth.
@@ -194,7 +194,7 @@ fi
 case $gamos in
   [lL]inux)
     gamos="linux"
-    download_urls=$(echo -e "$download_urls" | grep "\-linux-")
+    download_urls=$(echo -e "$download_urls" | grep -e "-linux-")
     if [ "$osversion" == "" ]; then
       this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
     else
@@ -203,7 +203,7 @@ case $gamos in
     echo "This Linux distribution uses glibc $this_glibc_ver"
     case $gamarch in
       x86_64)
-	download_urls=$(echo -e "$download_urls" | grep "\-x86_64-")
+	download_urls=$(echo -e "$download_urls" | grep -e "-x86_64-")
 	gam_x86_64_glibc_vers=$(echo -e "$download_urls" | \
 		grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' \
 	        | cut -c 6-9 )
@@ -218,7 +218,7 @@ case $gamos in
         download_url=$(echo -e "$download_urls" | grep "$useglibc")
 	;;
       arm|arm64|aarch64)
-        download_urls=$(echo -e "$download_urls" | grep "\-aarch64-")
+        download_urls=$(echo -e "$download_urls" | grep -e "-arm64-\|-aarch64-")
         gam_arm64_glibc_vers=$(echo -e "$download_urls" | \
                 grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' | \
                 cut -c 6-9)
@@ -243,13 +243,13 @@ case $gamos in
     # override osversion only if it wasn't set by cli arguments
     osversion=${osversion:-${currentversion}}
     # override osversion only if it wasn't set by cli arguments
-    download_urls=$(echo -e "$download_urls" | grep "\-macos")
+    download_urls=$(echo -e "$download_urls" | grep -e "-macos")
     case $gamarch in
       x86_64)
-        archgrep="\-x86_64"
+        archgrep="-x86_64"
 	;;
       arm|arm64|aarch64)
-        archgrep="\-aarch64"
+        archgrep="-arm64\|-aarch64"
         ;;
       *)
         echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on ${gamarch}. Exiting."
@@ -257,13 +257,13 @@ case $gamos in
 	;;
     esac
     gam_macos_urls=$(echo -e "$download_urls" | \
-                     grep "$archgrep")
+                     grep -e $archgrep)
     versionless_urls=$(echo -e "$gam_macos_urls" | \
-                       grep "\-macos-")
+                       grep -e "-macos-")
     if [ "$versionless_urls" == "" ]; then
         # versions after 7.00.38 include MacOS version info
         gam_macos_vers=$(echo -e "$gam_macos_urls" | \
-                         grep --only-matching '\-macos[0-9\.]*' | \
+                         grep --only-matching -e '-macos[0-9\.]*' | \
                          cut -c 7-10)
         for gam_mac_ver in $gam_macos_vers; do
             if version_gt $currentversion $gam_mac_ver; then
@@ -281,13 +281,12 @@ case $gamos in
         case $gamarch in
             x86_64)
 	        minimum_version=13
-                download_url=$(echo -e "$download_urls" | grep "\-x86_64")
                 ;;
             arm|arm64|aarch64)
-                download_url=$(echo -e "$download_urls" | grep "\-aarch64")
 	        minimum_version=14
                 ;;
         esac
+        download_url=$(echo -e "$download_urls" | grep -e $archgrep)
         if version_gt "$osversion" "$minimum_version"; then
             echo_green "You are running MacOS ${osversion}, good. Downloading GAM from ${download_url}."
         else
@@ -304,7 +303,7 @@ case $gamos in
     gamos="windows"
     echo "You are running Windows"
     download_url=$(echo -e "$download_urls" | \
-                   grep "\-windows-" | \
+                   grep -e "-windows-" | \
                    grep ".zip")
     ;;
   *)

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.06.03'
+__version__ = '7.06.13'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -95,6 +95,8 @@ import wsgiref.simple_server
 import wsgiref.util
 import zipfile
 
+# disable legacy stuff we don't use and isn't secure
+os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = "1"
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
@@ -5979,7 +5981,7 @@ def getCIGroupMemberRoleFixType(member):
     else:
       member['type'] = Ent.TYPE_OTHER
   roles = {}
-  memberRoles = member.get('roles', [{'name': Ent.MEMBER}])
+  memberRoles = member.get('roles', [{'name': Ent.ROLE_MEMBER}])
   for role in memberRoles:
     roles[role['name']] = role
   for a_role in [Ent.ROLE_OWNER, Ent.ROLE_MANAGER, Ent.ROLE_MEMBER]:
@@ -6017,7 +6019,7 @@ def getCIGroupTransitiveMemberRoleFixType(groupName, tmember):
         trole['name'] = Ent.ROLE_MANAGER
       memberRoles.append(trole)
   else:
-    memberRoles = [{'name': Ent.MEMBER}]
+    memberRoles = [{'name': Ent.ROLE_MEMBER}]
   roles = {}
   for role in memberRoles:
     roles[role['name']] = role
@@ -9358,32 +9360,9 @@ def getOSPlatform():
 
 # gam checkconnection
 def doCheckConnection():
-  hosts = ['api.github.com',
-           'raw.githubusercontent.com',
-           'accounts.google.com',
-           'workspace.google.com',
-           'oauth2.googleapis.com',
-           'www.googleapis.com']
-  fix_hosts = {'calendar-json.googleapis.com': 'www.googleapis.com',
-               'storage-api.googleapis.com': 'storage.googleapis.com'}
-  api_hosts = ['apps-apis.google.com',
-               'sites.google.com',
-               'versionhistory.googleapis.com',
-               'www.google.com']
-  for host in API.PROJECT_APIS:
-    host = fix_hosts.get(host, host)
-    if host not in api_hosts and host not in hosts:
-      api_hosts.append(host)
-  hosts.extend(sorted(api_hosts))
-  host_count = len(hosts)
-  httpObj = getHttpObj(timeout=30)
-  httpObj.follow_redirects = False
-  headers = {'user-agent': GAM_USER_AGENT}
-  okay = createGreenText('OK')
-  not_okay = createRedText('ERROR')
-  try_count = 0
-  success_count = 0
-  for host in hosts:
+
+  def check_host(host):
+    nonlocal try_count, okay, not_okay, success_count
     try_count += 1
     dns_err = None
     ip = 'unknown'
@@ -9393,12 +9372,12 @@ def doCheckConnection():
       dns_err = f'{not_okay}\n   DNS failure: {str(e)}\n'
     except Exception as e:
       dns_err = f'{not_okay}\n   Unknown DNS failure: {str(e)}\n'
-    check_line = f'Checking {host} ({ip}) ({try_count}/{host_count})...'
+    check_line = f'Checking {host} ({ip}) ({try_count})...'
     writeStdout(f'{check_line:<100}')
     flushStdout()
     if dns_err:
       writeStdout(dns_err)
-      continue
+      return
     gen_firewall = 'You probably have security software or a firewall on your machine or network that is preventing GAM from making Internet connections. Check your network configuration or try running GAM on a hotspot or home network to see if the problem exists only on your organization\'s network.'
     try:
       if host.startswith('http'):
@@ -9427,7 +9406,54 @@ def doCheckConnection():
       writeStdout(f'{not_okay}\n    Timed out trying to connect to host\n')
     except Exception as e:
       writeStdout(f'{not_okay}\n    {str(e)}\n')
-  if success_count == host_count:
+
+  try_count = 0
+  httpObj = getHttpObj(timeout=30)
+  httpObj.follow_redirects = False
+  headers = {'user-agent': GAM_USER_AGENT}
+  okay = createGreenText('OK')
+  not_okay = createRedText('ERROR')
+  success_count = 0
+  initial_hosts = ['api.github.com',
+           'raw.githubusercontent.com',
+           'accounts.google.com',
+           'oauth2.googleapis.com',
+           'www.googleapis.com']
+  for host in initial_hosts:
+    check_host(host)
+  api_hosts = ['apps-apis.google.com',
+               'www.google.com']
+  for host in api_hosts:
+    check_host(host)
+  # For v2 discovery APIs, GAM gets discovery file from <api>.googleapis.com so
+  # add those domains.
+  disc_hosts = []
+  for api, config in API._INFO.items():
+    if config.get('v2discovery') and not config.get('localdiscovery'):
+      if mapped_api := config.get('mappedAPI'):
+        api = mapped_api
+      host = f'{api}.googleapis.com'
+      if host not in disc_hosts:
+        disc_hosts.append(host)
+  for host in disc_hosts:
+    check_host(host)
+  checked_hosts = initial_hosts + api_hosts + disc_hosts
+  # now we need to "build" each API and check it's base URL host
+  # if we haven't already. This may not be any hosts at all but
+  # to ensure we are checking all hosts GAM may use we should
+  # keep this.
+  for api in API._INFO:
+    if api in [API.CONTACTS, API.EMAIL_AUDIT]:
+      continue
+    svc = getService(api, httpObj)
+    base_url = svc._rootDesc.get('baseUrl')
+    parsed_base_url = urlparse(base_url)
+    base_host = parsed_base_url.netloc
+    if base_host not in checked_hosts:
+      writeStdout(f'Checking {base_host} for {api}\n')
+      check_host(base_host)
+      checked_hosts.append(base_host)
+  if success_count == try_count:
     writeStdout(createGreenText('All hosts passed!\n'))
   else:
     systemErrorExit(3, createYellowText('Some hosts failed to connect! Please follow the recommendations for those hosts to correct any issues and try again.'))
@@ -11384,25 +11410,26 @@ def _waitForSvcAcctCompletion(i):
     sys.stdout.write(Msg.WAITING_FOR_ITEM_CREATION_TO_COMPLETE_SLEEPING.format(Ent.Singular(Ent.SVCACCT), sleep_time))
   time.sleep(sleep_time)
 
-def _grantRotateRights(iam, projectId, service_account, email, account_type='serviceAccount'):
+def _grantRotateRights(iam, projectId, service_account, account_type='serviceAccount'):
   body = {'policy': {'bindings': [{'role': 'roles/iam.serviceAccountKeyAdmin',
-                                   'members': [f'{account_type}:{email}']}]}}
+                                   'members': [f'{account_type}:{service_account}']}]}}
   maxRetries = 10
-  printEntityMessage([Ent.PROJECT, projectId, Ent.SVCACCT, email],
-                     Msg.HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY.format(email, service_account))
+  kvList = [Ent.PROJECT, projectId, Ent.SVCACCT, service_account]
+  printEntityMessage(kvList, Msg.GRANTING_RIGHTS_TO_ROTATE_ITS_OWN_PRIVATE_KEY.format('Granting'))
   for retry in range(1, maxRetries+1):
     try:
       callGAPI(iam.projects().serviceAccounts(), 'setIamPolicy',
                throwReasons=[GAPI.INVALID_ARGUMENT],
                resource=f'projects/{projectId}/serviceAccounts/{service_account}', body=body)
+      printEntityMessage(kvList, Msg.GRANTING_RIGHTS_TO_ROTATE_ITS_OWN_PRIVATE_KEY.format('Granted'))
       return True
     except GAPI.invalidArgument as e:
-      entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, service_account], str(e))
+      entityActionFailedWarning(kvList, str(e))
       if 'does not exist' not in str(e) or retry == maxRetries:
         return False
       _waitForSvcAcctCompletion(retry)
     except Exception as e:
-      entityActionFailedWarning([Ent.PROJECT, projectId, Ent.SVCACCT, service_account], str(e))
+      entityActionFailedWarning(kvList, str(e))
       return False
 
 def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True):
@@ -11420,6 +11447,7 @@ def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True)
     return False
   except GAPI.alreadyExists as e:
     entityActionFailedWarning([Ent.PROJECT, projectInfo['projectId'], Ent.SVCACCT, svcAcctInfo['name']], str(e))
+    writeStderr(Msg.RERUN_THE_COMMAND_AND_SPECIFY_A_NEW_SANAME)
     return False
   GM.Globals[GM.SVCACCT_SCOPES_DEFINED] = False
   if create_key and not doProcessSvcAcctKeys(mode='retainexisting', iam=iam,
@@ -11428,7 +11456,7 @@ def _createOauth2serviceJSON(httpObj, projectInfo, svcAcctInfo, create_key=True)
                                              clientId=service_account['uniqueId']):
     return False
   sa_email = service_account['name'].rsplit('/', 1)[-1]
-  return _grantRotateRights(iam, projectInfo['projectId'], sa_email, sa_email)
+  return _grantRotateRights(iam, projectInfo['projectId'], sa_email)
 
 def _createClientSecretsOauth2service(httpObj, login_hint, appInfo, projectInfo, svcAcctInfo, create_key=True):
   def _checkClientAndSecret(csHttpObj, client_id, client_secret):
@@ -11921,9 +11949,7 @@ def doUpdateProject():
       continue
     iam = getAPIService(API.IAM, httpObj)
     _getSvcAcctData() # needed to read in GM.OAUTH2SERVICE_JSON_DATA
-    _grantRotateRights(iam, projectId,
-                       GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_email'],
-                       GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_email'])
+    _grantRotateRights(iam, projectId, GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_email'])
   Ind.Decrement()
 
 # gam delete project [[admin] <EmailAddress>] [<ProjectIDEntity>]
@@ -12786,7 +12812,7 @@ def doUploadSvcAcctKeys():
   iam = getAPIService(API.IAM, httpObj)
   if doProcessSvcAcctKeys(mode='upload', iam=iam):
     sa_email = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_email']
-    _grantRotateRights(iam, GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['project_id'], sa_email, sa_email)
+    _grantRotateRights(iam, GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['project_id'], sa_email)
     sys.stdout.write(Msg.YOUR_GAM_PROJECT_IS_CREATED_AND_READY_TO_USE)
 
 # gam delete sakeys <ServiceAccountKeyList>
@@ -13491,6 +13517,8 @@ REPORT_CHOICE_MAP = {
   'drive': 'drive',
   'enterprisegroups': 'groups_enterprise',
   'gcp': 'gcp',
+  'gemini': 'gemini_for_workspace',
+  'geminiforworkspace': 'gemini_for_workspace',
   'gplus': 'gplus',
   'google+': 'gplus',
   'group': 'groups',
@@ -13788,6 +13816,20 @@ def doReport():
         csvPF.WriteRow(row)
     return (True, lastDate)
 
+  # dynamically extend our choices with other reports Google dynamically adds
+  rep = buildGAPIObject(API.REPORTS)
+  dyn_choices = rep._rootDesc \
+          .get('resources', {}) \
+          .get('activities', {}) \
+          .get('methods', {}) \
+          .get('list', {}) \
+          .get('parameters', {}) \
+          .get('applicationName', {}) \
+          .get('enum', [])
+  for dyn_choice in dyn_choices:
+    if dyn_choice.replace('_', '') not in REPORT_CHOICE_MAP and \
+       dyn_choice not in REPORT_CHOICE_MAP.values():
+      REPORT_CHOICE_MAP[dyn_choice.replace('_', '')] = dyn_choice
   report = getChoice(REPORT_CHOICE_MAP, mapChoice=True)
   if report == 'usage':
     doReportUsage()
@@ -13795,7 +13837,6 @@ def doReport():
   if report == 'usageparameters':
     doReportUsageParameters()
     return
-  rep = buildGAPIObject(API.REPORTS)
   customerId = GC.Values[GC.CUSTOMER_ID]
   if customerId == GC.MY_CUSTOMER:
     customerId = None
@@ -14145,6 +14186,7 @@ def doReport():
       startDateTime += oneDay
     csvPF.writeCSVfile(f'Customer Report - {tryDate}')
   else: # activityReports
+    csvPF.SetTitles('name')
     if addCSVData:
       csvPF.AddTitles(sorted(addCSVData.keys()))
     if select:
@@ -14303,8 +14345,7 @@ def doReport():
         row = {'name': 'NoActivities'}
         if addCSVData:
           row.update(addCSVData)
-          csvPF.WriteRowTitles(row)
-      csvPF.SetSortTitles(['name'])
+        csvPF.WriteRowTitles(row)
     else:
       if eventRowFilter:
         csvPF.SetRowFilter([], GC.Values[GC.CSV_OUTPUT_ROW_FILTER_MODE])
@@ -15763,27 +15804,13 @@ ANALYTIC_ENTITY_MAP = {
      'pageSize': 50,
      'maxPageSize': 200,
      },
-  Ent.ANALYTIC_UA_PROPERTY:
-    {'titles': ['User', 'accountId', 'name', 'id', 'created', 'updated'],
-     'JSONtitles': ['User', 'accountId', 'name', 'id', 'JSON'],
-     'timeObjects': ['created', 'updated'],
-     'items': 'items',
-     'pageSize': 50,
-     'maxPageSize': 200,
-     },
   }
 
 def printShowAnalyticItems(users, entityType):
   analyticEntityMap = ANALYTIC_ENTITY_MAP[entityType]
   csvPF = CSVPrintFile(analyticEntityMap['titles'], 'sortall') if Act.csvFormat() else None
   FJQC = FormatJSONQuoteChar(csvPF)
-  if entityType != Ent.ANALYTIC_UA_PROPERTY:
-    kwargs = {'pageSize': analyticEntityMap['pageSize']}
-    api = API.ANALYTICS_ADMIN
-  else:
-#    kwargs = {'webPropertyId': '~all'}
-    kwargs = {}
-    api = API.ANALYTICS
+  kwargs = {'pageSize': analyticEntityMap['pageSize']}
   if entityType in {Ent.ANALYTIC_ACCOUNT, Ent.ANALYTIC_PROPERTY}:
     kwargs['showDeleted'] = False
   while Cmd.ArgumentsRemaining():
@@ -15796,16 +15823,12 @@ def printShowAnalyticItems(users, entityType):
       kwargs['showDeleted'] = getBoolean()
     elif entityType == Ent.ANALYTIC_PROPERTY and myarg == 'filter':
       kwargs['filter'] = getString(Cmd.OB_STRING)
-    elif entityType == Ent.ANALYTIC_UA_PROPERTY and myarg == 'accountid':
-      kwargs['accountId'] = getString(Cmd.OB_STRING).replace('accounts/', '')
     elif entityType == Ent.ANALYTIC_DATASTREAM and myarg == 'parent':
       kwargs['parent'] = getString(Cmd.OB_STRING)
     else:
       FJQC.GetFormatJSONQuoteChar(myarg, True)
   if entityType == Ent.ANALYTIC_PROPERTY and 'filter' not in kwargs:
     missingArgumentExit('filter')
-  if entityType == Ent.ANALYTIC_UA_PROPERTY and 'accountId' not in kwargs:
-    missingArgumentExit('accountid')
   if entityType == Ent.ANALYTIC_DATASTREAM and 'parent' not in kwargs:
     missingArgumentExit('parent')
   if csvPF and FJQC.formatJSON:
@@ -15813,7 +15836,7 @@ def printShowAnalyticItems(users, entityType):
   i, count, users = getEntityArgument(users)
   for user in users:
     i += 1
-    user, analytics = buildGAPIServiceObject(api, user, i, count)
+    user, analytics = buildGAPIServiceObject(API.ANALYTICS_ADMIN, user, i, count)
     if not analytics:
       continue
     if entityType == Ent.ANALYTIC_ACCOUNT:
@@ -15822,11 +15845,8 @@ def printShowAnalyticItems(users, entityType):
       service = analytics.accountSummaries()
     elif entityType == Ent.ANALYTIC_DATASTREAM:
       service = analytics.properties().dataStreams()
-    elif entityType == Ent.ANALYTIC_PROPERTY:
+    else: #  entityType == Ent.ANALYTIC_PROPERTY:
       service = analytics.properties()
-    else: #Ent.ANALYTIC_UA_PROPERTY:
-      service = analytics.management().webproperties()
-#      service = analytics.management().profiles()
     if csvPF:
       printGettingAllEntityItemsForWhom(entityType, user, i, count)
       pageMessage = getPageMessageForWhom()
@@ -15867,10 +15887,7 @@ def printShowAnalyticItems(users, entityType):
         if not FJQC.formatJSON:
           csvPF.WriteRowTitles(row)
         elif csvPF.CheckRowTitles(row):
-          if entityType != Ent.ANALYTIC_UA_PROPERTY:
-            row = {'User': user, 'name': item['name'], 'displayName': item['displayName']}
-          else:
-            row = {'User': user, 'accountId': item['accountId'], 'id': item['id'], 'name': item['name']}
+          row = {'User': user, 'name': item['name'], 'displayName': item['displayName']}
           for field in analyticEntityMap['JSONtitles'][2:-1]:
             row[field] = item[field]
           row['JSON'] = json.dumps(cleanJSON(item, timeObjects=analyticEntityMap['timeObjects']),
@@ -15908,17 +15925,6 @@ def printShowAnalyticAccountSummaries(users):
 def printShowAnalyticProperties(users):
   printShowAnalyticItems(users, Ent.ANALYTIC_PROPERTY)
 
-# gam <UserTypeEntity> print analyticuaproperties [todrive <ToDriveAttribute>*]
-#	accountid [accounts/]<String>
-#	[maxresults <Integer>]
-#	[formatjson [quotechar <Character>]]
-# gam <UserTypeEntity> show analyticuaproperties
-#	accountid [accounts/]<String>
-#	[maxresults <Integer>]
-#	[formatjson]
-def printShowAnalyticUAProperties(users):
-  printShowAnalyticItems(users, Ent.ANALYTIC_UA_PROPERTY)
-
 # gam <UserTypeEntity> print analyticdatastreams [todrive <ToDriveAttribute>*]
 #	parent <String>
 #	[maxresults <Integer>]
@@ -26472,6 +26478,64 @@ def _getChatMemberEmail(cd, member):
     _, memberUid = member['groupMember']['name'].split('/')
     member['groupMember']['email'], _ = convertUIDtoEmailAddressWithType(f'uid:{memberUid}', cd, None, emailTypes=['group'])
 
+def _getChatSpaceMembers(cd, chatSpace, ciGroupName):
+  if chatSpace.startswith('space/'):
+    _, chatSpace = chatSpace.split('/', 1)
+    chatSpace = 'spaces/'+chatSpace
+  kwargsUAA = {'useAdminAccess': True, 'filter': 'member.type != "BOT"'}
+  user, chat, kvList = buildChatServiceObject(API.CHAT_MEMBERSHIPS_ADMIN, _getAdminEmail(), 0, 0, [Ent.CHAT_SPACE, chatSpace], True)
+  memberList = []
+  if not chat:
+    return memberList
+  fields = getItemFieldsFromFieldsList('memberships', [])
+  qfilter = f'{Ent.Singular(Ent.CHAT_SPACE)}: {chatSpace}, {kwargsUAA["filter"]}'
+  try:
+    members = callGAPIpages(chat.spaces().members(), 'list', 'memberships',
+                            pageMessage=_getChatPageMessage(Ent.CHAT_MEMBER, user, 0, 0, qfilter),
+                            throwReasons=[GAPI.NOT_FOUND, GAPI.INVALID_ARGUMENT, GAPI.PERMISSION_DENIED],
+                            retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
+                            parent=chatSpace, fields=fields, pageSize=CHAT_PAGE_SIZE, **kwargsUAA)
+    for member in members:
+      _getChatMemberEmail(cd, member)
+      gmember = {}
+      if 'member' in member:
+        if member['member']['type'] == 'HUMAN':
+          _, memberUid = member['member']['name'].split('/')
+          gmember['type'] = Ent.TYPE_USER
+          email, _ = convertUIDtoEmailAddressWithType(f'uid:{memberUid}', cd, None, emailTypes=['user'])
+          role = Ent.ROLE_MANAGER if member['role'] == 'ROLE_MANAGER' else Ent.ROLE_MEMBER
+          if not ciGroupName:
+            gmember['id'] = memberUid
+            gmember['email'] = email
+            gmember['role'] = role
+            gmember['status'] = member['state']
+          else:
+            gmember['name'] = f'{ciGroupName}/memberships/{memberUid}'
+            gmember['preferredMemberKey'] = {'id': email}
+            gmember['roles'] = [{'name': role}]
+            gmember['createTime'] = member['createTime']
+          memberList.append(gmember)
+      elif 'groupMember' in member:
+        _, memberUid = member['groupMember']['name'].split('/')
+        gmember['type'] = Ent.TYPE_GROUP
+        role = Ent.ROLE_MANAGER if member['role'] == 'ROLE_MANAGER' else Ent.ROLE_MEMBER
+        email, _ = convertUIDtoEmailAddressWithType(f'uid:{memberUid}', cd, None, emailTypes=['group'])
+        if not ciGroupName:
+          gmember['id'] = memberUid
+          gmember['email'] = email
+          gmember['role'] = role
+          gmember['status'] = member['state']
+        else:
+          gmember['name'] = f'{ciGroupName}/memberships/{memberUid}'
+          gmember['preferredMemberKey'] = {'id': email}
+          gmember['roles'] = [{'name': role}]
+          gmember['createTime'] = member['createTime']
+        memberList.append(gmember)
+    return memberList
+  except (GAPI.notFound, GAPI.invalidArgument, GAPI.permissionDenied) as e:
+    exitIfChatNotConfigured(chat, kvList, str(e), 0, 0)
+    return memberList
+
 def normalizeUserMember(user, userList):
   userList.append(normalizeEmailAddressOrUID(user))
 
@@ -28090,10 +28154,12 @@ def updatePolicyRequests(body, targetResource, printer_id, app_id):
   for request in body['requests']:
     request.setdefault('policyTargetKey', {})
     request['policyTargetKey']['targetResource'] = targetResource
-    if app_id:
-      request['policyTargetKey']['additionalTargetKeys'] = {'app_id': app_id}
-    elif printer_id:
-      request['policyTargetKey']['additionalTargetKeys'] = {'printer_id': printer_id}
+    if app_id or printer_id:
+      request['policyTargetKey'].setdefault('additionalTargetKeys', {})
+      if app_id:
+        request['policyTargetKey']['additionalTargetKeys']['app_id'] = app_id
+      elif printer_id:
+        request['policyTargetKey']['additionalTargetKeys']['printer_id'] = printer_id
 
 # gam delete chromepolicy
 #	(<SchemaName> [<JSONData>])+
@@ -28126,9 +28192,9 @@ def doDeleteChromePolicy():
       if checkArgumentPresent('json'):
         jsonData = getJSON(['direct', 'name', 'orgUnitPath', 'parentOrgUnitPath', 'group'])
         if 'additionalTargetKeys' in jsonData:
-          body['requests'][-1].setdefault('policyTargetKey', {})
+          body['requests'][-1].setdefault('policyTargetKey', {'additionalTargetKeys': {}})
           for atk in jsonData['additionalTargetKeys']:
-            body['requests'][-1]['policyTargetKey']['additionalTargetKeys'] = {atk['name']: atk['value']}
+            body['requests'][-1]['policyTargetKey']['additionalTargetKeys'][atk['name']] = atk['value']
   checkPolicyArgs(targetResource, printer_id, app_id)
   count = len(body['requests'])
   if count != 1:
@@ -28281,9 +28347,9 @@ def doUpdateChromePolicy():
           jsonData = getJSON(['direct', 'name', 'orgUnitPath', 'parentOrgUnitPath', 'group'])
           schemaNameAppId = schemaName
           if 'additionalTargetKeys' in jsonData:
-            body['requests'][-1].setdefault('policyTargetKey', {})
+            body['requests'][-1].setdefault('policyTargetKey', {'additionalTargetKeys': {}})
             for atk in jsonData['additionalTargetKeys']:
-              body['requests'][-1]['policyTargetKey']['additionalTargetKeys'] = {atk['name']: atk['value']}
+              body['requests'][-1]['policyTargetKey']['additionalTargetKeys'][atk['name']] = atk['value']
               if atk['name'] == 'app_id':
                 schemaNameAppId += f"({atk['value']})"
           schemaNameList[-1] = schemaNameAppId
@@ -34130,15 +34196,18 @@ def getGroupMembers(cd, groupEmail, memberRoles, membersList, membersSet, i, cou
 
   printGettingAllEntityItemsForWhom(memberRoles if memberRoles else Ent.ROLE_MANAGER_MEMBER_OWNER, groupEmail, i, count)
   validRoles, listRoles, listFields = _getRoleVerification(memberRoles, 'nextPageToken,members(email,id,role,status,type,delivery_settings)')
-  try:
-    groupMembers = callGAPIpages(cd.members(), 'list', 'members',
-                                 pageMessage=getPageMessageForWhom(),
-                                 throwReasons=GAPI.MEMBERS_THROW_REASONS, retryReasons=GAPI.MEMBERS_RETRY_REASONS,
-                                 includeDerivedMembership=memberOptions[MEMBEROPTION_INCLUDEDERIVEDMEMBERSHIP],
-                                 groupKey=groupEmail, roles=listRoles, fields=listFields, maxResults=GC.Values[GC.MEMBER_MAX_RESULTS])
-  except (GAPI.groupNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis, GAPI.invalid, GAPI.forbidden, GAPI.serviceNotAvailable):
-    entityUnknownWarning(Ent.GROUP, groupEmail, i, count)
-    return
+  if not groupEmail.startswith('space/'):
+    try:
+      groupMembers = callGAPIpages(cd.members(), 'list', 'members',
+                                   pageMessage=getPageMessageForWhom(),
+                                   throwReasons=GAPI.MEMBERS_THROW_REASONS, retryReasons=GAPI.MEMBERS_RETRY_REASONS,
+                                   includeDerivedMembership=memberOptions[MEMBEROPTION_INCLUDEDERIVEDMEMBERSHIP],
+                                   groupKey=groupEmail, roles=listRoles, fields=listFields, maxResults=GC.Values[GC.MEMBER_MAX_RESULTS])
+    except (GAPI.groupNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis, GAPI.invalid, GAPI.forbidden, GAPI.serviceNotAvailable):
+      entityUnknownWarning(Ent.GROUP, groupEmail, i, count)
+      return
+  else:
+    groupMembers =  _getChatSpaceMembers(cd, groupEmail, '')
   checkCategory = memberDisplayOptions['showCategory']
   if not memberOptions[MEMBEROPTION_RECURSIVE]:
     if memberOptions[MEMBEROPTION_NODUPLICATES]:
@@ -36243,7 +36312,7 @@ def getCIGroupTransitiveMembers(ci, groupName, membersList, i, count):
   return True
 
 def getCIGroupMembers(ci, groupName, memberRoles, membersList, membersSet, i, count,
-                      memberOptions, memberDisplayOptions, level, typesSet, groupEmail, kwargs):
+                      memberOptions, memberDisplayOptions, level, typesSet, groupEmail, kwargs, cd):
   nameToPrint = groupEmail if groupEmail else groupName
   printGettingAllEntityItemsForWhom(memberRoles if memberRoles else Ent.ROLE_MANAGER_MEMBER_OWNER, nameToPrint, i, count)
   validRoles = _getCIRoleVerification(memberRoles)
@@ -36256,16 +36325,21 @@ def getCIGroupMembers(ci, groupName, memberRoles, membersList, membersSet, i, co
         if member['type'] in typesSet and checkCIMemberMatch(member, memberOptions):
           membersList.append(member)
     return
-  try:
-    groupMembers = callGAPIpages(ci.groups().memberships(), 'list', 'memberships',
-                                 pageMessage=getPageMessageForWhom(),
-                                 throwReasons=GAPI.CIGROUP_LIST_THROW_REASONS, retryReasons=GAPI.CIGROUP_RETRY_REASONS,
-                                 parent=groupName, **kwargs)
-  except (GAPI.resourceNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis,
-          GAPI.forbidden, GAPI.badRequest, GAPI.invalid, GAPI.invalidArgument, GAPI.systemError,
-          GAPI.permissionDenied, GAPI.serviceNotAvailable):
-    entityUnknownWarning(Ent.CLOUD_IDENTITY_GROUP, nameToPrint, i, count)
-    return
+  if not groupEmail.startswith('space/'):
+    try:
+      groupMembers = callGAPIpages(ci.groups().memberships(), 'list', 'memberships',
+                                   pageMessage=getPageMessageForWhom(),
+                                   throwReasons=GAPI.CIGROUP_LIST_THROW_REASONS, retryReasons=GAPI.CIGROUP_RETRY_REASONS,
+                                   parent=groupName, **kwargs)
+    except (GAPI.resourceNotFound, GAPI.domainNotFound, GAPI.domainCannotUseApis,
+            GAPI.forbidden, GAPI.badRequest, GAPI.invalid, GAPI.invalidArgument, GAPI.systemError,
+            GAPI.permissionDenied, GAPI.serviceNotAvailable):
+      entityUnknownWarning(Ent.CLOUD_IDENTITY_GROUP, nameToPrint, i, count)
+      return
+  else:
+    if cd is None:
+      cd = buildGAPIObject(API.DIRECTORY)
+    groupMembers = _getChatSpaceMembers(cd, groupEmail, groupName)
   checkCategory = memberDisplayOptions['showCategory']
   if not memberOptions[MEMBEROPTION_RECURSIVE]:
     if memberOptions[MEMBEROPTION_NODUPLICATES]:
@@ -36313,7 +36387,7 @@ def getCIGroupMembers(ci, groupName, memberRoles, membersList, membersSet, i, co
           groupMemberList.append((f'groups/{gname}', memberName))
     for member in groupMemberList:
       getCIGroupMembers(ci, member[0], memberRoles, membersList, membersSet, i, count,
-                        memberOptions, memberDisplayOptions, level+1, typesSet, member[1], kwargs)
+                        memberOptions, memberDisplayOptions, level+1, typesSet, member[1], kwargs, cd)
   else:
     for member in groupMembers:
       getCIGroupMemberRoleFixType(member)
@@ -36335,7 +36409,7 @@ def getCIGroupMembers(ci, groupName, memberRoles, membersList, membersSet, i, co
           membersList.append(member)
         _, gname = member['name'].rsplit('/', 1)
         getCIGroupMembers(ci, f'groups/{gname}', memberRoles, membersList, membersSet, i, count,
-                          memberOptions, memberDisplayOptions, level+1, typesSet, memberName, kwargs)
+                          memberOptions, memberDisplayOptions, level+1, typesSet, memberName, kwargs, cd)
 
 CIGROUPMEMBERS_FIELDS_CHOICE_MAP = {
   'createtime': 'createTime',
@@ -36499,7 +36573,7 @@ def doPrintCIGroupMembers():
     membersList = []
     membersSet = set()
     getCIGroupMembers(ci, groupEntity['name'], getRoles, membersList, membersSet, i, count,
-                      memberOptions, memberDisplayOptions, level, typesSet, groupEmail, kwargs)
+                      memberOptions, memberDisplayOptions, level, typesSet, groupEmail, kwargs, None)
     if showOwnedBy and not checkCIGroupShowOwnedBy(showOwnedBy, membersList):
       continue
     for member in membersList:
@@ -76669,7 +76743,6 @@ USER_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_ANALYTICACCOUNTSUMMARY:	printShowAnalyticAccountSummaries,
       Cmd.ARG_ANALYTICDATASTREAM:	printShowAnalyticDatastreams,
       Cmd.ARG_ANALYTICPROPERTY:	printShowAnalyticProperties,
-      Cmd.ARG_ANALYTICUAPROPERTY:	printShowAnalyticUAProperties,
       Cmd.ARG_ASP:		printShowASPs,
       Cmd.ARG_BACKUPCODE:	printShowBackupCodes,
       Cmd.ARG_CALENDAR:		printShowCalendars,
@@ -76776,7 +76849,6 @@ USER_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_ANALYTICACCOUNTSUMMARY:	printShowAnalyticAccountSummaries,
       Cmd.ARG_ANALYTICDATASTREAM:	printShowAnalyticDatastreams,
       Cmd.ARG_ANALYTICPROPERTY:	printShowAnalyticProperties,
-      Cmd.ARG_ANALYTICUAPROPERTY:	printShowAnalyticUAProperties,
       Cmd.ARG_ASP:		printShowASPs,
       Cmd.ARG_BACKUPCODE:	printShowBackupCodes,
       Cmd.ARG_CALENDAR:		printShowCalendars,
@@ -76989,7 +77061,6 @@ USER_COMMANDS_OBJ_ALIASES = {
   Cmd.ARG_ANALYTICACCOUNTSUMMARIES:	Cmd.ARG_ANALYTICACCOUNTSUMMARY,
   Cmd.ARG_ANALYTICDATASTREAMS:	Cmd.ARG_ANALYTICDATASTREAM,
   Cmd.ARG_ANALYTICPROPERTIES:	Cmd.ARG_ANALYTICPROPERTY,
-  Cmd.ARG_ANALYTICUAPROPERTIES:	Cmd.ARG_ANALYTICUAPROPERTY,
   Cmd.ARG_ASPS:			Cmd.ARG_ASP,
   Cmd.ARG_BACKUPCODES:		Cmd.ARG_BACKUPCODE,
   Cmd.ARG_CALENDARS:		Cmd.ARG_CALENDAR,

src/gam/gamlib/glapi.py

@@ -22,7 +22,6 @@
 # APIs
 ACCESSCONTEXTMANAGER = 'accesscontextmanager'
 ALERTCENTER = 'alertcenter'
-ANALYTICS = 'analytics'
 ANALYTICS_ADMIN = 'analyticsadmin'
 CALENDAR = 'calendar'
 CBCM = 'cbcm'
@@ -162,7 +161,6 @@ PROJECT_APIS = [
   'accesscontextmanager.googleapis.com',
   'admin.googleapis.com',
   'alertcenter.googleapis.com',
-  'analytics.googleapis.com',
   'analyticsadmin.googleapis.com',
 #  'audit.googleapis.com',
   'calendar-json.googleapis.com',
@@ -201,7 +199,6 @@ PROJECT_APIS = [
 _INFO = {
   ACCESSCONTEXTMANAGER: {'name': 'Access Context Manager API', 'version': 'v1', 'v2discovery': True},
   ALERTCENTER: {'name': 'AlertCenter API', 'version': 'v1beta1', 'v2discovery': True},
-  ANALYTICS: {'name': 'Analytics API', 'version': 'v3', 'v2discovery': False},
   ANALYTICS_ADMIN: {'name': 'Analytics Admin API', 'version': 'v1beta', 'v2discovery': True},
   CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
   CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
@@ -244,7 +241,7 @@ _INFO = {
   EMAIL_AUDIT: {'name': 'Email Audit API', 'version': 'v1', 'v2discovery': False},
   FORMS: {'name': 'Forms API', 'version': 'v1', 'v2discovery': True},
   GMAIL: {'name': 'Gmail API', 'version': 'v1', 'v2discovery': True},
-  GROUPSMIGRATION: {'name': 'Groups Migration API', 'version': 'v1', 'v2discovery': False},
+  GROUPSMIGRATION: {'name': 'Groups Migration API', 'version': 'v1', 'v2discovery': True},
   GROUPSSETTINGS: {'name': 'Groups Settings API', 'version': 'v1', 'v2discovery': True},
   IAM: {'name': 'Identity and Access Management API', 'version': 'v1', 'v2discovery': True},
   IAM_CREDENTIALS: {'name': 'Identity and Access Management Credentials API', 'version': 'v1', 'v2discovery': True},
@@ -532,10 +529,6 @@ _SVCACCT_SCOPES = [
    'api': ALERTCENTER,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/apps.alerts'},
-  {'name': 'Analytics API - read only',
-   'api': ANALYTICS,
-   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/analytics.readonly'},
   {'name': 'Analytics Admin API - read only',
    'api': ANALYTICS_ADMIN,
    'subscopes': [],

src/gam/gamlib/glclargs.py

@@ -423,8 +423,6 @@ class GamCLArgs():
   ARG_ANALYTICDATASTREAMS = 'analyticdatastreams'
   ARG_ANALYTICPROPERTY = 'analyticproperty'
   ARG_ANALYTICPROPERTIES = 'analyticproperties'
-  ARG_ANALYTICUAPROPERTY = 'analyticuaproperty'
-  ARG_ANALYTICUAPROPERTIES = 'analyticuaproperties'
   ARG_API = 'api'
   ARG_APIS = 'apis'
   ARG_APIPROJECT = 'apiproject'

src/gam/gamlib/glentity.py

@@ -61,7 +61,6 @@ class GamEntity():
   ANALYTIC_ACCOUNT_SUMMARY = 'anas'
   ANALYTIC_DATASTREAM = 'anad'
   ANALYTIC_PROPERTY = 'anap'
-  ANALYTIC_UA_PROPERTY = 'anau'
   API = 'api '
   APP_ACCESS_SETTINGS = 'apps'
   APP_ID = 'appi'
@@ -412,7 +411,6 @@ class GamEntity():
     ANALYTIC_ACCOUNT_SUMMARY: ['Analytic Account Summaries', 'Analytic Account Summary'],
     ANALYTIC_DATASTREAM: ['Analytic Datastreams', 'Analytic Datastream'],
     ANALYTIC_PROPERTY: ['Analytic GA4 Properties', 'Analytic GA4 Property'],
-    ANALYTIC_UA_PROPERTY: ['Analytic UA Properties', 'Analytic UA Property'],
     API: ['APIs', 'API'],
     APP_ACCESS_SETTINGS: ['Application Access Settings', 'Application Access Settings'],
     APP_ID: ['Application IDs', 'Application ID'],

src/gam/gamlib/glmsgs.py

@@ -72,7 +72,7 @@ Please go to:
 24. Paste it at the "Enter your Client Secret: " prompt in your terminal
 25. Press return/enter in your terminal
 26. Switch back to the browser
-27. Click "CANCEL"
+27. Click "OK"
 28. These steps are complete
 '''
 ENTER_YOUR_CLIENT_ID = '\nEnter your Client ID: '
@@ -287,6 +287,7 @@ GAM_OUT_OF_MEMORY = 'GAM has run out of memory. If this is a large Google Worksp
 GENERATING_NEW_PRIVATE_KEY = 'Generating new private key'
 GETTING = 'Getting'
 GETTING_ALL = 'Getting all'
+GRANTING_RIGHTS_TO_ROTATE_ITS_OWN_PRIVATE_KEY = '{0} rights to rotate its own private key'
 GOOGLE_DELEGATION_ERROR = 'Google delegation error, delegator and delegate both exist and are valid for delegation'
 GOT = 'Got'
 GROUP_MAPS_TO_MULTIPLE_OUS = 'File: {0}, Group: {1} references multiple OUs: {2}'
@@ -294,13 +295,12 @@ GROUP_MAPS_TO_OU_INVALID_ROW = 'File: {0}, Invalid row, must contain non-blank <
 GUARDIAN_INVITATION_STATUS_NOT_PENDING = 'Guardian invitation status is not PENDING'
 HAS_CHILD_ORGS = 'Has child {0}'
 HAS_INVALID_FORMAT = '{0}: {1}, Has invalid format'
-HAS_RIGHTS_TO_ROTATE_OWN_PRIVATE_KEY = 'Giving account {0} rights to rotate {1} private key'
 HEADER_NOT_FOUND_IN_CSV_HEADERS = 'Header "{0}" not found in CSV headers of "{1}".'
 HELP_SYNTAX = 'Help: Syntax in file {0}\n'
 HELP_WIKI = 'Help: Documentation is at {0}\n'
 IGNORED = 'Ignored'
 INSTRUCTIONS_CLIENT_SECRETS_JSON = 'Please run\n\ngam create|use project\ngam oauth create\n\nto create and authorize a Client account.\n'
-INSTRUCTIONS_OAUTH2SERVICE_JSON = 'Please run\n\ngam create|use project\ngam user <user> check serviceaccount\n\nto create and authorize a Service account.\n'
+INSTRUCTIONS_OAUTH2SERVICE_JSON = 'Please run\n\ngam create|use project\ngam user <user> update serviceaccount\n\nto create and authorize a Service account.\n'
 INSUFFICIENT_PERMISSIONS_TO_PERFORM_TASK = 'Insufficient permissions to perform this task'
 INTER_BATCH_WAIT_INCREASED = 'inter_batch_wait increased to {0:.2f}'
 INVALID = 'Invalid'
@@ -468,6 +468,10 @@ REFUSING_TO_DEPROVISION_DEVICES = 'Refusing to deprovision {0} devices because a
 REPLY_TO_CUSTOM_REQUIRES_EMAIL_ADDRESS = 'replyto REPLY_TO_CUSTOM requires customReplyTo <EmailAddress>'
 REQUEST_COMPLETED_NO_FILES = 'Request completed but no results/files were returned, try requesting again'
 REQUEST_NOT_COMPLETE = 'Request needs to be completed before downloading, current status is: {0}'
+RERUN_THE_COMMAND_AND_SPECIFY_A_NEW_SANAME = """
+Re-run the command specify a new service account name with: saname <ServiceAccountName>
+See: https://github.com/GAM-team/GAM/wiki/Authorization#advanced-use
+"""
 RESOURCE_CAPACITY_FLOOR_REQUIRED = 'Options "capacity <Number>" (<Number> > 0) and "floor <String>" required'
 RESOURCE_FLOOR_REQUIRED = 'Option "floor <String>" required'
 RESULTS_TOO_LARGE_FOR_GOOGLE_SPREADSHEET = 'Results are too large for Google Spreadsheets. Uploading as a regular CSV file.'

src/gam/gamlib/glskus.py

@@ -144,6 +144,8 @@ _SKUS = {
     'product': 'Google-Apps', 'aliases': ['wsflw', 'workspacefrontline', 'workspacefrontlineworker'], 'displayName': 'Google Workspace Frontline Starter'},
   '1010020031': {
     'product': 'Google-Apps', 'aliases': ['wsflwstan', 'workspacefrontlinestan', 'workspacefrontlineworkerstan'], 'displayName': 'Google Workspace Frontline Standard'},
+  '1010020034': {
+    'product': 'Google-Apps', 'aliases': ['wsflwplus', 'workspacefrontlineplus', 'workspacefrontlineworkerplus'], 'displayName': 'Google Workspace Frontline Plus'},
   '1010340001': {
     'product': '101034', 'aliases': ['gseau', 'enterprisearchived', 'gsuiteenterprisearchived'], 'displayName': 'Google Workspace Enterprise Plus - Archived User'},
   '1010340002': {

src/gam/gamlib/glverlibs.py

@@ -20,14 +20,19 @@
 
 """
 
-GAM_VER_LIBS = ['cryptography',
-                'filelock',
-                'google-api-python-client',
-                'google-auth-httplib2',
-                'google-auth-oauthlib',
-                'google-auth',
-                'httplib2',
-                'passlib',
-                'python-dateutil',
-                'yubikey-manager',
-                ]
+GAM_VER_LIBS = [
+  'chardet',
+  'cryptography',
+  'filelock',
+  'google-api-python-client',
+  'google-auth-httplib2',
+  'google-auth-oauthlib',
+  'google-auth',
+  'lxml',
+  'httplib2',
+  'passlib',
+  'pathvalidate',
+  'pyscard',
+  'python-dateutil',
+  'yubikey-manager',
+]

src/requirements.txt

@@ -1,14 +1,15 @@
-chardet
-cryptography
+chardet>=5.2.0
+cryptography>=44.0.2
 distro; sys_platform=='linux'
-filelock
-google-api-python-client>=2.1
-google-auth-httplib2
-google-auth-oauthlib>=0.4.1
-google-auth>=2.3.2
-httplib2>=0.17.0
-lxml
-passlib>=1.7.2
-pathvalidate
+filelock>=3.18.0
+google-api-python-client>=2.167.0
+google-auth-httplib2>=0.2.0
+google-auth-oauthlib>=1.2.2
+google-auth>=2.39.0
+httplib2>=0.22.0
+lxml>=5.4.0
+passlib>=1.7.4
+pathvalidate>=3.2.3
+pyscard==2.2.1
 python-dateutil
-yubikey-manager[yubikey]>=5.0
+yubikey-manager>=5.6.1

src/setup.cfg

@@ -17,26 +17,29 @@ classifiers =
     Programming Language :: Python :: 3.10
     Programming Language :: Python :: 3.11
     Programming Language :: Python :: 3.12
+    Programming Language :: Python :: 3.13
     License :: OSI Approved :: Apache License
 
 [options]
 packages = find:
-python_requires = >= 3.8
+python_requires = >= 3.9
+# The following files should be edited to match: pyproject.toml, requirements.txt
 install_requires =
-    chardet
-    cryptography
+    chardet >= 5.2.0
+    cryptography >= 44.0.2
     distro; sys_platform == 'linux'
-    filelock
-    google-api-python-client >= 2.36
-    google-auth-httplib2
-    google-auth-oauthlib >= 0.4.6
-    google-auth >= 2.3.3
-    httplib2 >= 0.20.2
-    lxml
+    filelock >= 3.18.0
+    google-api-python-client >= 2.167.0
+    google-auth-httplib2 >= 0.2.0
+    google-auth-oauthlib >= 1.2.2
+    google-auth >= 2.39.0
+    httplib2 >= 0.22.0
+    lxml >= 5.4.0
     passlib >= 1.7.4
-    pathvalidate
+    pathvalidate >= 3.2.3
+    pyscard == 2.2.1
     python-dateutil
-    yubikey-manager >= 5.0
+    yubikey-manager >= 5.6.1
 
 [options.package_data]
 * = *.pem

wiki/Authorization.md

@@ -283,7 +283,7 @@ You can skip these steps if you know that untrusted third-party apps are allowed
 * `<ServiceAccountDisplayName>` - `<ProjectName>`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
 
-### Basic
+### Basic Create
 Create a project with default values for the project and service account.
 ```
 gam create project [<EmailAddress>] [<ProjectID>]
@@ -291,7 +291,7 @@ gam create project [<EmailAddress>] [<ProjectID>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `<ProjectID>` - A new Google project ID; if omitted, a default value will be used
 
-### Advanced
+### Advanced Create
 Create a project with user-specified values for the project and service account.
 ```
 gam create project [admin <EmailAddress>] [project <ProjectID>]
@@ -326,7 +326,7 @@ Use an existing project to create and download two files: `client_secrets.json`
 * `<ServiceAccountDisplayName>` - `<ProjectName>`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
 
-### Basic
+### Basic Use
 Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when
 the GCP  administrators have created a basic project because project creation is not available for most users.
 
@@ -338,12 +338,13 @@ gam use project [<EmailAddress>] [project <ProjectID>]
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `<ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID
 
-### Advanced
+### Advanced Use
 Use an existing project with user-specified values for the service account. If the project is already
 a GAM project you must use `saname <ServiceAccountName>` as the existing service account information
 can not be re-downloaded.
 ```
 gam use project [admin <EmailAddress>] [project <ProjectID>]
+        [appname <String>] [supportemail <EmailAddress>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
         [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|

wiki/Command-Line-Parsing.md

@@ -57,10 +57,10 @@ Typically, you will enclose the entire list in double quotes and quote each item
    * ```"item item item"```
 - Items, separated by commas, with spaces, commas or single quotes in the items themselves
    * ```"'it em','it,em',\"it'em\""``` - Linux, MacOS, Windows Command Prompt
-   * ```"'it em','it,em',`"it'em`""``` - Windows Power Shell
+   * ```"'it\ em','it,em',`"it\'em`""``` - Windows Power Shell
 - Items, separated by spaces, with spaces, commas or single quotes in the items themselves
    * ```"'it em' 'it,em' \"it'em\""``` - Linux, MacOS, Windows Command Prompt
-   * ```"'it em' 'it,em' `"it'em`""``` - Windows Power Shell
+   * ```"'it\ em' 'it,em' `"it\'em`""``` - Windows Power Shell
 
 Typical places where these rules apply are lists of OUs and Contact Groups.
 

wiki/Downloads-Installs.md

@@ -24,18 +24,19 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
   - Start a terminal session.
 
 * Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
-  - `gam-7.wx.yz-linux-aarch64-glibc2.35.tar.xz`
-  - `gam-7.wx.yz-linux-aarch64-legacy.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-glibc2.39.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-legacy.tar.xz`
   - Download the archive, extract the contents into some directory.
   - Start a terminal session.
 
 * Executable Archive, Manual, Mac OS versions Sonoma, Sequoia - M1/M2
-  - `gam-7.wx.yz-macos14.7-aarch64.tar.xz`
+  - `gam-7.wx.yz-macos14.7-arm64.tar.xz`
   - Download the archive, extract the contents into some directory.
   - Start a terminal session.
 
 * Executable Archive, Manual, Mac OS versions Sequoia - M3
-  - `gam-7.wx.yz-macos15.2-aarch64.tar.xz`
+  - `gam-7.wx.yz-macos15.4-arm64.tar.xz`
   - Download the archive, extract the contents into some directory.
   - Start a terminal session.
 
@@ -54,6 +55,16 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
   - Download the installer and run it.
   - Start a Command Prompt/PowerShell session.
 
+* Executable Archive, Manual, Windows 11 ARM
+  - `gam-7.wx.yz-windows-arm64.zip`
+  - Download the archive, extract the contents into some directory.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 11 ARM
+  - `gam-7.wx.yz-windows-arm64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
 * Source, all platforms
   - `Source code(zip)`
   - `Source code(tar.gz)`

wiki/GamUpdates.md

@@ -10,6 +10,64 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.06.12
+
+Deleted commands to display Analytic UA properties; the API has been deprecated.
+```
+gam <UserTypeEntity> print|show analyticuaproperties
+```
+
+### 7.06.11
+
+Improved `gam checkconn`.
+
+Updated `gam print group-members` and `gam print cigroup-members` to recognize members
+that are groups representing chat spaces. For now, these groups are not expanded when
+`recursive` is specified.
+
+### 7.06.10
+
+Added the following license SKU.
+```
+1010020034 - Google Workspace Frontline Plus
+```
+
+### 7.06.09
+
+Added `gemini` and `geminiforworkspace` to `<ActivityApplicationName>` for use in
+`gam report <ActivityApplicationName>`.
+
+### 7.06.08
+
+Fixed problem where Yubikeys caused a trap.
+
+### 7.06.07
+
+Updated private key rotation progress messages in `gam create|use|update project`
+and `gam upload sakey`.
+
+Updated `gam use project` to display the following error message when the specifed project
+already has a service account.
+```
+Re-run the command specify a new service account name with: saname <ServiceAccountName>'
+```
+
+### 7.06.06
+
+Native support for Windows 11 Arm-based devices.
+
+Renamed some MacOS and Linux binary installer files to align on terminology. Everything is "arm64" now, no "aarch64".
+
+### 7.06.05
+
+Updated code in `gam delete|update chromepolicy` to handle the `policyTargetKey[additionalTargetKeys]`
+field in a more general manner for future use.
+
+### 7.06.04
+
+Fixed bug in `gam report <ActivityApplictionName>` where a report with no activities
+was not displaying any output.
+
 ### 7.06.03
 
 Fixed bug in `gam <UserTypeEntity> print|show drivelastmodification` that caused a trap

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,10 +251,10 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.06.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
-MacOS Sequoia 15.4 x86_64
+MacOS Sequoia 15.4.1 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
@@ -989,7 +989,7 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.06.03 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.06.12 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
 Windows-10-10.0.17134 AMD64

wiki/Licenses.md

@@ -110,6 +110,7 @@
 | Google Workspace for Education: Teaching and Learning Upgrade | 1010370001 | gwetlu |
 | Google Workspace Frontline Starter | 1010020030 | wsflw |
 | Google Workspace Frontline Standard | 1010020031 | wsflwstan |
+| Google Workspace Frontline Plus | 1010020034 | wsflwplus |
 | Google Workspace Government | Google-Apps-For-Government | gsuitegov |
 | Google Workspace Labs | 1010470002 | gwlabs | workspacelabs |
 

wiki/Meta-Commands-and-File-Redirection.md

@@ -147,7 +147,7 @@ The `columndelimiter <Character>` subargument sets the intercolumn delimiter of
 is the value of `csv_output_column_delimiter` in `gam.cfg` which defaults to comma.
 
 The `quotechar <Character>` subargument sets the character used to quote fields in the CSV file
-that contaim special charactere; the default value is the value of `csv_output_quote_char` in `gam.cfg`
+that contain special charactere; the default value is the value of `csv_output_quote_char` in `gam.cfg`
 which defaults to double quote.
 
 The `noescapechar <Boolean>` subargument controls whether `\` is used as an escape character when writing the CSV file; the default value

wiki/Reports.md

@@ -51,6 +51,7 @@ config csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
         domain|
         drive|doc|docs|
         gcp|
+        gemini|geminiforworkspace|
         groups|group|
         groupsenterprise|enterprisegroups|
         jamboard|

wiki/Shared-Drives.md

@@ -24,6 +24,7 @@
   - [Display Shared Drive access for specific Shared Drives](#display-shared-drive-access-for-specific-shared-drives)
   - [Display Shared Drive access for selected Shared Drives](#display-shared-drive-access-for-selected-shared-drives)
   - [Display members of all Shared Drives](#display-members-of-all-shared-drives)
+  - [Display external members of all Shared Drives](#display-external-members-of-all-shared-drives)
 - [Display ACLs for Shared Drives with no organizers](#display-acls-for-shared-drives-with-no-organizers)
 - [Display ACLs for Shared Drives with all organizers outside of your domain](#display-acls-for-shared-drives-with-all-organizers-outside-of-your-domain)
 - [Display ACLs for Shared Drives with all ACLs outside of your domain](#display-acls-for-shared-drives-with-all-acls-outside-of-your-domain)
@@ -569,6 +570,12 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 gam config csv_output_header_drop_filter "User,createdTime,permission.photoLink,permission.permissionDetails" redirect csv ./SharedDriveMembers.csv print shareddriveacls oneitemperrow
 ```
 
+## Display external members of all Shared Drives
+Replace `<InternalDomainList>` with your list of internal domains.
+```
+gam config csv_output_header_drop_filter "User,createdTime,permission.photoLink,permission.permissionDetails" redirect csv ./SharedDriveExternalMembers.csv print shareddriveacls pm notdomainlist <InternalDomainList> em oneitemperrow
+```
+
 ## Display Shared Drive access for selected Shared Drives
 ```
 gam [<UserTypeEntity>] show teamdriveacls

wiki/Users-Analytics-Admin.md

@@ -6,14 +6,13 @@
 - [Display Analytic Account Summaries](#display-analytic-account-summaries)
 - [Display Analytic Properties](#display-analytic-properties)
 - [Display Analytic Datastreams](#display-analytic-datastreams)
-- [Display Analytic UA Properties](#display-analytic-ua-properties)
 - [Examples](#examples)
 
 ## API documentation
 * [Analytics Admin API](https://developers.google.com/analytics/devguides/config/admin/v1/rest)
 
 ## Notes
-To use these commands you must add 'Analytics API' and 'Analytics Admin API' to your project and update your service account authorization.
+To use these commands you must add 'Analytics Admin API' to your project and update your service account authorization.
 ```
 gam update project
 gam user user@domain.com update serviceaccount
@@ -142,37 +141,6 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
-## Display Analytic UA Properties
-```
-gam <UserTypeEntity> show analyticuaproperties
-        accountid [accounts/]<String>
-        [maxresults <Integer>]
-        [formatjson]
-```
-The required `accountid <String>` can be in the format: 'accounts/123' or '123'.
-
-By default, GAM asks the API for 50 properties per page of results,
-* `maxresults` - Maximum number of results per page; range is 1-200; the default is 50.
-
-By default, Gam displays the information as an indented list of keys and values.
-* `formatjson` - Display the fields in JSON format.
-```
-gam <UserTypeEntity> print analyticuaproperties [todrive <ToDriveAttribute>*]
-        accountid [accounts/]<String>
-        [maxresults <Integer>]
-        [formatjson [quotechar <Character>]]
-```
-The required `accountid <String>` can be in the format: 'accounts/123' or '123'.
-
-By default, GAM asks the API for 50 properties per page of results,
-* `maxresults` - Maximum number of results per page; range is 1-200; the default is 50.
-
-By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
-the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
-When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
-The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
-`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
-
 
 ## Examples
 Get all analytic accounts
@@ -189,8 +157,3 @@ Get all analytic account properties (GA4)
 ```
 gam redirect stdout - multiprocess redirect stderr stdout redirect csv ./GA4AnalyticAccountProperties.csv multiprocess csv AnalyticAccounts.csv gam user "~User" print analyticproperties filter "parent:~~name~~"
 ```
-
-Get all analytic account properties (UA)
-```
-gam redirect stdout - multiprocess redirect stderr stdout redirect csv ./UAAnalyticAccountProperties.csv multiprocess csv AnalyticAccounts.csv gam user "~User" print analyticuaproperties accountid "~~name~~"
-```

wiki/Users-Chat.md

@@ -42,12 +42,12 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
 
 ## Set up a Chat Bot
 
-* Run the command `gam setup chat`; it will point you to a URL to configure your Chat Bot; this is required to use the Chat API.
+* Run the command `gam setup chat`; it will point you to a URL to configure your Chat Bot.
 * Enter an App name and Description of your choosing.
 * For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
 * In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
-* In Connection settings, choose "Cloud Pub/Sub" and enter "no-topic" for the topic name. GAM doesn't yet listen to pub/sub so this option is not used.
-* In Visibility, uncheck "Make this Chat app available to specific people and groups in Domain Workspace".
+* In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the topic name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
+* In Visibility, uncheck "Make this Chat app available to specific people and groups in  Domain Workspace".
 * Click Save.
 
 ## API documentation

wiki/Version-and-Help.md

@@ -4,10 +4,10 @@ k
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.06.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
-MacOS Sequoia 15.4 x86_64
+MacOS Sequoia 15.4.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -16,10 +16,10 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.06.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
-MacOS Sequoia 15.4 x86_64
+MacOS Sequoia 15.4.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
@@ -28,10 +28,10 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.06.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.06.12 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
-MacOS Sequoia 15.4 x86_64
+MacOS Sequoia 15.4.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -65,7 +65,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.06.03
+   Latest: 7.06.12
 echo $?
 1
 ```
@@ -73,7 +73,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.06.03
+7.06.12
 ```
 In Linux/MacOS you can do:
 ```
@@ -83,10 +83,10 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.06.03 - https://github.com/GAM-team/GAM
+GAM 7.06.12 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.13.3 64-bit final
-MacOS Sequoia 15.4 x86_64
+MacOS Sequoia 15.4.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00