Fix display of dataOwner field for secondary calendars

Added dataOwner field for secondary calendars
2026-06-08 08:11:37 +00:00 · 2025-11-12 09:49:39 -08:00 · 2025-11-12 09:39:35 -08:00 · 2025-11-12 08:10:51 -08:00 · 2025-11-12 08:10:16 -08:00 · 2025-11-10 08:16:34 -08:00
76 changed files with 2514 additions and 1074 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -41,78 +41,96 @@ jobs:
        include:
          - os: ubuntu-22.04
            jid: 1
+            freethreaded: false
            goal: build
            name: Build Intel Ubuntu Jammy
          - os: ubuntu-24.04
            jid: 2
+            freethreaded: false
            goal: build
            name: Build Intel Ubuntu Noble
          - os: ubuntu-24.04-arm
            jid: 3
+            freethreaded: false
            goal: build
            name: Build Arm Ubuntu Noble
          - os: ubuntu-22.04-arm
            jid: 4
+            freethreaded: false
            goal: build
            name: Build Arm Ubuntu Jammy
          - os: ubuntu-22.04
            jid: 5
+            freethreaded: false
            goal: build
            staticx: yes
            name: Build Intel StaticX Legacy
          - os: ubuntu-22.04-arm
            jid: 6
+            freethreaded: false
            goal: build
            staticx: yes
            name: Build Arm StaticX Legacy
-          - os: macos-13
-            jid: 7
-            goal: build
-            name: Build Intel MacOS
          - os: macos-14
            jid: 8
+            freethreaded: false
            goal: build
            name: Build Arm MacOS 14
          - os: macos-15
            jid: 9
+            freethreaded: false
            goal: build
            name: Build Arm MacOS 15
          - os: macos-15-intel
            jid: 10
+            freethreaded: false
            goal: build
            name: Build x86_64 macOS 15
          - os: macos-26
            jid: 11
+            freethreaded: false
            goal: build
            name: Build Arm MacOS 26
          - os: windows-2025
            jid: 12
+            freethreaded: false
            goal: build
            name: Build Intel Windows
          - os: windows-11-arm
            jid: 13
+            freethreaded: false
            goal: build
            name: Build Arm Windows
          - os: ubuntu-24.04
            goal: test
            python: "3.10"
+            freethreaded: false
            jid: 14
            name: Test Python 3.10
          - os: ubuntu-24.04
            goal: test
            python: "3.11"
+            freethreaded: false
            jid: 15
            name: Test Python 3.11
-          #- os: ubuntu-24.04
-          #  goal: test
-          #  python: "3.12"
-          #  jid: 16
-          #  name: Test Python 3.12
-          #- os: ubuntu-24.04
-          #  goal: test
-          #  python: "3.14-dev"
-          #  jid: 16
-          #  name: Test Python 3.14-dev
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.12"
+            freethreaded: false
+            jid: 16
+            name: Test Python 3.12
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.15-dev"
+            freethreaded: false
+            jid: 17
+            name: Test Python 3.15-dev
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.14"
+            freethreaded: true
+            jid: 18
+            name: Test Python 3.14 freethread

    steps:

@@ -135,7 +153,7 @@ jobs:
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250922
+          key: gam-${{ matrix.jid }}-20251031

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -145,17 +163,19 @@ jobs:

      - name: Use pre-compiled Python for testing
        if: matrix.python != ''
-        uses: actions/setup-python@3d1e2d2ca0a067f27da6fec484fce7f5256def85 # v5.6.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ matrix.python }}
          allow-prereleases: true
          check-latest: true
+          freethreaded: ${{ matrix.freethreaded }}

      - name: common variables for all runs
        env:
          JID: ${{ matrix.jid }}
          ACTIONS_CACHE: ${{ steps.cache-python-ssl.outputs.cache-hit }}
          ACTIONS_GOAL: ${{ matrix.goal }}
+          freethreaded: ${{ matrix.freethreaded }}
        run: |
          case $RUNNER_ARCH in
            X64)
@@ -169,6 +189,12 @@ jobs:
              ;;
          esac 
          echo "JID=${JID}" >> $GITHUB_ENV
+          echo "freethreaded=${freethreaded}" >> $GITHUB_ENV
+          if "$freethreaded"; then
+            # Hush some warnings while we test
+            export PYTHON_GIL=0
+            echo "PYTHON_GIL=${PYTHON_GIL}" >> $GITHUB_ENV
+          fi
          echo "ACTIONS_CACHE=${ACTIONS_CACHE}" >> $GITHUB_ENV
          echo "ACTIONS_GOAL=${ACTIONS_GOAL}" >> $GITHUB_ENV
          curl_version=$(curl --version | head -n 1 | awk '{ print $2 }')
@@ -194,13 +220,9 @@ jobs:
        if: matrix.goal == 'test'
        run: |
          export PYTHON=$(which python3)
-          export PIP=$(which pip3)
-          export gam="${PYTHON} -m gam"
          export gampath="$(readlink -e .)/gam"
-          echo -e "PYTHON: ${PYTHON}\nPIP: ${PIP}\gam: ${gam}\ngampath: ${gampath}"
+          echo -e "PYTHON: ${PYTHON}\ngam: ${gam}\ngampath: ${gampath}"
          echo "PYTHON=${PYTHON}" >> $GITHUB_ENV
-          echo "PIP=${PIP}" >> $GITHUB_ENV
-          echo "gam=${gam}" >> $GITHUB_ENV
          echo "gampath=${gampath}" >> $GITHUB_ENV

      - name: Install necessary Github-hosted Linux packages
@@ -261,14 +283,15 @@ jobs:
            MAKEOPT=""
            PERL="c:\strawberry\perl\bin\perl.exe"
            if [[ "$RUNNER_ARCH" == "ARM64" ]]; then
-              PYEXTERNALS_PATH="arm64"
+              PYEXTERNALS_ARCH="arm64"
              WIX_ARCH="arm64"
            elif [[ "$RUNNER_ARCH" == "X64" ]]; then
-              PYEXTERNALS_PATH="amd64"
+              PYEXTERNALS_ARCH="amd64"
              WIX_ARCH="x64"
            fi
-            LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}"
-            echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}/python.exe" >> $GITHUB_ENV
+            PYEXTERNALS_PATH=$(cygpath -u "${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_ARCH}")
+            LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYEXTERNALS_PATH}"
+            echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_ARCH}/python.exe" >> $GITHUB_ENV
            echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
          fi
          echo "We'll run make with: ${MAKEOPT}"
@@ -451,22 +474,50 @@ jobs:
          "${PYTHON}" -V
          "${PYTHON}" -c "import ssl; print(f'Using {ssl.OPENSSL_VERSION}')"

+      - name: Create and use Python venv
+        run: |
+          cd "$GITHUB_WORKSPACE"
+          curl -o get-pip.py https://bootstrap.pypa.io/get-pip.py
+          "$PYTHON" get-pip.py
+          "$PYTHON" -m venv venv
+          if [[ "$RUNNER_OS" == "Windows" ]]; then
+            # pyscard seems to build outside venv but not in it.
+            # build it so it's cached.
+            "$PYTHON" -m pip install --upgrade --force-reinstall pyscard
+            export PYTHON="${GITHUB_WORKSPACE}/venv/scripts/python.exe"
+          else
+            export PYTHON="${GITHUB_WORKSPACE}/venv/bin/python3"
+          fi
+          echo "PYTHON=${PYTHON}" >> $GITHUB_ENV
+          if [[ "$ACTIONS_GOAL" == "test" ]]; then
+            export gam="${PYTHON} gam.py"
+            echo "gam=${gam}" >> $GITHUB_ENV
+          fi
+
      - name: Upgrade pip, wheel, etc
        run: |
          curl $curl_retry -O https://bootstrap.pypa.io/get-pip.py
          "$PYTHON" get-pip.py
          "$PYTHON" -m pip install --upgrade pip
          "$PYTHON" -m pip install --upgrade wheel
-          "$PYTHON" -m pip install setuptools
+          "$PYTHON" -m pip install --upgrade setuptools
          "$PYTHON" -m pip install --upgrade importlib-metadata
          "$PYTHON" -m pip install --upgrade setuptools-scm
+          "$PYTHON" -m pip install --upgrade packaging
          "$PYTHON" -m pip list

      - name: Install pip requirements
        run: |
          echo "before anything..."
          "$PYTHON" -m pip list
-          "$PYTHON" -m pip install --upgrade ..[yubikey]
+          echo "--info--"
+          "$PYTHON" -m pip cache info
+          echo "--list--"
+          "$PYTHON" -m pip cache list
+          echo "--pip debug verbose--"
+          "$PYTHON" -m pip debug --verbose
+          echo "--------"
+          "$PYTHON" -m pip install -vvv --upgrade ..[yubikey]
          echo "after everything..."
          "$PYTHON" -m pip list

@@ -894,11 +945,11 @@ jobs:
          $gam calendar $gam_user printevents after -0d
          $gam config enable_dasa false save
          matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" returnidonly)
-          $gam create vaulthold matter $matterid name "GHA hold $newbase" corpus mail accounts $newuser
+          $gam create vaulthold matter $matterid name "GHA hold ${newbase}" corpus mail ou "$newou"
          $gam print vaultmatters matterstate open
          $gam print vaultholds matter $matterid
          $gam print vaultcount matter $matterid corpus mail everyone todrive tdnobrowser
-          $gam create vaultexport matter $matterid name "GHA export $newbase" corpus mail accounts $newuser
+          $gam create vaultexport matter $matterid name "GHA export $newbase" corpus mail ou "$newou"
          $gam print exports matter $matterid | $gam csv - gam info export $matterid id:~~id~~
          $gam config enable_dasa true save
          $gam csv sample.csv gam user ~email add calendar id:$newresource
@@ -938,7 +989,7 @@ jobs:
          $gam report usageparameters customer
          $gam report usage customer parameters gmail:num_emails_sent,accounts:num_1day_logins
          $gam report customer todrive tdnobrowser
-          #$gam report users fields accounts:is_less_secure_apps_access_allowed,gmail:last_imap_time,gmail:last_pop_time filters "accounts:last_login_time>2019-01-01T00:00:00.000Z" todrive tdnobrowser
+          #$gam report users fields accounts:is_less_secure_apps_access_allowed,gmail:last_imap_time,gmail:last_pop_time filters "accounts:last_login_time>2025-01-01T00:00:00.000Z" todrive tdnobrowser
          $gam report users todrive tdnobrowser
          $gam report admin start -3d todrive tdnobrowser
          $gam print devices nopersonaldevices nodeviceusers filter "serial:$JID$JID$JID$JID-" | $gam csv - gam delete device id ~name
@@ -978,7 +1029,8 @@ jobs:
          else
            tar_folders="bin/"
          fi
-          tar cJvvf cache.tar.xz $tar_folders
+          echo '.git*' > ./excludes.txt
+          tar cJvvf cache.tar.xz --exclude-from=excludes.txt $tar_folders

  merge:
    if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
@@ -1028,7 +1080,7 @@ jobs:
          echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT

      - name: Publish draft release
-        uses: softprops/action-gh-release@fbadcc90e88ecface60a0a0d123795b784ceb239 # v2.3.2
+        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
        with:
          draft: true
          prerelease: false
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -30,6 +30,6 @@ jobs:
          python -m build

      - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          attestation: true
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,7 +27,7 @@ dependencies = [
 ]
 description = "CLI tool to manage Google Workspace"
 readme = "README.md"
-requires-python = ">=3.9"
+requires-python = ">=3.10"
 classifiers = [
    "Programming Language :: Python :: 3",
    "Programming Language :: Python :: 3 :: Only",
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -368,6 +368,7 @@ If an item contains spaces, it should be surrounded by ".
 ## Named items

 <AccessToken> ::= <String>
+<AdminAssigneeType> ::= group|user|serviceaccount|unknown
 <AlertID> ::= <String>
 <APIScopeURL> ::= <String>
 <APPID> ::= <String>
@@ -565,6 +566,7 @@ If an item contains spaces, it should be surrounded by ".
        See: https://support.google.com/mail/answer/7190
 <QueryGroup> ::= <String>
        See: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+<QueryItem> ::= <UniqueID>|<String>
 <QueryMemberRestrictions> ::= <String>
        See: https://cloud.google.com/identity/docs/reference/rest/v1beta1/SecuritySettings#MemberRestriction
 <QueryMobile> ::= <String>
@@ -690,6 +692,7 @@ If an item contains spaces, it should be surrounded by ".

 ## Lists of basic items

+<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
 <APIScopeURLList> ::= "<APIScopeURL>(,<APIScopeURL>)*"
 <ASPIDList> ::= "<ASPID>(,<ASPID>)*"
 <AssetTagList> ::= "<AssetTag>(,<AssetTag>)*"
@@ -728,6 +731,7 @@ If an item contains spaces, it should be surrounded by ".
 <DomainNameList> ::= "<DomainName>(,<DomainName>)*"
 <DriveFileACLRoleList> ::= "<DriveFileACLRole>(,<DriveFileACLRole>)*"
 <DriveFileACLTypeList> ::= "<DriveFileACLType>(,<DriveFileACLType>)*"
+<DriveFileIDList> ::= "<DriveFileID>(,<DriveFileID>)*"
 <DriveFileList> ::= "<DriveFileItem>(,<DriveFileItem>)*"
 <DriveFilePermissionList> ::= "<DriveFilePermission>(,<DriveFilePermission>)*"
 <DriveFilePermissionIDList> ::= "<DriveFilePermissionID>(,<DriveFilePermissionID>)*"
@@ -1549,11 +1553,17 @@ gam create|add admin <EmailAddress>|<UniqueID> <RoleItem> customer|(org_unit <Or
        [condition securitygroup|nonsecuritygroup]
 gam delete admin <RoleAssignmentId>

+<AdminAssigneeType> ::= group|user|serviceaccount|unknown
+<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
+
 gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
-        [privileges] [oneitemperrow]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
+        [types <AdminAssigneeTypeList>]
+        [recursive] [condition] [privileges] [oneitemperrow]
 gam show admins
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
+        [types <AdminAssigneeTypeList>]
+        [recursive] [condition] [privileges]

 # Alert Center

@@ -1930,12 +1940,12 @@ gam calendar|calendars <CalendarEntity> info events [<EventEntity>] [maxinstance
        [formatjson]
 gam calendar|calendars <CalendarEntity> show events [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly]
-        [formatjson]
+        [countsonly|formatjson]
 gam calendar|calendars <CalendarEntity> print events [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly [eventrowfilter]]
-        [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
+        (addcsvdata <FieldName> <String>)*
+        [eventrowfilter]
+        [countsonly|(formatjson [quotechar <Character>])] [todrive <ToDriveAttribute>*]

 gam calendar <CalendarEntity> addevent <EventAttribute>+ [<EventNotificationAttribute>]
        [showdayofweek]
@@ -2047,7 +2057,7 @@ gam create chatmessage <ChatSpace>
        [(thread <ChatThread>)|(threadkey <String>) [replyoption fail|fallbacktonew]]
        [returnidonly]
 gam update chatmessage name <ChatMessage>
-        <ChatContent>
+        [<ChatContent>] [clearattachments <String>]
 gam delete chatmessage name <ChatMessage>

 <ChatMessageFieldName> ::=
@@ -2222,36 +2232,6 @@ gam print browsertokens [todrive <ToDriveAttribute>*]
        [sortheaders]
        [formatjson [quotechar <Character>]]

-# Chrome Installed Apps Counts
-
-gam show chromeapps
-        [(ou <OrgUnitItem>)|(ou_and_children <OrgUnitItem>)|
-         (ous <OrgUnitList>)|(ous_and_children <OrgUnitList>)]
-        [filter <String>]
-        [orderby appname|apptype|installtype|numberofpermissions|totalinstallcount]
-        [formatjson]
-gam print chromeapps [todrive <ToDriveAttribute>*]
-        [(ou <OrgUnitItem>)|(ou_and_children <OrgUnitItem>)|
-         (ous <OrgUnitList>)|(ous_and_children <OrgUnitList>)]
-        [filter <String>]
-        [orderby appname|apptype|installtype|numberofpermissions|totalinstallcount]
-        [formatjson [quotechar <Character>]] [delimiter <Character>]
-
-gam show chromeappdevices
-        appid <AppID> apptype extension|app|theme|hostedapp|androidapp
-        [(ou <OrgUnitItem>)|(ou_and_children <OrgUnitItem>)|
-         (ous <OrgUnitList>)|(ous_and_children <OrgUnitList>)]
-        [start <Date>] [end <Date>]
-        [orderby deviceid|machine]
-        [formatjson]
-gam print chromeappdevices [todrive <ToDriveAttribute>*]
-        appid <AppID> apptype extension|app|theme|hostedapp|androidapp
-        [(ou <OrgUnitItem>)|(ou_and_children <OrgUnitItem>)|
-         (ous <OrgUnitList>)|(ous_and_children <OrgUnitList>)]
-        [start <Date>] [end <Date>]
-        [orderby deviceid|machine]
-        [formatjson [quotechar <Character>]]
-
 # Chrome Auto Update Expiration Counts

 gam print chromeaues [todrive <ToDriveAttribute>*]
@@ -2361,6 +2341,15 @@ gam show chromeprofilecommands <ChromeProfileNameEntity>
 gam print chromeprofilecommands <ChromeProfileNameEntity> [todrive <ToDriveAttribute>*]
        [formatjson [quotechar <Character>]]

+# Chrome Device Counts
+
+gam show chromedevicecounts
+        (mode all|active|perboottype|perreleasechannel)* [date <Date>]
+        [formatjson]
+gam print chromedevicecounts [todrive <ToDriveAttribute>*]
+        (mode all|active|perboottype|perreleasechannel) [date <Date>]
+        [formatjson [quotechar <Character>]]
+
 # Chrome Versions Counts

 gam show chromeversions
@@ -3269,6 +3258,7 @@ gam print courses [todrive <ToDriveAttribute>*]
        [show all|students|teachers] [countsonly]
        [timefilter creationtime|updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
        [fields <CourseFieldNameList>] [skipfields <CourseFieldNameList>]
+        (addcsvdata <FieldName> <String>)*
        [formatjson [quotechar <Character>]]
        [showitemcountonly]

@@ -3381,6 +3371,7 @@ gam print course-materials [todrive <ToDriveAttribute>*]
        (orderby <CourseMaterialOrderByFieldName> [ascending|descending])*)
        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [oneitemperrow]
        [countsonly] [formatjson [quotechar <Character>]]
 gam print course-submissions [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
@@ -3402,6 +3393,7 @@ gam print course-works [todrive <ToDriveAttribute>*]
        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseWorkFieldNameList>]
        [showstudentsaslist [<Boolean>]] [delimiter <Character>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [oneitemperrow]
        [countsonly] [formatjson [quotechar <Character>]]

 # Classroom - Student Groups
@@ -3741,16 +3733,14 @@ gam print domaincontacts|peoplecontacts [todrive <ToDriveAttribute>*]
        [sources <PeopleSourceName>]
        [query <String>]
        [mergesources <PeopleMergeSourceName>]
-        [coountsonly]
        [allfields|(fields <PeopleFieldNameList>)] [showmetadata]
-        [formatjson [quotechar <Character>]]
+        [coountsonly|(formatjson [quotechar <Character>])]
 gam show domaincontacts|peoplecontacts
        [sources <PeopleSourceName>]
        [query <String>]
        [mergesources <PeopleMergeSourceName>]
-        [coountsonly]
        [allfields|(fields <PeopleFieldNameList>)] [showmetadata]
-        [formatjson]
+        [coountsonly|formatjson]

 gam info people|peopleprofile <PeopleResourceNameEntity>
        [allfields|(fields <PeopleFieldNameList>)] [showmetadata]
@@ -3758,15 +3748,13 @@ gam info people|peopleprofile <PeopleResourceNameEntity>
 gam print people|peopleprofile [todrive <ToDriveAttribute>*]
        [query <String>]
        [mergesources <PeopleMergeSourceName>]
-        [coountsonly]
        [allfields|(fields <PeopleFieldNameList>)] [showmetadata]
-        [formatjson [quotechar <Character>]]
+        [coountsonly|(formatjson [quotechar <Character>])]
 gam show people|peopleprofile
        [query <String>]
        [mergesources <PeopleMergeSourceName>]
-        [coountsonly]
        [allfields|(fields <PeopleFieldNameList>)] [showmetadata]
-        [formatjson]
+        [coountsonly|formatjson]

 # Email Audit Monitor

@@ -4078,7 +4066,7 @@ gam print group-members [todrive <ToDriveAttribute>*]
 gam create cigroup <EmailAddress>
        [copyfrom <GroupItem>] <GroupAttribute>*
        [makeowner] [alias|aliases <CIGroupAliasList>]
-        [security|makesecuritygroup]
+        [security|makesecuritygroup] [locked]
        [dynamic <QueryDynamicGroup>]
 gam update cigroup <GroupEntity> [copyfrom <GroupItem>] <GroupAttribute>
        [security|makesecuritygroup|
@@ -4642,6 +4630,7 @@ gam report customers|customer|domain [todrive <ToDriveAttribute>*]
        [(nodatechange | limitdatechanges <Integer>) | (fulldatarequired all|<CustomerServiceNameList>)]
        [(fields|parameters <String>)|(services <CustomerServiceNameList>)] [noauthorizedapps]
        [convertmbtogb]
+        (addcsvdata <FieldName> <String>)*

 <UserServiceName> ::=
        accounts|
@@ -4664,6 +4653,7 @@ gam report users|user [todrive <ToDriveAttribute>*]
        [aggregatebydate|aggregatebyuser [Boolean]]
        [maxresults <Number>]
        [convertmbtogb]
+        (addcsvdata <FieldName> <String>)*

 # Reseller

@@ -5410,34 +5400,48 @@ gam show vaultmatters|matters [matterstate <MatterStateList>]
        [formatjson]

 gam print vaultcounts [todrive <ToDriveAttributes>*]
-        matter <MatterItem> corpus mail|groups
-        [(accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone]
-        [(shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))]
+        matter <MatterItem> <QueryItem>
+        [wait <Integer>]
+gam print vaultcounts [todrive <ToDriveAttributes>*]
+        matter <MatterItem>
+	corpus mail|groups
        [scope [all_data|held_data|unprocessed_data]]
+        [(accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone]
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
        [excludedrafts <Boolean>]
+        [<JSONData>]
        [wait <Integer>]
 gam print vaultcounts [todrive <ToDriveAttributes>*]
        matter <MatterItem> operation <String> [wait <Integer>]

-gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
-        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
-        (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+gam create vaultexport|export matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [driveclientsideencryption any|encrypted|unencrypted]
+        [includeaccessinfo <Boolean>]
+        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
+        [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
+        [format ics|mbox|pst|xml]
+        [region any|europe|us] [showdetails|returnidonly]
+
+gam create vaultexport|export matter <MatterItem> [name <String>]
+        corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
        [scope all_data|held_data|unprocessed_data]
+        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
+        (documentids  (<DriveFileIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
+        (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+        [driveversiondate <Date>|<Time>]
+        [includerooms <Boolean>]
+        (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
        [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
        [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
-        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
-        [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
+        (covereddata calllogs|textmessages|voicemails)*
        [driveclientsideencryption any|encrypted|unencrypted]
-        [includerooms <Boolean>]
+        [includeaccessinfo <Boolean>]
        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
        [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
-        [covereddata calllogs|textmessages|voicemails]
        [format ics|mbox|pst|xml]
        [region any|europe|us] [showdetails|returnidonly]
 gam delete vaultexport|export <ExportItem> matter <MatterItem>
@@ -5493,18 +5497,21 @@ gam show vaultexports|exports
        [fields <VaultExportFieldNameList>] [shownames]
        [formatjson]

+gam create vaulthold|hold matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [showdetails|returnidonly]
 gam create vaulthold|hold matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
        [(accounts|groups|users <EmailItemList>) | (orgunit|org|ou <OrgUnit>)]
        [query <QueryVaultCorpus>]
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
-        [includerooms <Boolean>] [covereddata calllogs|textmessages|voicemails]
+        [includerooms <Boolean>] (covereddata calllogs|textmessages|voicemails)*
        [includeshareddrives <Boolean>]
        [showdetails|returnidonly]
 gam update vaulthold|hold <HoldItem> matter <MatterItem>
        [([addaccounts|addgroups|addusers <EmailItemList>] [removeaccounts|removegroups|removeusers <EmailItemList>]) | (orgunit|org|ou <OrgUnit>)]
        [query <QueryVaultCorpus>]
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
-        [includerooms <Boolean>] [covereddata calllogs|textmessages|voicemails]
+        [includerooms <Boolean>] (covereddata calllogs|textmessages|voicemails)*
        [includeshareddrives <Boolean>]
        [showdetails]
 gam delete vaulthold|hold <HoldItem> matter <MatterItem>
@@ -5544,6 +5551,32 @@ gam show vaultholds|holds [matters <MatterItemList>]
 gam <UserTypeEntity> print vaultholds|holds [todrive <ToDriveAttribute>*]
 gam <UserTypeEntity> show vaultholds|holds

+gam create vaultquery <MatterItem> [name <String>]
+        corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
+        [scope all_data|held_data|unprocessed_data]
+        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
+        (documentids  (<DriveFileIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
+        (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+        [driveversiondate <Date>|<Time>]
+        [includerooms <Boolean>]
+        (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
+        [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
+        [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
+        (covereddata calllogs|textmessages|voicemails)*
+	[<JSONData>]
+        [shownames]
+        [showdetails|returnidonly|formatjson]
+
+gam copy vaultquery <MatterItem> <QueryItem> [targetmatter <MatterItem>] [name <String>]
+        [shownames]
+        [showdetails|returnidonly|formatjson]
+
+gam delete vaultquery <QueryItem> matter <MatterItem>
+gam delete vaultquery <MatterItem> <QueryItem>
+
 <VaultQueryFieldName> ::=
        createtime |
        displayname |
@@ -5725,10 +5758,9 @@ gam create|add user <EmailAddress> [ignorenullpassword] <UserAttribute>*
        [[notify <EmailAddressList>] [notifyrecoveryemail]
            [subject <String>]
            [notifypassword <String>]
-            [from <EmailAaddress>]
-            [mailbox <EmailAaddress>]
+            [from <EmailAaddress>] [mailbox <EmailAaddress>]
            [replyto <EmailAaddress>]
-            [<NotifyMessageContent>]
+            [<NotifyMessageContent>] [html [<Boolean>]]
            (replace <Tag> <UserReplacement>)*
            (replaceregex <RESearchPattern> <RESubstitution> <Tag> <UserReplacement>)*
         ]
@@ -5751,10 +5783,9 @@ gam update user <UserItem> [ignorenullpassword] <UserAttribute>*
        [[notify <EmailAddressList>] [notifyrecoveryemail]
            [subject <String>]
            [notifypassword <String>]
-            [from <EmailAaddress>]
-            [mailbox <EmailAddress>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
            [replyto <EmailAddress>]
-            [<NotifyMessageContent>]
+            [<NotifyMessageContent>] [html [<Boolean>]]
            (replace <Tag> <UserReplacement>)*
            (replaceregex <RESearchPattern> <RESubstitution> <Tag> <UserReplacement>)*
         ]
@@ -5789,10 +5820,9 @@ gam update users <UserTypeEntity> [ignorenullpassword] <UserAttribute>*
        [[notify <EmailAddressList>] [notifyrecoveryemail]
            [subject <String>]
            [notifypassword <String>]
-            [from <EmailAddress>]
-            [mailbox <EmailAddress>]
+            [from <EmailAddress>] [mailbox <EmailAddress>]
            [replyto <EmailAaddress>]
-            [<NotifyMessageContent>]
+            [<NotifyMessageContent>] [html [<Boolean>]]
            (replace <Tag> <UserReplacement>)*
            (replaceregex <RESearchPattern> <RESubstitution> <Tag> <UserReplacement>)*
        ]
@@ -5826,10 +5856,9 @@ gam <UserTypeEntity> update users [ignorenullpassword] <UserAttribute>*
        [[notify <EmailAddressList>] [notifyrecoveryemail]
            [subject <String>]
            [notifypassword <String>]
-            [from <EmailAaddress>]
-            [mailbox <EmailAddress>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
            [replyto <EmailAddress>]
-            [<NotifyMessageContent>]
+            [<NotifyMessageContent>] [html [<Boolean>]]
            (replace <Tag> <UserReplacement>)*
            (replaceregex <RESearchPattern> <RESubstitution> <Tag> <UserReplacement>)*
        ]
@@ -6268,12 +6297,11 @@ gam <UserTypeEntity> info events <UserCalendarEntity> [<EventEntity>] [maxinstan
        [formatjson]
 gam <UserTypeEntity> show events <UserCalendarEntity> [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly]
-        [formatjson]
+        [countsonly|formatjson]
 gam <UserTypeEntity> print events <UserCalendarEntity> [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly [eventrowfilter]]
-        [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
+        [eventrowfilter]]
+        [countsonly|(formatjson [quotechar <Character>])] [todrive <ToDriveAttribute>*]

 gam <UserTypeEntity> update calattendees <UserCalendarEntity> <EventEntity> [anyorganizer]
        [<EventNotificationAttribute>] [splitupdate] [dryrun|doit]
@@ -6378,13 +6406,13 @@ gam <UserTypeEntity> update chatspace <ChatSpace>
         [type space]
         [description <String>] [guidelines|rules <String>]
         [history <Boolean>])
-        [managemembersandgroups managers|members]
-        [modifyspacedetails managers|members]
-        [togglehistory managers|members]
-        [useatmentionall managers|members]
-        [manageapps managers|members]
-        [managewebhooks managers|members]
-        [replymessages managers|members]
+        [managemembersandgroups owners|managers|members]
+        [modifyspacedetails owners|managers|members]
+        [togglehistory owners|managers|members]
+        [useatmentionall owners|managers|members]
+        [manageapps owners|managers|members]
+        [managewebhooks owners|managers|members]
+        [replymessages owners|managers|members]
        [formatjson]
 gam <UserTypeEntity> delete chatspace <ChatSpace>

@@ -6445,28 +6473,28 @@ gam <UserItem> print chatspaces asadmin [todrive <ToDriveAttribute>*]
        [formatjson [quotechar <Character>]]

 gam <UserTypeEntity> create chatmember <ChatSpace>
-        [type human|bot] [role member|manager]
+        [type human|bot] [role member|manager|owner]
        (user <UserItem>)* (members <UserTypeEntity>)*
        (group <GroupItem>)* (groups <GroupEntity>)*
        [formatjson|returnidonly]
 gam <UserTypeEntity> delete chatmember <ChatSpace>
        ((user <UserItem>)|(members <UserTypeEntity>)|
         (group <GroupItem>)|(groups <GroupEntity>))+
-gam <UserTypeEntity> remove chatmember members <ChatMemberList>
+`gam <UserTypeEntity> remove chatmember members <ChatMemberList>
 gam <UserTypeEntity> update chatmember <ChatSpace>
-        role member|manager
+        role member|manager|owner
        ((user <UserItem>)|(members <UserTypeEntity>))+
 gam <UserTypeEntity> modify chatmember
-        role member|manager
+        role member|manager|owner
        members <ChatMemberList>
 gam <UserTypeEntity> sync chatmembers <ChatSpace>
-        [role member|manager] [type human|bot]
+        [role member|manager|owner] [type human|bot]
        [addonly|removeonly]
        [preview [actioncsv]]
        (users <UserTypeEntity>)* (groups <GroupEntity>)*

 gam <UserItem> create chatmember asadmin <ChatSpace>
-        [type human|bot] [role member|manager]
+        [type human|bot] [role member|manager|owner]
        (user <UserItem>)* (members <UserTypeEntity>)*
        (group <GroupItem>)* (groups <GroupEntity>)*
        [formatjson|returnidonly]
@@ -6475,13 +6503,13 @@ gam <UserItem> delete chatmember asadmin <ChatSpace>
        ((user <UserItem>)|(members <UserTypeEntity>)|
         (group <GroupItem>)|(groups <GroupEntity>))+
 gam <UserItem> update chatmember asadmin <ChatSpace>
-        role member|manager
+        role member|manager|owner
        ((user <UserItem>)|(members <UserTypeEntity>))+
 gam <UserItem> modify chatmember asadmin
-        role member|manager
+        role member|manager|owner
        members <ChatMemberList>
 gam <UserItem> sync chatmembers asadmin <ChatSpace>
-        [role member|manager] [type human|bot]
+        [role member|manager|owner`] [type human|bot]
        [addonly|removeonly]
        [preview [actioncsv]]
        (users <UserTypeEntity>)* (groups <GroupEntity>)*
@@ -6536,7 +6564,7 @@ gam <UserTypeEntity> create chatmessage <ChatSpace>
        [replyoption fail|fallback]
        [returnidonly]
 gam <UserTypeEntity> update chatmessage name <ChatMessage>
-        <ChatContent>
+        [<ChatContent>] [clearattachments <String>]
 gam <UserTypeEntity> delete chatmessage name <ChatMessage>

 <ChatMessageFieldName> ::=
@@ -7529,7 +7557,19 @@ gam <UserTypeEntity> deprovision|deprov [popimap] [signout] [turnoff2sv]
 # Users - Gmail - Delegates

 gam <UserTypeEntity> delegate to [convertalias] <UserEntity>
+        [notify [<Boolean>]
+            [subject <String>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
+            [replyto <EmailAaddress>]
+            [<NotifyMessageContent>] [html [<Boolean>]]
+        ]
 gam <UserTypeEntity> create|add delegate|delegates [convertalias] <UserEntity>
+        [notify [<Boolean>]
+            [subject <String>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
+            [replyto <EmailAaddress>]
+            [<NotifyMessageContent>] [html [<Boolean>]]
+        ]
 gam <UserTypeEntity> delete delegate|delegates [convertalias] <UserEntity>
 gam <UserTypeEntity> update delegate|delegates [convertalias] [<UserEntity>]
 gam <UserTypeEntity> show delegates|delegate [shownames] [csv]
@@ -8297,13 +8337,13 @@ gam <UserTypeEntity> info contacts
 gam <UserTypeEntity> show contacts
        <PeoplePrintShowUserContactSelection>
        [orderby firstname|lastname|(lastmodified ascending)|(lastnodified descending)
-        [countsonly|allfields|(fields <PeopleFieldNameList>)] [showgroups] [showmetadata]
-        [formatjson]
+        [allfields|(fields <PeopleFieldNameList>)] [showgroups] [showmetadata]
+        [countsonly|formatjson]
 gam <UserTypeEntity> print contacts [todrive <ToDriveAttribute>*]
        <PeoplePrintShowUserContactSelection>
        [orderby firstname|lastname|(lastmodified ascending)|(lastnodified descending)
-        [countsonly|allfields|(fields <PeopleFieldNameList>)] [[showgroups|showgroupnameslist] showmetadata]
-        [formatjson [quotechar <Character>]]
+        [allfields|(fields <PeopleFieldNameList>)] [[showgroups|showgroupnameslist] showmetadata]
+        [countsonly|(formatjson [quotechar <Character>])]

 <OtherContactsFieldName> ::=
        emailaddresses|
@@ -8537,7 +8577,7 @@ gam <UserTypeEntity> info tasklist <TasklistEntity>
 gam <UserTypeEntity> show tasklists
        [countsonly|formatjson]
 gam <UserTypeEntity> print tasklists [todrive <ToDriveAttribute>*]
-        [countsonly | (formatjson [quotechar <Character>])]
+        [countsonly|(formatjson [quotechar <Character>])]

 # Users - Shared Drives

--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,266 @@
+7.28.06
+
+Updated `gam <UserTypeEntity> info|print|show calendars` and
+`gam calendars <CalendarEntity> print|show settings` to display the
+new `dataOwner` field as described under `Additional details` below.
+
+* See: https://workspaceupdates.googleblog.com/2025/11/secondary-calendar-management-with-dedicated-owners.html
+
+7.28.04
+
+Updated commands that display Chrome device counts to display the date in the output.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Device-Counts
+
+7.28.03
+
+Improved commands to display Chrome device counts.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Device-Counts
+
+7.28.02
+
+Added commands to display Chrome device counts.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Device-Counts
+
+7.28.01
+
+Updated `gam <UserTypeEntity> show fileinfo <DriveFileEntity>` to display `displayName` as the key field
+of a `permission` not `deleted`.
+
+7.28.00
+
+Added option `addcsvdata <FieldName> <String>` to `gam report [usage] customers|users`
+that adds additional columns of data to the CSV file output. This will be most useful
+when reading a CSV of user information and you want to include some of the user information,
+e.g., orgUnitPath, in the output.
+```
+gam redirect csv ./Users.csv print users fields ou
+gam redirect csv ./UserStorageInfo.csv multiprocess csv Users.csv gam report users user "~primaryEmail" parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb,accounts:gplus_photos_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage addcsvdata orgUnitPath "~orgUnitPath"
+```
+
+7.27.05
+
+Added option `addcsvdata <FieldName> <String>` to `gam print courses`
+that adds additional columns of data to the CSV file output.
+
+The following scope is no longer necessary: `Cloud Identity API - Groups Beta (Enables group locking/unlocking)`
+as this scope `Cloud Identity API - Groups` now provides group locking/unlocking.
+
+7.27.04
+
+Added options to `gam <UserTypeEntity> create delegate` that support
+sending email notifications when a user adds a delegate.
+
+* See: https://github.com/GAM-team/GAM/wiki/Users-Gmail-Delegates#delegation-notification
+
+7.27.03
+
+Updated `gam <UserTypeEntity> create|update|sync chatmember` role specification to `role member|manager|owner`.
+This is the mapping between the Chat UI and Chat API; GAM uses the Chat UI role names.
+```
+UI: Member,  API: ROLE_MEMBER
+UI: Manager, API: ROLE_ASSISTANT_MANAGER
+UI: Owner,   API: ROLE_MANAGER
+```
+
+Updated `gam <UserTypeEntity> update chatspace` options for permission settings.
+```
+        [managemembersandgroups owners|managers|members]
+        [modifyspacedetails owners|managers|members]
+        [togglehistory owners|managers|members]
+        [useatmentionall owners|managers|members]
+        [manageapps owners|managers|members]
+        [managewebhooks owners|managers|members]
+        [replymessages owners|managers|members]
+```
+
+7.27.02
+
+Added option `clearattachments <String>` to `gam [<UserTypeMessage>] update chatmessage`
+that clears all attachments from a Chat message. If `<ChatContent>` is not specified,
+the current message text is retained and `<String>` is appended; `<String>` must be specified
+but can be empty in which case the current message test is preserved as-is.
+
+7.27.01
+
+Fixed bug in `gam <UserTypeEntity> claim ownership <DriveFileEntity> ... onlyUsers|skipusers <UserTypeEntity>`
+where the email addresses in `onlyUsers|skipusers <UserTypeEntity>` were not normalized.
+
+7.27.00
+
+Added `debug_redaction` Boolean variable to `gam.cfg`. When True, the default,
+sensitive data like access/refresh tokens, client secret and authorization codes
+are redacted from debug output. This allows you to post debug output without
+compromising your account information. Even with debug redaction,
+anything shared publicly should be double-checked for sensitive content. 
+
+7.25.01
+
+Fixed bug in `gam config timezone <String>` to handle timezone abbreviations correctly;
+they were incorrectly shifted to lowercase.
+
+7.25.00
+
+Removed a capabilty added in 7.24.00 that allowed reading command data from Google Docs and Sheets
+when a user's service account access to Drive and Sheets had been disabled. Jay was concerned
+that this change could be exploited to give access to all user's files.
+
+This capability has been replaced by issuing the following commands. The admin specified in `gam oauth create`
+can read command data from Docs and Sheets to which it has access.
+```
+gam config commanddata_clientaccess true save
+gam oauth create
+Enable the following and proceed to authorization.
+
+[*] 42)  Drive API - commanddata_clientaccess
+[*] 54)  Sheets API - commanddata_clientaccess
+```
+
+Fixed in bug in `gam report` that caused a trap with either of the `thismonth` or `previousmonths` options were used.
+
+Upgraded to Python 3.14.0.
+
+7.24.01
+
+Updated GAM to handle the following error that occurs when GAM tries to authenticate
+as a user that has been disabled by Google.
+```
+ERROR: Authentication Token Error - invalid_account: Forbidden
+```
+
+7.24.00
+
+If you want to disable a user's service account access to Drive and Sheets but still allow reading command data from Google Docs and Sheets,
+issue the following command and make these settings:
+```
+gam user user@domain.com update serviceaccount
+
+[ ] 20)  Drive API (supports readonly)
+[*] 21)  Drive API - read command data
+[ ] 42)  Sheets API (supports readonly)
+[*] 43)  Sheets API - read command data
+```
+
+7.23.07
+
+Fixed bug in `gam print|show admins` where all admin assignments were not displayed when
+`types <AdminAssigneeTypeList>` was not specified, i.e., all assignments should be displayed.
+
+7.23.06
+
+Added option `types <AdminAssigneeTypeList>` to `gam print|show admins` that allows filtering
+of admin assignments by the type of the assignee; by default, all assignee types are displayed.
+```
+<AdminAssigneeType> ::= group|user|serviceaccount|unknown
+<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
+```
+
+7.23.05
+
+Added option `recursive` that will display assignments to the members
+of security groups assigned to roles; the security group membership is recursively expanded.
+
+7.23.04
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print events`
+and `gam calendars <CalendarEntity> print events` that adds additional columns of data to the CSV file output.
+An example would be to get the calendar name in addition to the calendar ID when printing events.
+```
+gam redirect csv ./Resources.csv print resources fields email,name
+gam redirect csv ./ResourceEventCounts.csv multiprocess redirect stderr - multiprocess csv Resources.csv gam calendar "~resourceEmail" print events starttime -1y countsonly addcsvdata calendarName "~resourceName"
+```
+
+Upgraded to OpenSSL 3.6.0.
+
+7.23.03
+
+Upgraded to OpenSSL 3.5.4.
+
+7.23.02
+
+Added option `oneitemperrow` to 'gam print course-materials|course-work` to have each of a
+course's materials displayed on a separate row with all of the other course fields.
+This produces a CSV file that can be used in subsequent commands to process the materials without further script processing.
+
+7.23.00
+
+Added `chat_max_results` variable to `gam.cfg`.
+```
+chat_max_results
+    When retrieving lists of Chat items from API,
+    how many should be retrieved in each API call
+    Default: 100
+    Range: 1 - 1000
+```
+Previously, this vaule was always set to 1000 which could cause errors.
+
+7.22.07
+
+Added options `showdetails` and `returnidonly` to `gam create|copy vaultquery`.
+
+Added option `<JSONData>` to `gam create vaultexport|vaultquery` and `gam print vaultcounts`.
+
+7.22.06
+
+Added commands to create, copy and delete Vault saved queries.
+```
+gam create vaultquery <MatterItem> [name <String>]
+        corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
+        [scope all_data|held_data|unprocessed_data]
+        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
+        (documentids  (<DriveFileIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
+        (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+        [driveversiondate <Date>|<Time>]
+        [includerooms <Boolean>]
+        (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
+        [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
+        [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
+        (covereddata calllogs|textmessages|voicemails)*
+        [shownames] [formatjson]
+
+gam copy vaultquery <MatterItem> <QueryItem> [targetmatter <MatterItem>] [name <String>]
+        [shownames] [formatjson]
+
+gam delete vaultquery <QueryItem> matter <MatterItem>
+gam delete vaultquery <MatterItem> <QueryItem>
+```
+
+Added a variant of `gam print vaultcounts` that gets its query parameters from a saved Vault query.
+```
+gam print vaultcounts [todrive <ToDriveAttributes>*]
+        matter <MatterItem> <QueryItem>
+        [wait <Integer>]
+```
+
+7.22.05
+
+Added a variant of `gam create vaultexport` that gets its query parameters from a saved Vault query.
+
+```
+gam create vaultexport|export matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [driveclientsideencryption any|encrypted|unencrypted]
+        [includeaccessinfo <Boolean>]
+        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
+        [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
+        [format ics|mbox|pst|xml]
+        [region any|europe|us] [showdetails|returnidonly]
+```
+
+7.22.04
+
+Added a variant of `gam create vaulthold` that gets its parameters from a saved Vault query.
+```
+gam create vaulthold matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [showdetails|returnidonly]
+```
+
 7.22.03

 Fix backwards compatability bug introduced in 7.22.00 for `gam print users` that changed `suspended`
@@ -36,7 +299,7 @@ GAM now builds on macOS 26 Tahoe and properly identifies the OS.

 A custom build of the cryptography library is no longer needed for Windows arm64 builds as the project now releases their own build for the OS.

-Upgrade to OpenSSL 3.5.3 latest
+Upgraded to OpenSSL 3.5.3.

 7.21.01

--- a/src/gam-install.sh
+++ b/src/gam-install.sh
@@ -83,13 +83,8 @@ echo -e '\x1B[0m'

 version_gt()
 {
-# MacOS < 10.13 doesn't support sort -V
-echo "" | sort -V > /dev/null 2>&1
-vsort_failed=$?
 if [ "${1}" = "${2}" ]; then
  true
-elif (( $vsort_failed != 0 )); then
-  false
 else
  test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"
 fi
--- a/src/gam/init.py
+++ b/src/gam/init.py
--- a/src/gam/main.py
+++ b/src/gam/main.py
@@ -34,7 +34,12 @@ def main():

 # Run from command line
 if __name__ == '__main__':
-  if platform.system() != 'Linux':
+  if getattr(sys, 'frozen', False): # we're frozen:
    multiprocessing.freeze_support()
+  if platform.system() == 'Linux':
+    # set explictly since it's not default in Python < 3.14, forkserver should
+    # be safer than fork and less likely to see bulk command hangs.
+    multiprocessing.set_start_method('forkserver')
+  else:
    multiprocessing.set_start_method('spawn')
  main()
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -46,7 +46,6 @@ CLASSROOM = 'classroom'
 CLOUDCHANNEL = 'cloudchannel'
 CLOUDIDENTITY_DEVICES = 'cloudidentitydevices'
 CLOUDIDENTITY_GROUPS = 'cloudidentitygroups'
-CLOUDIDENTITY_GROUPS_BETA = 'cloudidentitygroupsbeta'
 CLOUDIDENTITY_INBOUND_SSO = 'cloudidentityinboundsso'
 CLOUDIDENTITY_ORGUNITS = 'cloudidentityorgunits'
 CLOUDIDENTITY_ORGUNITS_BETA = 'cloudidentityorgunitsbeta'
@@ -105,6 +104,8 @@ YOUTUBE = 'youtube'
 BUSINESSACCOUNTMANAGEMENT_SCOPE = 'https://www.googleapis.com/auth/business.manage'
 CHROMEVERSIONHISTORY_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms'
 DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive'
+DRIVE_FILE_SCOPE = 'https://www.googleapis.com/auth/drive.file'
+DRIVE_READONLY_SCOPE = 'https://www.googleapis.com/auth/drive.readonly'
 GMAIL_SEND_SCOPE = 'https://www.googleapis.com/auth/gmail.send'
 GOOGLE_AUTH_PROVIDER_X509_CERT_URL = 'https://www.googleapis.com/oauth2/v1/certs'
 GOOGLE_OAUTH2_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth'
@@ -156,6 +157,7 @@ OAUTH2_TOKEN_ERRORS = [
  'access_denied: Account restricted',
  'internal_failure: Backend Error',
  'internal_failure: None',
+  'invalid_account: Forbidden',
  'invalid_grant',
  'invalid_grant: Bad Request',
  'invalid_grant: Invalid email or User ID',
@@ -239,7 +241,6 @@ _INFO = {
  CLOUDCHANNEL: {'name': 'Cloud Channel API', 'version': 'v1', 'v2discovery': True},
  CLOUDIDENTITY_DEVICES: {'name': 'Cloud Identity API - Devices', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_GROUPS: {'name': 'Cloud Identity API - Groups', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDIDENTITY_GROUPS_BETA: {'name': 'Cloud Identity API - Groups Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_INBOUND_SSO: {'name': 'Cloud Identity API - Inbound SSO Settings', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_ORGUNITS: {'name': 'Cloud Identity API - OrgUnits', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_ORGUNITS_BETA: {'name': 'Cloud Identity API - OrgUnits Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
@@ -253,7 +254,7 @@ _INFO = {
  DOCS: {'name': 'Docs API', 'version': 'v1', 'v2discovery': True},
  DRIVE2: {'name': 'Drive API v2', 'version': 'v2', 'v2discovery': False, 'mappedAPI': 'drive'},
  DRIVE3: {'name': 'Drive API v3', 'version': 'v3', 'v2discovery': False, 'mappedAPI': 'drive'},
-  DRIVETD: {'name': 'Drive API v3 - todrive', 'version': 'v3', 'v2discovery': False, 'mappedAPI': 'drive'},
+  DRIVETD: {'name': 'Drive API v3 - write todrive data', 'version': 'v3', 'v2discovery': False, 'mappedAPI': 'drive'},
  DRIVEACTIVITY: {'name': 'Drive Activity API v2', 'version': 'v2', 'v2discovery': True},
  DRIVELABELS_ADMIN: {'name': 'Drive Labels API - Admin', 'version': 'v2', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
  DRIVELABELS_USER: {'name': 'Drive Labels API - User', 'version': 'v2', 'v2discovery': True, 'mappedAPI': DRIVELABELS},
@@ -283,7 +284,7 @@ _INFO = {
  SERVICEMANAGEMENT: {'name': 'Service Management API', 'version': 'v1', 'v2discovery': True},
  SERVICEUSAGE: {'name': 'Service Usage API', 'version': 'v1', 'v2discovery': True},
  SHEETS: {'name': 'Sheets API', 'version': 'v4', 'v2discovery': True},
-  SHEETSTD: {'name': 'Sheets API - todrive', 'version': 'v4', 'v2discovery': True, 'mappedAPI': SHEETS},
+  SHEETSTD: {'name': 'Sheets API - write todrive data', 'version': 'v4', 'v2discovery': True, 'mappedAPI': SHEETS},
  SITEVERIFICATION: {'name': 'Site Verification API', 'version': 'v1', 'v2discovery': True},
  STORAGE: {'name': 'Cloud Storage API', 'version': 'v1', 'v2discovery': True},
  STORAGEREAD: {'name': 'Cloud Storage API - Read', 'version': 'v1', 'v2discovery': True, 'mappedAPI': STORAGE},
@@ -384,10 +385,6 @@ _CLIENT_SCOPES = [
   'api': CLOUDIDENTITY_GROUPS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
-  {'name': 'Cloud Identity API - Groups Beta (Enables group locking/unlocking)',
-   'api': CLOUDIDENTITY_GROUPS_BETA,
-   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/cloud-identity.groups'},
  {'name': 'Cloud Identity API - Inbound SSO Settings',
   'api': CLOUDIDENTITY_INBOUND_SSO,
   'subscopes': READONLY,
@@ -400,8 +397,7 @@ _CLIENT_SCOPES = [
   'api': CLOUDIDENTITY_POLICY,
   'subscopes': READONLY,
   'roByDefault': True,
-   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'
-  },
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'},
  {'name': 'Cloud Identity API - User Invitations',
   'api': CLOUDIDENTITY_USERINVITATIONS,
   'subscopes': READONLY,
@@ -416,7 +412,7 @@ _CLIENT_SCOPES = [
   'subscopes': [],
   'offByDefault': True,
   'scope': STORAGE_READWRITE_SCOPE},
-  {'name': 'Contacts API - Domain Shared Contacts and GAL',
+  {'name': 'Contacts API - Domain Shared Contacts',
   'api': CONTACTS,
   'subscopes': [],
   'scope': 'https://www.google.com/m8/feeds'},
@@ -530,6 +526,17 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/ediscovery'},
  ]

+_COMMANDDATA_CLIENT_SCOPES = [
+  {'name': 'Drive API - commanddata_clientaccess',
+   'api': DRIVE3,
+   'subscopes': [],
+   'scope': DRIVE_READONLY_SCOPE},
+  {'name': 'Sheets API - commanddata_clientaccess',
+   'api': SHEETS,
+   'subscopes': [],
+   'scope': 'https://www.googleapis.com/auth/spreadsheets.readonly'},
+  ]
+
 _TODRIVE_CLIENT_SCOPES = [
  {'name': 'Drive API - todrive_clientaccess',
   'api': DRIVE3,
@@ -538,7 +545,7 @@ _TODRIVE_CLIENT_SCOPES = [
  {'name': 'Drive File API - todrive_clientaccess',
   'api': DRIVE3,
   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/drive.file'},
+   'scope': DRIVE_FILE_SCOPE},
  {'name': 'Gmail API - todrive_clientaccess',
   'api': GMAIL,
   'subscopes': [],
@@ -643,7 +650,8 @@ _SVCACCT_SCOPES = [
  {'name': 'Drive Activity API v2 - must pair with Drive API',
   'api': DRIVEACTIVITY,
   'subscopes': [],
-   'scope': 'https://www.googleapis.com/auth/drive.activity'},
+   'scope': [DRIVE_READONLY_SCOPE,
+             'https://www.googleapis.com/auth/drive.activity']},
  {'name': 'Drive Labels API - Admin',
   'api': DRIVELABELS_ADMIN,
   'subscopes': READONLY,
@@ -656,10 +664,12 @@ _SVCACCT_SCOPES = [
   'api': DOCS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/documents'},
-  {'name': 'Forms API',
+  {'name': 'Forms API - must pair with Drive API',
   'api': FORMS,
   'subscopes': [],
-   'scope': DRIVE_SCOPE},
+   'scope': [DRIVE_READONLY_SCOPE,
+             'https://www.googleapis.com/auth/forms.body',
+             'https://www.googleapis.com/auth/forms.responses.readonly']},
  {'name': 'Gmail API - Full Access (Labels, Messages)',
   'api': GMAIL,
   'subscopes': [],
@@ -750,9 +760,10 @@ _SVCACCT_SCOPES = [
  ]

 _SVCACCT_SPECIAL_SCOPES = [
-  {'name': 'Drive API - todrive',
+  {'name': 'Drive API - write todrive data - has access to all Drive',
   'api': DRIVETD,
   'subscopes': [],
+   'offByDefault': True,
   'scope': DRIVE_SCOPE},
  {'name': 'Gmail API - Full Access - read only',
   'api': GMAIL,
@@ -764,8 +775,9 @@ _SVCACCT_SPECIAL_SCOPES = [
   'subscopes': [],
   'offByDefault': True,
   'scope': GMAIL_SEND_SCOPE},
-  {'name': 'Sheets API - todrive',
+  {'name': 'Sheets API - write todrive data - has access to all Sheets',
   'api': SHEETSTD,
+   'offByDefault': True,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/spreadsheets'},
  ]
@@ -789,14 +801,18 @@ def getVersion(api):
 def getClientScopesSet(api):
  return {scope['scope'] for scope in _CLIENT_SCOPES if scope['api'] == api}

-def getClientScopesList(todriveClientAccess):
+def getClientScopesList(commanddataClientAccess, todriveClientAccess):
  caScopes = _CLIENT_SCOPES[:]
+  if commanddataClientAccess:
+    caScopes.extend(_COMMANDDATA_CLIENT_SCOPES)
  if todriveClientAccess:
    caScopes.extend(_TODRIVE_CLIENT_SCOPES)
  return sorted(caScopes, key=lambda k: k['name'])

-def getClientScopesURLs(todriveClientAccess):
+def getClientScopesURLs(commanddataClientAccess, todriveClientAccess):
  caScopes = _CLIENT_SCOPES[:]
+  if commanddataClientAccess:
+    caScopes.extend(_COMMANDDATA_CLIENT_SCOPES)
  if todriveClientAccess:
    caScopes.extend(_TODRIVE_CLIENT_SCOPES)
  return sorted({scope['scope'] for scope in _CLIENT_SCOPES})
--- a/src/gam/gamlib/glcfg.py
+++ b/src/gam/gamlib/glcfg.py
@@ -69,6 +69,8 @@ CACHE_DISCOVERY_ONLY = 'cache_discovery_only'
 CHANNEL_CUSTOMER_ID = 'channel_customer_id'
 # Character set of batch, csv, data files
 CHARSET = 'charset'
+# When retrieving lists of Chat items from API, how many should be retrieved in each chunk
+CHAT_MAX_RESULTS = 'chat_max_results'
 # When retrieving lists of Google Classroom items from API, how many should be retrieved in each chunk
 CLASSROOM_MAX_RESULTS = 'classroom_max_results'
 # Path to client_secrets.json
@@ -83,6 +85,8 @@ CMDLOG_MAX__BACKUPS = 'cmdlog_max__backups'
 CMDLOG_MAX_BACKUPS = 'cmdlog_max_backups'
 # Command logging max kilo bytes per log file
 CMDLOG_MAX_KILO_BYTES = 'cmdlog_max_kilo_bytes'
+# Use client access for command data from Google Docs/Sheets
+COMMANDDATA_CLIENTACCESS = 'commanddata_clientaccess'
 # GAM config directory containing client_secrets.json, oauth2.txt, oauth2service.json, extra_args.txt
 CONFIG_DIR = 'config_dir'
 # When retrieving lists of Google Contacts from API, how many should be retrieved in each chunk
@@ -145,6 +149,8 @@ CSV_OUTPUT_USERS_AUDIT = 'csv_output_users_audit'
 CUSTOMER_ID = 'customer_id'
 # If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
 DEBUG_LEVEL = 'debug_level'
+# redact sensitive credentials from debug output
+DEBUG_REDACTION = 'debug_redaction'
 # Developer Preview API Key
 DEVELOPER_PREVIEW_API_KEY = 'developer_preview_api_key'
 # When retrieving lists of ChromeOS devices from API, how many should be retrieved in each chunk
@@ -335,12 +341,14 @@ Defaults = {
  CACHE_DISCOVERY_ONLY: TRUE,
  CHARSET: DEFAULT_CHARSET,
  CHANNEL_CUSTOMER_ID: '',
+  CHAT_MAX_RESULTS: '100',
  CLASSROOM_MAX_RESULTS: '0',
  CLIENT_SECRETS_JSON: FN_CLIENT_SECRETS_JSON,
  CLOCK_SKEW_IN_SECONDS: '10',
  CMDLOG: '',
  CMDLOG_MAX_BACKUPS: 5,
  CMDLOG_MAX_KILO_BYTES: 1000,
+  COMMANDDATA_CLIENTACCESS: FALSE,
  CONFIG_DIR: '',
  CONTACT_MAX_RESULTS: '100',
  CSV_INPUT_COLUMN_DELIMITER: ',',
@@ -372,6 +380,7 @@ Defaults = {
  CSV_OUTPUT_USERS_AUDIT: FALSE,
  CUSTOMER_ID: MY_CUSTOMER,
  DEBUG_LEVEL: '0',
+  DEBUG_REDACTION: TRUE,
  DEVELOPER_PREVIEW_API_KEY: '',
  DEVICE_MAX_RESULTS: '200',
  DOMAIN: '',
@@ -502,12 +511,14 @@ VAR_INFO = {
  CACHE_DISCOVERY_ONLY: {VAR_TYPE: TYPE_BOOLEAN, VAR_SIGFILE: 'allcache.txt', VAR_SFFT: (TRUE, FALSE)},
  CHARSET: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GAM_CHARSET', VAR_LIMITS: (1, None)},
  CHANNEL_CUSTOMER_ID: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
+  CHAT_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
  CLASSROOM_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (0, 1000)},
  CLIENT_SECRETS_JSON: {VAR_TYPE: TYPE_FILE, VAR_ENVVAR: 'CLIENTSECRETS', VAR_ACCESS: os.R_OK},
  CLOCK_SKEW_IN_SECONDS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (10, 3600)},
  CMDLOG: {VAR_TYPE: TYPE_FILE, VAR_ACCESS: os.W_OK},
  CMDLOG_MAX_BACKUPS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 10)},
  CMDLOG_MAX_KILO_BYTES: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (100, 10000)},
+  COMMANDDATA_CLIENTACCESS: {VAR_TYPE: TYPE_BOOLEAN},
  CONFIG_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMUSERCONFIGDIR'},
  CONTACT_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 10000)},
  CSV_INPUT_COLUMN_DELIMITER: {VAR_TYPE: TYPE_CHARACTER},
@@ -539,6 +550,7 @@ VAR_INFO = {
  CSV_OUTPUT_USERS_AUDIT: {VAR_TYPE: TYPE_BOOLEAN},
  CUSTOMER_ID: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'CUSTOMER_ID', VAR_LIMITS: (0, None)},
  DEBUG_LEVEL: {VAR_TYPE: TYPE_INTEGER, VAR_SIGFILE: 'debug.gam', VAR_LIMITS: (0, None), VAR_SFFT: ('0', '4')},
+  DEBUG_REDACTION: {VAR_TYPE: TYPE_BOOLEAN},
  DEVELOPER_PREVIEW_API_KEY: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
  DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
  DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
--- a/src/gam/gamlib/glclargs.py
+++ b/src/gam/gamlib/glclargs.py
@@ -754,6 +754,7 @@ class GamCLArgs():
  ARG_CHATSPACE = 'chatspace'
  ARG_CHATSPACES = 'chatspaces'
  ARG_CHATSPACEDM = 'chatspacedm'
+  ARG_CHROMEDEVICECOUNTS = 'chromedevicecounts'
  ARG_CHROMEAPP = 'chromeapp'
  ARG_CHROMEAPPS = 'chromeapps'
  ARG_CHROMEAPPDEVICES = 'chromeappdevices'
@@ -1138,6 +1139,7 @@ class GamCLArgs():
  OB_ARGUMENT = 'argument'
  OB_ASP_ID_LIST = 'ASPIDList'
  OB_ASSET_ID = 'AssetID'
+  OB_ADMIN_ASSIGNEE_TYPE_LIST = 'AdminAssigneeTypeList'
  OB_BROWSER_ENROLLEMNT_TOKEN_ID = 'BrowserEnrollmentTokenID'
  OB_BROWSER_ENTITY = 'BrowserEntity'
  OB_BUILDING_ID = 'BuildingID'
@@ -1216,6 +1218,7 @@ class GamCLArgs():
  OB_DOMAIN_NAME_LIST = 'DomainNameList'
  OB_DRIVE_FILE_ENTITY = 'DriveFileEntity'
  OB_DRIVE_FILE_ID = 'DriveFileID'
+  OB_DRIVE_FILE_ID_LIST = 'DriveFileIDList'
  OB_DRIVE_FILE_NAME = 'DriveFileName'
  OB_DRIVE_FILE_PERMISSION_ENTITY = 'DriveFilePermissionEntity'
  OB_DRIVE_FILE_PERMISSION_ID = 'DriveFilePermissionID'
--- a/src/gam/gamlib/glentity.py
+++ b/src/gam/gamlib/glentity.py
@@ -96,6 +96,7 @@ class GamEntity():
  CHAT_MEMBER_USER = 'chmu'
  CHAT_MESSAGE = 'chms'
  CHAT_MESSAGE_ID = 'chmi'
+  CHAT_OWNER_USER = 'chou'
  CHAT_SPACE = 'chsp'
  CHAT_THREAD = 'chth'
  CHILD_ORGANIZATIONAL_UNIT = 'corg'
@@ -105,6 +106,7 @@ class GamEntity():
  CHROME_BROWSER_ENROLLMENT_TOKEN = 'cbet'
  CHROME_CHANNEL = 'chan'
  CHROME_DEVICE = 'chdv'
+  CHROME_DEVICE_COUNT = 'chdc'
  CHROME_MODEL = 'chmo'
  CHROME_NETWORK_ID = 'chni'
  CHROME_NETWORK_NAME = 'chnn'
@@ -462,6 +464,7 @@ class GamEntity():
    CHAT_MEMBER: ['Chat Members', 'Chat Member'],
    CHAT_MEMBER_GROUP: ['Chat Group Members', 'Chat Group Member'],
    CHAT_MEMBER_USER: ['Chat User Members', 'Chat User Member'],
+    CHAT_OWNER_USER: ['Chat User Owners', 'Chat User Owner'],
    CHAT_SPACE: ['Chat Spaces', 'Chat Space'],
    CHAT_THREAD: ['Chat Threads', 'Chat Thread'],
    CHILD_ORGANIZATIONAL_UNIT: ['Child Organizational Units', 'Child Organizational Unit'],
@@ -471,6 +474,7 @@ class GamEntity():
    CHROME_BROWSER_ENROLLMENT_TOKEN: ['Chrome Browser Enrollment Tokens', 'Chrome Browser Enrollment Token'],
    CHROME_CHANNEL: ['Chrome Channels', 'Chrome Channel'],
    CHROME_DEVICE: ['Chrome Devices', 'Chrome Device'],
+    CHROME_DEVICE_COUNT: ['Chrome Device Counts', 'Chrome Device Count'],
    CHROME_MODEL: ['Chrome Models', 'Chrome Model'],
    CHROME_NETWORK_ID: ['Chrome Network IDs', 'Chrome Network ID'],
    CHROME_NETWORK_NAME: ['Chrome Network Names', 'Chrome Network Name'],
--- a/src/gam/gamlib/glglobals.py
+++ b/src/gam/gamlib/glglobals.py
@@ -107,6 +107,8 @@ CURRENT_SVCACCT_USER = 'csa'
 DATETIME_NOW = 'dtno'
 # If debug_level > 0: extra_args['prettyPrint'] = True, httplib2.debuglevel = gam_debug_level, appsObj.debug = True
 DEBUG_LEVEL = 'dbgl'
+# Whether debug output should redact sensitive credentials
+DEBUG_REDACTION = 'dbrd'
 # Decoded ID token
 DECODED_ID_TOKEN = 'didt'
 # Index of start of <UserTypeEntity> in command line
@@ -263,6 +265,7 @@ Globals = {
  CURRENT_SVCACCT_USER: None,
  DATETIME_NOW: None,
  DEBUG_LEVEL: 0,
+  DEBUG_REDACTION: True,
  DECODED_ID_TOKEN: None,
  ENTITY_CL_DELAY_START: 1,
  ENTITY_CL_START: 1,
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -224,6 +224,8 @@ COUNT_N_EXCEEDS_MAX_TO_PROCESS_M = 'Count {0} exceeds maximum to {1} {2}'
 CORRUPT_FILE = 'Corrupt file'
 COULD_NOT_FIND_ANY_YUBIKEY = 'Could not find any YubiKey\n'
 COULD_NOT_FIND_YUBIKEY_WITH_SERIAL = 'Could not find YubiKey with serial number {0}\n'
+CREATE_DELEGATE_NOTIFY_MESSAGE = '#user# has granted you #delegate# access to read, delete and send mail on their behalf.'
+CREATE_DELEGATE_NOTIFY_SUBJECT = '#user# mail delegation to #delegate#'
 CREATE_USER_NOTIFY_MESSAGE = 'Hello #givenname# #familyname#,\n\nYou have a new account at #domain#\nAccount details:\nUsername: #user#\nPassword: #password#\nStart using your new account by signing in at\nhttps://www.google.com/accounts/AccountChooser?Email=#user#&continue=https://workspace.google.com/dashboard\n'
 CREATE_USER_NOTIFY_SUBJECT = 'Welcome to #domain#'
 CSV_DATA_ALREADY_SAVED = 'CSV data already saved'
@@ -516,7 +518,7 @@ To set up Google Chat for your current project, please go to:

 and follow the instructions at:

-    https://github.com/GAM-team/GAM/wiki/Chat-Bot#set-up-a-chat-bot
+    https://github.com/GAM-team/GAM/wiki/Chat-Bot-Setup-Use#set-up-a-chat-bot

    You'll use projects/{1}/topics/no-topic in Connection settings Cloud Pub/Sub Topic Name
 """
--- a/wiki/Administrators.md
+++ b/wiki/Administrators.md
@@ -19,6 +19,8 @@

 ## Definitions
 ```
+<AdminAssigneeType> ::= group|user|serviceaccount|unknown
+<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
 <GroupItem> ::= <EmailAddress>|<UniqueID>|<String>
@@ -1475,16 +1477,25 @@ gam delete admin <RoleAssignmentId>
 ## Display administrators
 ```
 gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
-        [privileges] [oneitemperrow]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
+        [types <AdminAssigneeTypeList>]
+        [recursive] [condition] [privileges] [oneitemperrow]
 gam show admins
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>]
+        [types <AdminAssigneeTypeList>]
+        [recursive] [condition] [privileges]
 ```
 By default, all administrators and roles are displayed; choose from the following
 options to limit the display:
-* `user <UserItem>` -  Display only this administrator
+* `user|group <EmailAddress>|<UniqueID>` - Display assignments to this administrator
 * `role <RoleItem>` - Display only administrators with this role

+By default, all admin assignee types are displayed. use `types <AdminAssigneeTypeList>` to filter
+admin assignments by the type of the assignee.
+
+By default, assignments to security groups are displayed as a single item; use `recursive`
+to display assignments to the members of the security groups; the security group membershop is recursively expanded.
+
 * `condition` - Display any conditions associated with a role assignment
 * `privileges` - Display privileges associated with each role assignment

@@ -1513,9 +1524,7 @@ gam config csv_input_row_filter "scopeType:regex:ORG_UNIT" redirect stdout ./Upd
 ```

 ## Copy non-system admin roles from a source workspace to a target workspace
-This requires GAM version 7.18.01 or higher.
-
-In the source workspace to the following:
+In the source workspace do the following:
 ```
 gam redirect csv ./SourceNonSystemRoles.csv print adminroles privileges nosystemroles formatjson quotechar "'"
 ```
--- a/wiki/Basic-Items.md
+++ b/wiki/Basic-Items.md
@@ -265,6 +265,7 @@
 ## Named items
 ```
 <AccessToken> ::= <String>
+<AdminAssigneeType> ::= group|user|serviceaccount|unknown
 <AlertID> ::= <String>
 <APIScopeURL> ::= <String>
 <APPID> ::= <String>
@@ -462,6 +463,7 @@
        See: https://support.google.com/mail/answer/7190
 <QueryGroup> ::= <String>
        See: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+<QueryItem> ::= <UniqueID>|<String>
 <QueryMemberRestrictions> ::= <String>
        See: https://cloud.google.com/identity/docs/reference/rest/v1beta1/SecuritySettings#MemberRestriction
 <QueryMobile> ::= <String>
--- a/wiki/Business-Account-Management.md
+++ b/wiki/Business-Account-Management.md
@@ -9,8 +9,6 @@


 ## Introduction
-These features were added in version 7.18.00.
-
 To use these commands you add the 'Business Account Management API' to your project and update client authorization.
 ```
 gam update project
--- a/wiki/Calendars-Events.md
+++ b/wiki/Calendars-Events.md
@@ -567,7 +567,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam calendar <CalendarEntity> show events [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsly] [formatjson]
+        [countsly|formatjson]
 ```
 In `<EventEntity>`, any `<EventSelectProperty>` options must precede all other options.

@@ -586,8 +586,9 @@ By default, Gam displays event details, use `countsonly` to display only the num
 ```
 gam calendar <CalendarEntity> print events [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly [eventrowfilter]]
-        [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
+        (addcsvdata <FieldName> <String>)*
+        [eventrowfilter]
+        [countsonly|(formatjson [quotechar <Character>])] [todrive <ToDriveAttribute>*]
 ```
 In `<EventEntity>`, any `<EventSelectProperty>` options must precede all other options.

@@ -598,6 +599,9 @@ option `singleevents` to display all instances of a recurring event.

 `showdayofweek` displays columns `start.dayOfWeek` and `end.dayOfWeek` when event start and end times are displayed.

+Add additional columns of data from the command line to the output after the calendarId.
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

--- a/wiki/Calendars.md
+++ b/wiki/Calendars.md
@@ -34,6 +34,7 @@ Client access works when accessing Resource calendars.

 <CalendarSettingsField> ::=
        conferenceproperties|
+        dataowner|
        description|
        id|
        location|
--- a/wiki/Chat-Bot-Setup-Use.md
+++ b/wiki/Chat-Bot-Setup-Use.md
@@ -43,7 +43,7 @@ Even if you're not going to use GAM as a Chat Bot, you have to configure a Chat
 * Uncheck "Build this Chat app as a Workspace add-on."
 * Enter an App name and Description of your choosing.
 * For the Avatar URL you can use `https://dummyimage.com/384x256/4d4d4d/0011ff.png&text=+GAM` or a public URL to an image of your own choosing.
-* In Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations"
+* Inƒ Functionality, uncheck both "Receive 1:1 messages" and "Join spaces and group conversations" if present
 * In Connection settings, choose "Cloud Pub/Sub" and enter `projects/<ProjectID>/topics/no-topic` for the Topic Name. Replace `<ProjectID>` with your GAM project ID. GAM doesn't yet listen to pub/sub so this option is not used.
 * In Visibility, uncheck "Make this Chat app available to specific people and groups in Domain Workspace".
 * Click Save.
@@ -288,7 +288,7 @@ gam create chatmessage spaces spaces/AAAADi-pvqc gdoc announcements@domain.com n
 Updates and rewrites an existing Chat message. Message will show as edited and no notification will be sent to members.
 ```
 gam update chatmessage name <ChatMessage>
-        <ChatContent>
+        [<ChatContent>] [clearattachments <String>]
 ```
 Specify the source of the message:
 * `text <String>` - The message is `<String>`
@@ -296,12 +296,22 @@ Specify the source of the message:
 * `gdoc <UserGoogleDoc>` - The message is read from a Google Doc.
 * `gcsdoc <StorageBucketObjectName>` - The message is read from a Google Cloud Storage file.

+The option `clearattachments <String>` can be used to clear all attachments from a Chat message.
+If `<ChatContent>` is not specified, the current message text is retained and `<String>` is appended;
+`<String>` must be specified but can be empty in which case the current message test is preserved as-is.
+
 ### Example
+
 This example updates an existing chat message with new text.
 ```
 gam update chatmessage name spaces/AAAADi-pvqc/messages/PKJrx90ooIU.PKJrx90ooIU text "HELLO CHAT?"
 ```

+This example clears attachments from a chat message and appends ` - Attachments cleared`
+to the current message text.
+```
+gam update chatmessage name spaces/AAAADi-pvqc/messages/PKJrx90ooIU.PKJrx90ooIU clearattachments " - Attachments cleared"
+```
 ----

 ## Delete a Chat Message
--- a/wiki/Chrome-Device-Counts.md
+++ b/wiki/Chrome-Device-Counts.md
@@ -0,0 +1,65 @@
+# Chrome Device Counts
+- [API documentation](#api-documentation)
+- [Notes](#notes)
+- [Definitions](#definitions)
+- [Count titles](#count-titles)
+- [Display Chrome device counts](#display-chrome-device-counts)
+
+## API documentation
+* [Chrome Management API - Count Active Devices](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countActiveDevices)
+* [Chrome Management API - Count Devices per Boot Type](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countDevicesPerBootType)
+* [Chrome Management API - Count Devices per Release Channel](https://developers.google.com/chrome/management/reference/rest/v1/customers.reports/countDevicesPerReleaseChannel)
+
+## Notes
+To use these features you must add the `Chrome Management API` to your project and authorize
+the appropriate scope: `Chrome Management API - read only`.
+```
+gam update project
+gam oauth create
+```
+
+## Definitions
+```
+<Date> ::=
+        <Year>-<Month>-<Day> |
+        (+|-)<Number>(d|w|y) |
+        today
+```
+
+## Count titles
+`active` - `sevenDaysCount,thirtyDaysCount`
+`perboottype` - `devBootTypeCount,unreportedBootTypeCount,verifiedBootTypeCount`
+`perreleasechanneel` - `betaChannelCount,canaryChannelCount,devChannelCount,ltcChannelCount,ltsChannelCount,stableChannelCount,unreportedChannelCount,unsupportedChannelCount`
+
+## Display Chrome device counts
+```
+gam show chromedevicecounts
+        (mode all|active|perboottype|perreleasechannel)*
+        [date <Date>]
+        [formatjson]
+```
+By default, `mode all` is selected
+
+By default, `date today` is selected.
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam print chromedevicecounts [todrive <ToDriveAttribute>*]
+        (mode all|active|perboottype|perreleasechannel)*
+        [date <Date>]
+        [formatjson [quotechar <Character>]]
+```
+By default, `mode all` is selected
+
+By default, `date today` is selected.
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
--- a/wiki/Chrome-Installed-Apps.md
+++ b/wiki/Chrome-Installed-Apps.md
@@ -1,9 +1,9 @@
-# Chrome Installed Apps Counts
+# Chrome Installed Apps
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
 - [Display Chrome installed app details](#display-chrome-installed-app-details)
- [Display Chrome installed apps counts](#display-chrome-installed-apps-counts)
+- [Display Chrome installed apps](#display-chrome-installed-apps)
 - [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)

 ## API documentation
@@ -54,7 +54,7 @@ gam info chromeapp android|chrome|web <AppID>
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

-## Display Chrome installed apps counts
+## Display Chrome installed apps
 ```
 gam show chromeapps
        [(ou <OrgUnitItem>)|(ou_and_children <OrgUnitItem>)|
--- a/wiki/Chrome-Policies.md
+++ b/wiki/Chrome-Policies.md
@@ -228,6 +228,17 @@ Restrict students from accessing Blocked URLs.
 ```
 gam update chromepolicy chrome.users.UrlBlocking urlBlocklist "https://socialmedia.com,https://videowebsite.com" orgunit "/Students"
 ```
+The Policy API and GAM have no ability to edit lists, you have to supply the complete list.
+```
+# Get the current policy
+gam redirect stdout ./urlBlockList.json show chromepolicies filter chrome.users.UrlBlocking orgunit "/Students" formatjson
+
+# Edit urlBlockList.json to add the new URL(s)
+{"additionalTargetKeys": [], "direct": true, "fields": [{"name": "urlBlocklist", "value": "https://socialmedia.com,https://videowebsite.com,https://nogo.com"}, {"name": "chromeInternalUrlsBlocked", "value": false}], "name": "chrome.users.UrlBlocking", "orgUnitPath": "/Students", "parentOrgUnitPath": "/"}
+
+# Update the policy
+gam update chromepolicies chrome.users.UrlBlocking json file urlBlockList.json orgunit "/Students"
+```
 For managed browsers, specify that users can only sign into managed accounts belonging to company/school domains.
 ```
 gam update chromepolicy chrome.users.SecondaryGoogleAccountSignin allowedDomainsForApps company.com,company.net orgunit "/Managed Browsers"
@@ -243,7 +254,6 @@ Allowlist the Google Translate extension for the Students OrgUnit
 ```
 gam update chromepolicy chrome.users.apps.InstallType appInstallType ALLOWED app_id chrome:aapbdbdomjkkjkaonfhkkikfgjllcleb ou "/Students"
 ```
-
 ## Delete Chrome policy
 You can delete a policy for all devices/users within an OU, users with a group or for a specific printer or application within an OU.

--- a/wiki/Chrome-Profile-Management.md
+++ b/wiki/Chrome-Profile-Management.md
@@ -10,8 +10,6 @@
 - [Display Chrome Profile commands](#display-chrome-profile-commands)

 ## Introduction
-These features were added in version 7.01.00.
-
 To use these commands you must update your client authorization.
 ```
 gam oauth create
--- a/wiki/ChromeOS-Devices.md
+++ b/wiki/ChromeOS-Devices.md
@@ -410,7 +410,7 @@ gam update ou csvkmd cros.csv keyfield OU datafield deviceId add croscsvdata dev
 gam <CrOSTypeEntity> update action <CrOSAction> [acknowledge_device_touch_requirement]
        [actionbatchsize <Integer>]
 ```
-As of GAM version `6.67.00`, the new API function `batchChangeStatus` replaces the old API function `action`; ChromeOS devices are now processed in batches.
+ChromeOS devices are now processed in batches.
 The batch size defaults to 10, the `actionbatchsize <Integer>` option can be used to set a batch size between 10 and 250.

 As deprovisioning ChromeOS devices is not reversible, you must enter `acknowledge_device_touch_requirement`
@@ -711,7 +711,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print cros query "sync:..2020-01-01" showitemcountonly)
 Windows PowerShell
-count = & gam print cros query "sync:..2020-01-01" showitemcountonly
+$count = & gam print cros query "sync:..2020-01-01" showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print cros query "sync:..2020-01-01" showitemcountonly') do set count=%a
 ```

 ## Print ChromeOS device activity
--- a/wiki/Classroom-Courses.md
+++ b/wiki/Classroom-Courses.md
@@ -441,8 +441,10 @@ gam print courses [todrive <ToDriveAttribute>*]
        [owneremail] [owneremailmatchpattern <REMatchPattern>]
        [alias|aliases|aliasesincolumns [delimiter <Character>]]
        [show all|students|teachers] [countsonly]
-        [fields <CourseFieldNameList>] [skipfields <CourseFieldNameList>] [formatjson [quotechar <Character>]]
        [timefilter creationtime|updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [fields <CourseFieldNameList>] [skipfields <CourseFieldNameList>] [formatjson [quotechar <Character>]]
+        (addcsvdata <FieldName> <String>)*
+        [formatjson [quotechar <Character>]]
 ```
 By default, the `print courses` command displays information about all courses.

@@ -477,6 +479,7 @@ By default, all basic course fields are displayed; use the following options to
    * `countsonly` - Eliminates the student/teacher profile information and outputs only the student/teacher counts.
 * `fields <CourseFieldNameList>` - Select specific basic fields to display.
 * `skipfields <CourseFieldNameList>` - Select specific basic fields to eliminate from display; typically used with `coursematerialsets`.
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
@@ -511,7 +514,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print courses states active showitemcountonly)
 Windows PowerShell
-count = & gam print courses states active showitemcountonly
+$count = & gam print courses states active showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print courses states active showitemcountonly') do set count=%a
 ```

 ## Display course announcements
@@ -570,6 +575,7 @@ gam print course-materials [todrive <ToDriveAttribute>*]
        (orderby <CourseMaterialOrderByFieldName> [ascending|descending])*)
        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [oneitemperrow]
        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-materials` command displays course materials information for all courses.
@@ -600,6 +606,10 @@ By default, all course materials fields are displayed; use the following options
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseMaterialsFieldNameList>` - Select specific fields to display.

+With `print course-materials`, the materials selected for display are all output on one row/line as a repeating item with the other course fields.
+When `oneitemperrow` is specified, each material is output on a separate row/line with the other course fields.
+This simplifies processing the materials in the CSV file with subsequent Gam commands.
+
 Use the `countsonly` option to display the number of course materials in a course but not their details.

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
@@ -662,6 +672,7 @@ gam print course-work [todrive <ToDriveAttribute>*]
        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>]
        [showstudentsaslist [<Boolean>]] [delimiter <Character>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [oneitemperrow]
        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-work` command displays course work information for all courses.
@@ -695,6 +706,10 @@ By default, all course work fields are displayed; use the following options to m
 By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
 Use options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to display the student IDs is a single column as a delimited list.

+With `print course-work`, any materials are all output on one row/line as a repeating item with the other course fields.
+When `oneitemperrow` is specified, each material is output on a separate row/line with the other course fields.
+This simplifies processing the materials in the CSV file with subsequent Gam commands.
+
 Use the `countsonly` option to display the number of course works in a course but not their details.

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
--- a/wiki/Classroom-Membership.md
+++ b/wiki/Classroom-Membership.md
@@ -163,5 +163,7 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print course-participants teacher asmith states active show students showitemcountonly)
 Windows PowerShell
-count = & gam print course-participants teacher asmith states active show students showitemcountonly
+$count = & gam print course-participants teacher asmith states active show students showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print course-participants teacher asmith states active show students showitemcountonly') do set count=%a
 ```
--- a/wiki/Classroom-StudentGroups.md
+++ b/wiki/Classroom-StudentGroups.md
@@ -269,5 +269,7 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print course-participants teacher asmith states active show students showitemcountonly)
 Windows PowerShell
-count = & gam print course-participants teacher asmith states active show students showitemcountonly
+$count = & gam print course-participants teacher asmith states active show students showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print course-participants teacher asmith states active show students showitemcountonly') do set count=%a
 ```
--- a/wiki/Cloud-Identity-Devices.md
+++ b/wiki/Cloud-Identity-Devices.md
@@ -272,7 +272,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print devices queries "'model:Mac'" showitemcountonly)
 Windows PowerShell
-count = & gam print devices queries "'model:Mac'" showitemcountonly
+$count = & gam print devices queries "'model:Mac'" showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print devices queries "'model:Mac'" showitemcountonly') do set count=%a
 ```

 ## Approve or block device users
@@ -363,7 +365,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print deviceusers queries "'model:Mac'" showitemcountonly)
 Windows PowerShell
-count = & gam print deviceusers queries "'model:Mac'" showitemcountonly
+$count = & gam print deviceusers queries "'model:Mac'" showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print deviceusers queries "'model:Mac'" showitemcountonly') do set count=%a
 ```


--- a/wiki/Cloud-Identity-Groups.md
+++ b/wiki/Cloud-Identity-Groups.md
@@ -11,7 +11,7 @@

 ## API documentation
 * [Cloud Identity Groups Overview](https://cloud.google.com/identity/docs/groups)
-* [Create and Manage Groups uning API](https://support.google.com/a/answer/10427204)
+* [Create and Manage Groups using API](https://support.google.com/a/answer/10427204)
 * [Cloud Identity Groups API - Groups](https://cloud.google.com/identity/docs/reference/rest/v1/groups)
 * [Restrict Group Membership](https://support.google.com/a/answer/11192679)
 * [Lock Groups Beta](https://workspaceupdates.googleblog.com/2024/12/locked-groups-open-beta.html)
@@ -26,15 +26,6 @@

 ## Notes

-In version 7.02.01 options `locked` and `unlocked` wre added to `gam update cigroups` that allow locking groups.
-
-* See: https://workspaceupdates.googleblog.com/2024/12/locked-groups-open-beta.html
-
-You'll have to do a `gam oauth create` and enable the following scope to use these options:
-```
-[*] 22)  Cloud Identity Groups API Beta (Enables group locking/unlocking)
-```
-
 In the Admin Directory API a group has the following characteristics:
 * `id` - The unique ID of a group
 * `email` - The group's email address
@@ -245,7 +236,7 @@ to set `<GroupAttribute>`.
 gam create cigroup <EmailAddress>
        [copyfrom <GroupItem>] <GroupAttribute>*
        [makeowner] [alias|aliases <CIGroupAliasList>]
-        [security|makesecuritygroup]
+        [security|makesecuritygroup] [locked]
        [dynamic <QueryDynamicGroup>]
 gam update cigroup <GroupEntity> [copyfrom <GroupItem>] <GroupAttribute>
        [security|makesecuritygroup|
@@ -467,5 +458,7 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print cigroups showitemcountonly)
 Windows PowerShell
-count = & gam print cidgroups showitemcountonly
+$count = & gam print cigroups showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print cigroups showitemcountonly') do set count=%a
 ```
--- a/wiki/Cloud-Identity-Policies.md
+++ b/wiki/Cloud-Identity-Policies.md
@@ -53,286 +53,7 @@ You must enable access to policies in the GCP cloud console.
 These are the supported policies GAM can show today.

 See: https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings
-```
-user_takeout_status (is takeout enabled for service)
-  blogger.user_takeout
-  books.user_takeout
-  location_history.user_takeout
-  maps.user_takeout
-  pay.user_takeout
-  photos.user_takeout
-  play.user_takeout
-  play_console.user_takeout
-  youtube.user_takeout
-service_status (is service enabled)
-  ad_manager
-  ads
-  adsense
-  alerts
-  analytics
-  applied_digital_skills
-  appsheet
-  arts_and_culture
-  beyondcorp_enterprise
-  blogger
-  bookmarks
-  books
-  calendar
-  campaign_manager
-  chat
-  chrome_canvas
-  chrome_remote_desktop
-  chrome_sync
-  chrome_web_store
-  classroom
-  cloud
-  cloud_search
-  colab
-  cs_first
-  data_studio
-  developers
-  domains
-  drive_and_docs
-  earth
-  enterprise_service_restrictions
-  experimental_apps
-  feedburner
-  fi
-  gmail
-  groups
-  groups_for_business
-  jamboard
-  keep
-  location_history
-  managed_play
-  maps
-  material_gallery
-  meet
-  merchant_center
-  messages
-  migrate
-  my_business
-  my_maps
-  news
-  partner_dash
-  pay
-  pay_for_business
-  photos
-  pinpoint
-  play
-  play_books_partner_center
-  play_console
-  public_data
-  question_hub
-  scholar_profiles
-  search_ads_360
-  search_and_assistant
-  search_console
-  sites
-  socratic
-  takeout
-  tasks
-  third_party_app_backups
-  translate
-  trips
-  vault
-  voice
-  work_insights
-  youtube
-calendar.appointment_schedules
-  enablePayments
-chat.chat_apps_access
-  enableApps
-  enableWebhooks
-chat.chat_file_sharing
-  externalFileSharing
-  internalFileSharing
-chat.chat_history
-  enableChatHistory
-  historyOnByDefault
-  allowUserModification
-chat.external_chat_restriction
-  allowExternalChat
-chat.space_history
-  historyState
-classroom.api_data_access
-  enableApiAccess
-classroom.class_membership
-  whoCanJoinClasses
-  whichClassesCanUsersJoin
-classroom.guardian_access
-  allowAccess
-  whoCanManageGuardianAccess
-classroom.originality_reports
-  enableOriginalityReportsSchoolMatches
-classroom.roster_import
-  rosterImportOption
-classroom.student_unenrollment
-  whoCanUnenrollStudents
-classroom.teacher_permissions
-  whoCanCreateClasses
-cloud_sharing_options.cloud_data_sharing
-  sharingOptions
-detector.regular_expression
-  displayName
-  regularExpression
-  createTime
-  updateTime
-detector.word_list
-  displayName
-  wordList
-  createTime
-  updateTime
-  description
-drive_and_docs.drive_for_desktop
-  allowDriveForDesktop
-  restrictToAuthorizedDevices
-  showDownloadLink
-  allowRealTimePresence
-drive_and_docs.external_sharing
-  externalSharingMode
-  allowReceivingExternalFiles
-  warnForSharingOutsideAllowlistedDomains
-  allowReceivingFilesOutsideAllowlistedDomains
-  allowNonGoogleInvitesInAllowlistedDomains
-  warnForExternalSharing
-  allowNonGoogleInvites
-  allowPublishingFiles
-  accessCheckerSuggestions
-  allowedPartiesForDistributingContent
-drive_and_docs.file_security_update
-  securityUpdate
-  allowUsersToManageUpdate
-drive_and_docs.shared_drive_creation
-  allowSharedDriveCreation
-  orgUnitForNewSharedDrives
-  customOrgUnit
-  allowManagersToOverrideSettings
-  allowExternalUserAccess
-  allowNonMemberAccess
-  allowedPartiesForDownloadPrintCopy
-  allowContentManagersToShareFolders
-gmail.auto_forwarding
-  enableAutoForwarding
-gmail.confidential_mode
-  enableConfidentialMode
-gmail.email_attachment_safety
-  enableEncryptedAttachmentProtection
-  encryptedAttachmentProtectionConsequence
-  enableAttachmentWithScriptsProtection
-  attachmentWithScriptsProtectionConsequence
-  enableAnomalousAttachmentProtection
-  anomalousAttachmentProtectionConsequence
-  allowedAnomalousAttachmentFiletypes
-  applyFutureRecommendedSettingsAutomatically
-  encryptedAttachmentProtectionQuarantineId
-  attachmentWithScriptsProtectionQuarantineId
-  anomalousAttachmentProtectionQuarantineId
-gmail.email_image_proxy_bypass
-  imageProxyBypassPattern
-  enableImageProxy
-gmail.enhanced_pre_delivery_message_scanning
-  enableImprovedSuspiciousContentDetection
-gmail.enhanced_smime_encryption
-  enableSmimeEncryption
-  allowUserToUploadCertificates
-gmail.gmail_name_format
-  allowCustomDisplayNames
-  defaultDisplayNameFormat
-gmail.imap_access
-  enableImapAccess
-gmail.links_and_external_images
-  enableShortenerScanning
-  enableExternalImageScanning
-  enableAggressiveWarningsOnUntrustedLinks
-  applyFutureSettingsAutomatically
-gmail.per_user_outbound_gateway
-  allowUsersToUseExternalSmtpServers
-gmail.pop_access
-  enablePopAccess
-gmail.spoofing_and_authentication
-  detectDomainNameSpoofing
-  detectEmployeeNameSpoofing
-  detectDomainSpoofingFromUnauthenticatedSenders
-  detectUnauthenticatedEmails
-  domainNameSpoofingConsequence
-  employeeNameSpoofingConsequence
-  domainSpoofingConsequence
-  unauthenticatedEmailConsequence
-  detectGroupsSpoofing
-  groupsSpoofingVisibilityType
-  groupsSpoofingConsequence
-  applyFutureSettingsAutomatically
-  domainNameSpoofingQuarantineId
-  employeeNameSpoofingQuarantineId
-  domainSpoofingQuarantineId
-  unauthenticatedEmailQuarantineId
-  groupsSpoofingQuarantineId
-gmail.user_email_uploads
-  enableMailAndContactsImport
-gmail.workspace_sync_for_outlook
-  enableGoogleWorkspaceSyncForMicrosoftOutlook
-groups_for_business.groups_sharing
-  ownersCanAllowIncomingMailFromPublic
-  collaborationCapability
-  createGroupsAccessLevel
-  ownersCanAllowExternalMembers
-  ownersCanHideGroups
-  newGroupsAreHidden
-  viewTopicsDefaultAccessLevel
-meet.safety_access
-  meetingsAllowedToJoin
-meet.safety_domain
-  usersAllowedToJoin
-meet.safety_external_participants
-  enableExternalLabel
-meet.safety_host_management
-  enableHostManagement
-meet.video_recording
-  enableRecording
-rule.dlp
-  displayName
-  description
-  triggers
-  condition
-  action
-  state
-  createTime
-  updateTime
-  ruleTypeMetadata
-rule.system_defined_alerts
-  displayName
-  description
-  action
-  state
-  createTime
-  updateTime
-security.advanced_protection_program
-  enableAdvancedProtectionSelfEnrollment
-  securityCodeOption
-security.less_secure_apps
-  allowLessSecureApps
-security.login_challenges
-  enableEmployeeIdChallenge
-security.password
-  allowedStrength
-  minimumLength
-  maximumLength
-  enforceRequirementsAtLogin
-  allowReuse
-  expirationDuration
-security.session_controls
-  webSessionDuration
-security.super_admin_account_recovery
-  enableAccountRecovery
-security.user_account_recovery
-  enableAccountRecovery
-sites.sites_creation_and_modification
-  allowSitesCreation
-  allowSitesModification
-workspace_marketplace.apps_allowlist
-  apps
-```
+
 ## Display Cloud Identity Policies
 Display selected policies.
 ```
--- a/wiki/Command-Data-From-Google-Docs-Sheets-Storage.md
+++ b/wiki/Command-Data-From-Google-Docs-Sheets-Storage.md
@@ -5,6 +5,7 @@
  - [Plain Text](#plain-text)
  - [HTML](#html)
 - [Read data from a Google Sheet](#read-data-from-a-google-sheet)
+- [Limited Service Account Access](#limited-service-account-access)
 - [Read data from a Google Cloud Storage File](#read-data-from-a-google-cloud-storage-file)
  - [Plain Text](#plain-text)
  - [CSV](#csv)
@@ -79,6 +80,25 @@ Example:
 ```
 gam csv gsheet you@exmaple.com <DriveFileIDEntity> "Sheet 1" gam create user firstname "~FirstName" lastname "~lastName" email "~email"
 ```
+
+## Limited Service Account Access
+If you want to disable a user's service account access to Drive and Sheets but still allow reading command data from Google Docs and Sheets,
+issue the following commands. The admin specified in `gam oauth create` can read command data from Docs and Sheets to which it has access.
+```
+gam config commanddata_clientaccess true save
+gam oauth create
+Enable the following and proceed to authorization.
+
+[*] 42)  Drive API - commanddata_clientaccess
+[*] 54)  Sheets API - commanddata_clientaccess
+```
+In these options, the `<EmailAddress> is not used, but for clarity you may want to specify the
+email address of the  admin specified in `gam oauth create`.
+```
+gdoc <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+gsheet <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
+```
+
 ## Read data from a Google Cloud Storage File
 ```
 <StorageBucketName> ::= <String>
--- a/wiki/Command-Line-Parsing.md
+++ b/wiki/Command-Line-Parsing.md
@@ -4,6 +4,7 @@
 - [Windows PowerShell](#windows-powershell)
 - [List quoting rules](#list-quoting-rules)
 - [Queries example](#queries-example)
+- [Capture command output](#capture-command-output)

 ## Linux and MacOS

@@ -79,3 +80,25 @@ gam print users queries "\"orgUnitPath='/Students/Lower School/2027'\",\"orgUnit
 ```
 gam print users queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Students/Lower\ School/2028\'`""
 ```
+
+## Capture command output
+
+To retrieve an item count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly)
+Windows PowerShell
+$count = & gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly') do set count=%a
+```
+
+To retrieve a File/Shared Drive ID with `returnidonly`:
+```
+Linux/MacOS
+itemId=$(gam user user@domain.com create shareddrive|drivefile ... returnidonly)
+Windows PowerShell
+$itemId = & gam user user@domain.com create shareddrive|drivefile ... returnidonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam user user@domain.com create shareddrive|drivefile ... returnidonly') do set itemId=%a
+```
--- a/wiki/Context-Aware-Access-Levels.md
+++ b/wiki/Context-Aware-Access-Levels.md
@@ -13,10 +13,6 @@
 - [CAA Region Codes](#caa-region-codes)

 ## Notes
-This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks for his efforts.
-
-GAM 6.20.00 and newer can create and manage access levels which can be assigned to Workspace services for your users.
-
 To use these features you must update your project.
 ```
 gam update project
--- a/wiki/Domain-SharedContacts.md
+++ b/wiki/Domain-SharedContacts.md
@@ -10,7 +10,7 @@
 - [Delete duplicate email addresses from contacts](#delete-duplicate-email-addresses-from-contacts)
 - [Manage domain contact photos](#manage-domain-contact-photos)
 - [Display domain shared contacts](#display-domain-shared-contacts)
- [Display global address list](#display-global-address-list)
+- [Display global address list](Global-Address-List)

 ## API documentation
 * [Domain Shared Contacts API](https://developers.google.com/admin-sdk/domain-shared-contacts)
--- a/wiki/Domains.md
+++ b/wiki/Domains.md
@@ -60,6 +60,15 @@ Display the number of domains.
 gam print|show domains
        showitemcountonly
 ```
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print domains showitemcountonly)
+Windows PowerShell
+$count = & gam print domains showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print domains showitemcountonly') do set count=%a
+```

 ## Create and delete domain aliases
 ```
@@ -94,3 +103,12 @@ Display the number of domain aliases.
 gam print|show domainaliases|aliasdomains
        showitemcountonly
 ```
+To retrieve the count with `showitemcountonly`:
+```
+Linux/MacOS
+count=$(gam print domainaliases showitemcountonly)
+Windows PowerShell
+$count = & gam print domainaliases showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print domainaliases showitemcountonly') do set count=%a
+```
--- a/wiki/Downloads-Installs.md
+++ b/wiki/Downloads-Installs.md
@@ -25,14 +25,14 @@ start a new terminal session and reissue the command from above.
 ## Executable, Manual

 * Executable Archive, Manual, Linux/Google Cloud Shell
-  - `gam-7.wx.yz-linux-x86_64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-glibc2.36.tar.xz`
  - `gam-7.wx.yz-linux-x86_64-glibc2.39.tar.xz`
  - `gam-7.wx.yz-linux-x86_64-legacy.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

 * Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
-  - `gam-7.wx.yz-linux-arm64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-glibc2.36.tar.xz`
  - `gam-7.wx.yz-linux-arm64-glibc2.39.tar.xz`
  - `gam-7.wx.yz-linux-arm64-legacy.tar.xz`
  - Download the archive, extract the contents into some directory.
@@ -43,16 +43,26 @@ start a new terminal session and reissue the command from above.
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

-* Executable Archive, Manual, Mac OS versions Sequoia - M3
-  - `gam-7.wx.yz-macos15.4-arm64.tar.xz`
+* Executable Archive, Manual, Mac OS versions Sequoia - M2/M3
+  - `gam-7.wx.yz-macos15.6-arm64.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

-* Executable Archive, Manual, Mac OS, versions Ventura, Sonoma, Sequoia - Intel
+* Executable Archive, Manual, Mac OS versions Tahoe - M2/M3/M4
+  - `gam-7.wx.yz-macos26.0-arm64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS, versions Ventura, Sonoma - Intel
  - `gam-7.wx.yz-macos13.7-x86_64.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

+* Executable Archive, Manual, Mac OS, versions Sequoia, Tahoe - Intel
+  - `gam-7.wx.yz-macos15.6-x86_64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
 * Executable Archive, Manual, Windows 64 bit
  - `gam-7.wx.yz-windows-x86_64.zip`
  - Download the archive, extract the contents into some directory.
--- a/wiki/GAM7-on-Android-Devices.md
+++ b/wiki/GAM7-on-Android-Devices.md
@@ -13,4 +13,4 @@ _Note: Chromebooks / Chrome OS devices should install GAM7 using [these instruct
    sudo apt update
    sudo apt install curl python3
 ```
-7. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
+7. [How to Install GAM7](How-to-Install-GAM7)
--- a/wiki/GAM7-on-Chrome-OS-Devices.md
+++ b/wiki/GAM7-on-Chrome-OS-Devices.md
@@ -7,7 +7,7 @@ Chrome OS devices that [support Linux apps](https://support.google.com/chromeboo
    sudo apt update
    sudo apt install xz-utils
 ```
-3. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
+3. [How to Install GAM7](How-to-Install-GAM7)

 # Google cloud shell

--- a/wiki/GamUpdates.md
+++ b/wiki/GamUpdates.md
@@ -10,6 +10,271 @@ Add the `-s` option to the end of the above commands to suppress creating the `g

 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation

+### 7.28.05
+
+Updated	`gam <UserTypeEntity> info|print|show calendars` and
+`gam calendars <CalendarEntity> print|show settings` to display the
+new `dataOwner` field as described under `Additional details` below.
+
+* See: https://workspaceupdates.googleblog.com/2025/11/secondary-calendar-management-with-dedicated-owners.html
+
+### 7.28.04
+
+Updated commands that display Chrome device counts to display the date in the output.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Device-Counts
+
+### 7.28.03
+
+Improved commands to display Chrome device counts.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Device-Counts
+
+### 7.28.02
+
+Added commands to display Chrome device counts.
+
+* See: https://github.com/GAM-team/GAM/wiki/Chrome-Device-Counts
+
+### 7.28.01
+
+Updated `gam <UserTypeEntity> show fileinfo <DriveFileEntity>` to display `displayName` as the key field
+of a `permission` not `deleted`.
+
+### 7.28.00
+
+Added option `addcsvdata <FieldName> <String>` to `gam report [usage] customers|users`
+that adds additional columns of data to the CSV file output. This will be most useful
+when reading a CSV of user information and you want to include some of the user information,
+e.g., orgUnitPath, in the output.
+```
+gam redirect csv ./Users.csv print users fields ou
+gam redirect csv ./UserStorageInfo.csv multiprocess csv Users.csv gam report users user "~primaryEmail" parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb,accounts:gplus_photos_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage addcsvdata orgUnitPath "~orgUnitPath"
+```
+
+### 7.27.05
+
+Added option `addcsvdata <FieldName> <String>` to `gam print courses`
+that adds additional columns of data to the CSV file output.
+
+The following scope is no longer necessary: `Cloud Identity API - Groups Beta (Enables group locking/unlocking)`
+as this scope `Cloud Identity API - Groups` now provides group locking/unlocking.
+
+### 7.27.04
+
+Added options to `gam <UserTypeEntity> create delegate` that support
+sending email notifications when a user adds a delegate.
+
+* See: https://github.com/GAM-team/GAM/wiki/Users-Gmail-Delegates#delegation-notification
+
+### 7.27.03
+
+Updated `gam <UserTypeEntity> create|update|sync chatmember` role specification to `role member|manager|owner`.
+This is the mapping between the Chat UI and Chat API; GAM uses the Chat UI role names.
+```
+UI: Member,  API: ROLE_MEMBER
+UI: Manager, API: ROLE_ASSISTANT_MANAGER
+UI: Owner,   API: ROLE_MANAGER
+```
+
+Updated `gam <UserTypeEntity> update chatspace` options for permission settings.
+```
+        [managemembersandgroups owners|managers|members]
+        [modifyspacedetails owners|managers|members]
+        [togglehistory owners|managers|members]
+        [useatmentionall owners|managers|members]
+        [manageapps owners|managers|members]
+        [managewebhooks owners|managers|members]
+        [replymessages owners|managers|members]
+```
+
+### 7.27.02
+
+Added option `clearattachments <String>` to `gam [<UserTypeMessage>] update chatmessage`
+that clears all attachments from a Chat message. If `<ChatContent>` is not specified,
+the current message text is retained and `<String>` is appended; `<String>` must be specified
+but can be empty in which case the current message test is preserved as-is.
+
+### 7.27.01
+
+Fixed bug in `gam <UserTypeEntity> claim ownership <DriveFileEntity> ... onlyUsers|skipusers <UserTypeEntity>`
+where the email addresses in `onlyUsers|skipusers <UserTypeEntity>` were not normalized.
+
+### 7.27.00
+
+Added `debug_redaction` Boolean variable to `gam.cfg`. When True, the default,
+sensitive data like access/refresh tokens, client secret and authorization codes
+are redacted from debug output. This allows you to post debug output without
+compromising your account information. Even with debug redaction,
+anything shared publicly should be double-checked for sensitive content. 
+
+### 7.25.01
+
+Fixed bug in `gam config timezone <String>` to handle timezone abbreviations correctly;
+they were incorrectly shifted to lowercase.
+
+### 7.25.00
+
+Removed a capabilty added in 7.24.00 that allowed reading command data from Google Docs and Sheets
+when a user's service account access to Drive and Sheets had been disabled. Jay was concerned
+that this change could be exploited to give access to all user's files.
+
+This capability has been replaced by issuing the following commands. The admin specified in `gam oauth create`
+can read command data from Docs and Sheets to which it has access.
+```
+gam config commanddata_clientaccess true save
+gam oauth create
+Enable the following and proceed to authorization.
+
+[*] 42)  Drive API - commanddata_clientaccess
+[*] 54)  Sheets API - commanddata_clientaccess
+```
+
+* See: https://github.com/GAM-team/GAM/wiki/Command-Data-From-Google-Docs-Sheets-Storage#limited-service-account-access
+
+Fixed in bug in `gam report` that caused a trap with either of the `thismonth` or `previousmonths` options were used.
+
+Upgraded to Python 3.14.0.
+
+### 7.24.01
+
+Updated GAM to handle the following error that occurs when GAM tries to authenticate
+as a user that has been disabled by Google.
+```
+ERROR: Authentication Token Error - invalid_account: Forbidden
+```
+
+### 7.24.00
+
+If you want to disable a user's service account access to Drive and Sheets but still allow reading command data from Google Docs and Sheets,
+issue the following command and make these settings:
+```
+gam user user@domain.com update serviceaccount
+
+[ ] 20)  Drive API (supports readonly)
+[*] 21)  Drive API - read command data
+[ ] 42)  Sheets API (supports readonly)
+[*] 43)  Sheets API - read command data
+```
+
+### 7.23.07
+
+Fixed bug in `gam print|show admins` where all admin assignments were not displayed when
+`types <AdminAssigneeTypeList>` was not specified, i.e., all assignments should be displayed.
+
+### 7.23.06
+
+Added option `types <AdminAssigneeTypeList>` to `gam print|show admins` that allows filtering
+of admin assignments by the type of the assignee; by default, all assignee types are displayed.
+```
+<AdminAssigneeType> ::= group|user|serviceaccount|unknown
+<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
+```
+
+### 7.23.05
+
+Added option `recursive` to `gam print|show admins` that will display assignments to the members
+of security groups assigned to roles; the security group membership is recursively expanded.
+
+### 7.23.04
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print events`
+and `gam calendars <CalendarEntity> print events` that adds additional columns of data to the CSV file output.
+An example would be to get the calendar name in addition to the calendar ID when printing events.
+```
+gam redirect csv ./Resources.csv print resources fields email,name
+gam redirect csv ./ResourceEventCounts.csv multiprocess redirect stderr - multiprocess csv Resources.csv gam calendar "~resourceEmail" print events starttime -1y countsonly addcsvdata calendarName "~resourceName"
+```
+
+Upgraded to OpenSSL 3.6.0.
+
+### 7.23.03
+
+Upgraded to OpenSSL 3.5.4.
+
+### 7.23.02
+
+Added option `oneitemperrow` to 'gam print course-materials|course-work` to have each of a
+course's materials displayed on a separate row with all of the other course fields.
+This produces a CSV file that can be used in subsequent commands to process the materials without further script processing.
+
+### 7.23.00
+
+Added `chat_max_results` variable to `gam.cfg`.
+```
+chat_max_results
+    When retrieving lists of Chat items from API,
+    how many should be retrieved in each API call
+    Default: 100
+    Range: 1 - 1000
+```
+Previously, this vaule was always set to 1000 which could cause errors.
+
+### 7.22.07
+
+Added options `showdetails` and `returnidonly` to `gam create|copy vaultquery`.
+
+Added option `<JSONData>` to `gam create vaultexport|vaultquery and `gam print vaultcounts``.
+
+### 7.22.06
+
+Added commands to create, copy and delete Vault saved queries.
+```
+gam create vaultquery <MatterItem> [name <String>]
+        corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
+        [scope all_data|held_data|unprocessed_data]
+        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
+        (documentids  (<DriveFileIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
+        (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+        [driveversiondate <Date>|<Time>]
+        [includerooms <Boolean>]
+        (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
+        [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
+        [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
+        (covereddata calllogs|textmessages|voicemails)*
+        [shownames] [formatjson]
+
+gam copy vaultquery <MatterItem> <QueryItem> [targetmatter <MatterItem"] [name <String>]
+        [shownames] [formatjson]
+
+gam delete vaultquery <QueryItem> matter <MatterItem>
+gam delete vaultquery <MatterItem> <QueryItem>
+```
+
+Added a variant of `gam print vaultcounts` that gets its query parameters from a saved Vault query.
+```
+gam print vaultcounts [todrive <ToDriveAttributes>*]
+        matter <MatterItem> <QueryItem>
+        [wait <Integer>]
+```
+
+### 7.22.05
+
+Added a variant of `gam create vaultexport` that gets its query parameters from a saved Vault query.
+
+```
+gam create vaultexport|export matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [driveclientsideencryption any|encrypted|unencrypted]
+        [includeaccessinfo <Boolean>]
+        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
+        [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
+        [format ics|mbox|pst|xml]
+        [region any|europe|us] [showdetails|returnidonly]
+```
+
+### 7.22.04
+
+Added a variant of `gam create vaulthold` that gets its parameters from a saved Vault query.
+```
+gam create vaulthold matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [showdetails|returnidonly]
+```
+
 ### 7.22.03

 Fix backwards compatability bug introduced in 7.22.00 for `gam print users` that changed `suspended`
--- a/wiki/Google-Data-Transfers.md
+++ b/wiki/Google-Data-Transfers.md
@@ -49,7 +49,7 @@ For calendars, there is an option to indicate whether to release resources for f
 A `<TransferID>` is returned which can be used to monitor the progress of the transfer.

 NOTE: For calendars, the behaviour is not sufficiently defined in the API documentation.
-As of 2020-06-10, background transfers only transfer future non-private events with at least one guest/resource.
+Background transfers only transfer future non-private events with at least one guest/resource.

 The option `<ParameterKey> <ParameterValue>` is for future expansion.

--- a/wiki/Groups.md
+++ b/wiki/Groups.md
@@ -680,5 +680,7 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print groups showitemcountonly)
 Windows PowerShell
-count = & gam print groups showitemcountonly
-```
+$count = & gam print groups showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print groups showitemcountonly') do set count=%a
+
--- a/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
+++ b/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
@@ -252,10 +252,10 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.22.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.28.05 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.7 64-bit final
-MacOS Sequoia 15.6.1 x86_64
+Python 3.14.0 64-bit final
+macOS Tahoe 26.1 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

@@ -990,10 +990,10 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.22.00 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.28.05 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.7 64-bit final
-Windows-10-10.0.17134 AMD64
+Python 3.14.0 64-bit final
+Windows 11 10.0.26200 AMD64
 Path: C:\GAM7
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

--- a/wiki/Licenses.md
+++ b/wiki/Licenses.md
@@ -235,10 +235,6 @@ nv:<String>:<String>
 The first `<String>` is a Product and the second `<String>` is a SKU.

 ## Info User Performance
-
-In GAM versions prior 7.18.05, when you did `gam info user`, GAM would make one attempt to get the user's licenses.
-If something went wrong, you might not get the complete list.
-
 The License Manager API doesn't have a call that returns the list of licenses that a user has; you have to ask:
 ```
 Does user have license SKU 1?
--- a/wiki/List-Items.md
+++ b/wiki/List-Items.md
@@ -5,6 +5,7 @@

 ## Lists of basic items
 ```
+<AdminAssigneeTypeList> ::= "<AdminAssigneeType>(,<AdminAssigneeType>)*"
 <APIScopeURLList> ::= "<APIScopeURL>(,<APIScopeURL>)*"
 <ASPIDList> ::= "<ASPID>(,<ASPID>)*"
 <AssetTagList> ::= "<AssetTag>(,<AssetTag>)*"
@@ -43,6 +44,7 @@
 <DomainNameList> ::= "<DomainName>(,<DomainName>)*"
 <DriveFileACLRoleList> ::= "<DriveFileACLRole>(,<DriveFileACLRole>)*"
 <DriveFileACLTypeList> ::= "<DriveFileACLType>(,<DriveFileACLType>)*"
+<DriveFileIDList> ::= "<DriveFileID>(,<DriveFileID>)*"
 <DriveFileList> ::= "<DriveFileItem>(,<DriveFileItem>)*"
 <DriveFilePermissionList> ::= "<DriveFilePermission>(,<DriveFilePermission>)*"
 <DriveFilePermissionIDList> ::= "<DriveFilePermissionID>(,<DriveFilePermissionID>)*"
--- a/wiki/Mobile-Devices.md
+++ b/wiki/Mobile-Devices.md
@@ -173,5 +173,7 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print mobile showitemcountonly)
 Windows PowerShell
-count = & gam print mobile showitemcountonly
+$count = & gam print mobile showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print mobile showitemcountonly') do set count=%a
 ```
--- a/wiki/Organizational-Units.md
+++ b/wiki/Organizational-Units.md
@@ -266,7 +266,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print orgs showitemcountonly)
 Windows PowerShell
-count = & gam print orgs showitemcountonly
+$count = & gam print orgs showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print orgs showitemcountonly') do set count=%a
 ```

 ## Display indented organizational unit tree
--- a/wiki/Reports.md
+++ b/wiki/Reports.md
@@ -12,6 +12,10 @@
 - [User reports](#user-reports)

 ## API documentation
+Changes starting 2025-10-29.
+
+* [Reports API - Admin log event changes](https://support.google.com/a/answer/16601511)
+
 These pages show event/parameter names; scroll down in the left column to: Reports.

 * [Reports API - Activities](https://developers.google.com/admin-sdk/reports/v1/reference/activities)
@@ -209,6 +213,7 @@ gam report usage customer [todrive <ToDriveAttribute>*]
        [skipdates <Date>[:<Date>](,<Date>[:<Date>])*] [skipdaysofweek <DayOfWeek>(,<DayOfWeek>)*]
        [fields|parameters <String>]
        [convertmbtogb]
+        (addcsvdata <FieldName> <String>)*
 ```
 Limit the time period.
 * `start <Date>` - Default value is 30 days prior to `end <Date>`
@@ -220,8 +225,10 @@ Limit the time period.
 Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
 (name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.

+Add additional columns of data from the command line to the output.
+* `addcsvdata <FieldName> <String>`
+
 ### Example
-Jay provided this example.
 ```
 gam report usage customer parameters meet:total_call_minutes,meet:total_meeting_minutes start_date 2020-03-01 skipdaysofweek sat,sun todrive 
 ```
@@ -263,6 +270,7 @@ gam report customers|customer|domain [todrive <ToDriveAttribute>*]
        [(fields|parameters <String>)|(services <CustomerServiceNameList>)]
        [noauthorizedapps]
        [convertmbtogb]
+        (addcsvdata <FieldName> <String>)*
 ```
 Specify the report date; the default is today's date.
 * `date <Date>` - A single date; there is one API call
@@ -275,6 +283,9 @@ Specify the report date; the default is today's date.
 Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
 (name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.

+Add additional columns of data from the command line to the output.
+* `addcsvdata <FieldName> <String>`
+
 If no report is available for the specified date, can an earlier date be used?
 * `limitdatechanges -1' - Back up to earlier dates to find report data; this is the default.
 * `limitdatechanges 0 | nodatechange' - Do not report on an earlier date if no report data is available for the specified date.
@@ -328,6 +339,7 @@ gam report usage user [todrive]
        [skipdates <Date>[:<Date>](,<Date>[:<Date>])*] [skipdaysofweek <DayOfWeek>(,<DayOfWeek>)*]
        [fields|parameters <String>]
        [convertmbtogb]
+        (addcsvdata <FieldName> <String>)*
 ```
 Select the users for whom information is desired.
 * `user all` - All users, the default; there is one API call
@@ -346,6 +358,9 @@ Limit the time period.
 Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
 (name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.

+Add additional columns of data from the command line to the output.
+* `addcsvdata <FieldName> <String>`
+
 ## User reports
 User reports are generally available up to four days before the current date.
 ```
@@ -370,6 +385,7 @@ gam report users|user [todrive <ToDriveAttribute>*]
        [aggregatebydate|aggregatebyuser [Boolean]]
        [maxresults <Number>]
        [convertmbtogb]
+        (addcsvdata <FieldName> <String>)*
 ```
 Select the users for whom information is desired.
 * `user all` - All users, the default; there is one API call
@@ -378,7 +394,7 @@ Select the users for whom information is desired.
  * `showorgunit` - Add a column labelled `orgUnitPath` to the output; an additional API call is made to get the email addresses of the users in `<OrgUnitPath>`
 * `select <UserTypeEntity>` - A selected collection of users, e.g., `select group staff@domain.com`; there is one API call per user

-By default, when `user all` is specified (or no user specification in supplied), GAM backs up looking for data with a (basically) random user. If the randaom
+By default, when `user all` is specified (or no user specification in supplied), GAM backs up looking for data with a (basically) random user. If the random
 doesn't have any data, the command reports that no data was found. Use `allverifyuser <UserItem>` to specify a specific user to use to search for data.

 Specify the report date; the default is today's date.
@@ -392,6 +408,16 @@ Specify the report date; the default is today's date.
 Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
 (name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.

+Add additional columns of data from the command line to the output.
+* `addcsvdata <FieldName> <String>`
+
+This will be most useful when reading a CSV of user information and you want to include some of the user information,
+e.g., orgUnitPath, in the output.
+```
+gam redirect csv ./Users.csv print users fields ou
+gam redirect csv ./UserStorageInfo.csv multiprocess csv Users.csv gam report users user "~primaryEmail" parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb,accounts:gplus_photos_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage addcsvdata orgUnitPath "~orgUnitPath"
+```
+
 If no report is available for the specified date, can an earlier date be used?
 * `limitdatechanges -1' - Back up to earlier dates to find report data; this is the default.
 * `limitdatechanges 0 | nodatechange' - Do not report on an earlier date if no report data is available for the specified date.
@@ -448,6 +474,11 @@ Report on users total storage usage.
 ```
 gam report users parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb,accounts:gplus_photos_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage
 ```
+Report on users total storage usage, include OrgUnitPath
+```
+gam redirect csv ./Users.csv print users fields ou
+gam redirect csv ./UserStorageInfo.csv multiprocess csv Users.csv gam report users user "~primaryEmail" parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb,accounts:gplus_photos_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage addcsvdata orgUnitPath "~orgUnitPath"
+```
 Report on email activity for individual users.
 ```
 $ gam report users select users testuser1,testuser2,testuser3 fields gmail:num_emails_received,gmail:num_emails_sent range 2025-07-01 2025-07-07 
--- a/wiki/Reseller.md
+++ b/wiki/Reseller.md
@@ -1,6 +1,5 @@
 # Reseller
 - [API documentation](#api-documentation)
- [Notes](#notes)
 - [Manage Multiple Domains](#manage-multiple-domains)
 - [Definitions](#definitions)
 - [Manage Resold Customers](#manage-resold-customers)
@@ -12,20 +11,6 @@
 * [Reseller API - Customers](https://developers.google.com/admin-sdk/reseller/v1/reference/customers)
 * [Reseller API - Subscriptions](https://developers.google.com/admin-sdk/reseller/v1/reference/subscriptions)

-## Notes
-
-Updated handling of `seats` option in `gam create|update resoldsubscription` to properly assign
-the API fields `numberOfSeats` and `maximumNumberOfSeats`.
-Prior to version 6.50.00, this is how the `seats <NumberOfSeats> <MaximumNumberOfSeats>` option was processed:
-  * Plan name `ANNUAL_MONTHLY_PAY` or `ANNUAL_YEARLY_PAY`
-    * `seats <NumberOfSeats>` - `<NumberOfSeats>` was properly passed to the API
-    * `seats <NumberOfSeats> <MaximumNumberOfSeats>` - `<NumberOfSeats>` was properly passed to the API; `<MaximumNumberOfSeats>` was passed to the API which ignored it
-  * Plan name `FLEXIBLE` or `TRIAL`
-    * `seats <NumberOfSeats>` - `<NumberOfSeats>` was improperly passed to the API; an API error was generated
-    * `seats <NumberOfSeats> <MaximumNumberOfSeats>` - `<MaximumNumberOfSeats>` was properly passed to the API; `<NumberOfSeats>` was passed to the API which ignored it
-
-Now, you can still use the above option which has been corrected or you can specify `seats <Number>` which will be properly passed in the correct form to the API based on plan name.
-
 ## Manage Multiple Domains
 Thanks to Duncan Isaksen-Loxton for a script to help manage multiple domains.

--- a/wiki/Resources.md
+++ b/wiki/Resources.md
@@ -512,7 +512,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print resources showitemcountonly)
 Windows PowerShell
-count = & gam print resources showitemcountonly
+$count = & gam print resources showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print resources showitemcountonly') do set count=%a
 ```

 ## Manage resource calendar ACLs
--- a/wiki/Scripts.md
+++ b/wiki/Scripts.md
@@ -1,7 +1,7 @@
 # Scripts

-These scripts can be used to enhance GAM's capabilities; all are supported with Advanced GAM,
-many are supported with Legacy GAM. They require that Python 3 be installed on you computer.
+These scripts can be used to enhance GAM's capabilities; all are supported with GAM7,
+many are supported with Legacy GAM. They require that Python 3.10 or higher be installed on your computer.

 * https://github.com/taers232c/GAM-Scripts3
 * https://www.python.org/
--- a/wiki/Shared-Drives.md
+++ b/wiki/Shared-Drives.md
@@ -315,6 +315,8 @@ Linux/MacOS
 teamDriveId=$(gam create shareddrive ... returnidonly)
 Windows PowerShell
 $teamDriveId = & gam create shareddrive ... returnidonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam create shareddrive ... returnidonly') do set teamDriveId=%a
 ```

 ## Bulk Create Shared Drives
@@ -537,7 +539,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print shareddrives showitemcountonly)
 Windows PowerShell
-count = & gam print shareddrives showitemcountonly
+$count = & gam print shareddrives showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print shareddrives showitemcountonly') do set count=%a
 ```

 ## Display all Shared Drives with a specific organizer
@@ -590,7 +594,9 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print oushareddrives showitemcountonly)
 Windows PowerShell
-count = & gam print oushareddrives showitemcountonly
+$count = & gam print oushareddrives showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print oushareddrives showitemcountonly') do set count=%a
 ```

 ## Manage Shared Drive access
--- a/wiki/Todrive.md
+++ b/wiki/Todrive.md
@@ -330,16 +330,16 @@ you want the updated data copied to `Latest` so you don't have to remember what
 gam redirect csv - todrive tdfileid <DriveFileID> tdupdatesheet tdsheet Tuesday tdbackupsheet "Backup Tuesday" tdcopysheet "Latest" ...
 ```
 ## Limited Service Account Access
-If you want to limit a user's service account access but still allow `todrive',
-issue the following command and authorize the additional service account APIs:
+If you want to limit a user's service account access to Drive, Gmail and Sheets but still allow `todrive`,
+issue the following command and make these settings:
 ```
-gam user user@domain.com update serviceaccount`
+gam user user@domain.com update serviceaccount

-Authorize these APIs:
-
-Drive API - todrive
-Gmail API - Send Messages - including todrive
-Sheets API - todrive
+[ ] 20)  Drive API (supports readonly)
+[*] 22)  Drive API - write todrive data - has access to all Drive
+[*] 31)  Gmail API - Send Messages - including todrive
+[ ] 42)  Sheets API (supports readonly)
+[*] 44)  Sheets API - write todrive data - has access to all Sheets
 ```

 ## No Service Account Access
--- a/wiki/Users-Calendars-Events.md
+++ b/wiki/Users-Calendars-Events.md
@@ -653,7 +653,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> show events <UserCalendarEntity> [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly] [formatjson]
+        [countsonly|formatjson]
 ```
 In `<EventEntity>`, any `<EventSelectProperty>` options must precede all other options.

@@ -672,8 +672,8 @@ By default, Gam displays event details, use `countsonly` to display only the num
 ```
 gam <UserTypeEntity> print events <UserCalendarEntity> [<EventEntity>] <EventDisplayProperty>*
        [fields <EventFieldNameList>] [showdayofweek]
-        [countsonly]
-        [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]
+        (addcsvdata <FieldName> <String>)*
+        [eventrowfilter]                                                                                          [countsonly|(formatjson [quotechar <Character>])] [todrive <ToDriveAttribute>*]
 ```
 In `<EventEntity>`, any `<EventSelectProperty>` options must precede all other options.

@@ -684,6 +684,9 @@ option `singleevents` to display all instances of a recurring event.

 `showdayofweek` displays columns `start.dayOfWeek` and `end.dayOfWeek` when event start and end times are displayed.

+Add additional columns of data from the command line to the output after the calendarId.
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

--- a/wiki/Users-Calendars.md
+++ b/wiki/Users-Calendars.md
@@ -49,6 +49,7 @@

 <CalendarSettingsField> ::=
        conferenceproperties|
+        dataowner|
        description|
        id|
        location|
@@ -134,6 +135,7 @@
        backgroundcolor|
        colorid|
        conferenceproperties|
+        dataowner|
        defaultreminders|
        deleted|
        description|
--- a/wiki/Users-Chat.md
+++ b/wiki/Users-Chat.md
@@ -7,6 +7,7 @@
 - [Chat Space Permissions](#chat-space-permissions)
 - [Manage Chat Spaces](#manage-chat-spaces)
 - [Display Chat Spaces](#display-chat-spaces)
+- [UI API member role mapping](#ui-api-mwmber-role-mapping)
 - [Manage Chat Members](#manage-chat-members)
 - [Display Chat Members](#display-chat-members)
 - [Manage Chat Messages](#manage-chat-messages)
@@ -211,7 +212,7 @@ For `type space`, the following apply:
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
-* `announcement|collaboration` - Initial permission settings; default is `collaboration`; this is in Developer Preview
+* `announcement|collaboration` - Initial permission settings; default is `collaboration`

 For `type groupchat`, the following apply:
 * `members <UserTypeEntity>` - Required, must specify between 2 and 20 users
@@ -244,30 +245,19 @@ gam <UserTypeEntity> update chatspace <ChatSpace>
         [type space]
         [description <String>] [guidelines|rules <String>]
         [history <Boolean>])
-        [managemembersandgroups managers|members]
-        [modifyspacedetails managers|members]
-        [togglehistory managers|members]
-        [useatmentionall managers|members]
-        [manageapps managers|members]
-        [managewebhooks managers|members]
-        [replymessages managers|members]
+        [managemembersandgroups owners|managers|members]
+        [modifyspacedetails owners|managers|members]
+        [togglehistory owners|managers|members]
+        [useatmentionall owners|managers|members]
+        [manageapps owners|managers|members]
+        [managewebhooks owners|managers|members]
+        [replymessages owners|managers|members]
        [formatjson]
 ```
 A groupchat space can be upgraded to a space by specifying `type space` and `displayname <String>`.

 The `restricted|audience` options can not be combined with options `displayname,type,description,guidelines,history`.

-You can manage permissions for chat spaces with the following options that are available with Developer Preview.
-        [managemembersandgroups managers|members]
-        [modifyspacedetails managers|members]
-        [togglehistory managers|members]
-        [useatmentionall managers|members]
-        [manageapps managers|members]
-        [managewebhooks managers|members]
-        [postmessages managers|members]
-        [replymessages managers|members]
-
-
 By default, Gam displays the information about the created chatspace as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

@@ -327,7 +317,7 @@ gam <UserTypeEntity> show chatspaces
 By default, chat spaces of all types are displayed.
 * `types <ChatSpaceTypeList>` - Display specific types of spaces.

-When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this field,
 add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
 to get the `accessSettings` field.

@@ -343,7 +333,7 @@ gam <UserTypeEntity> print chatspaces [todrive <ToDriveAttribute>*]
 By default, chat spaces of all types are displayed.
 * `types <ChatSpaceTypeList>` - Display specific types of spaces.

-When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this field,
 add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
 to get the `accessSettings` field.

@@ -401,7 +391,7 @@ By default, all chat spaces of type SPACE are displayed.
 * `query <String> [querytime<String> <Time>]` - Display selected chat spaces
  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search

-When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this field,
 add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
 to get the `accessSettings` field.

@@ -419,7 +409,7 @@ By default, all chat spaces of type SPACE are displayed.
 * `query <String> [querytime<String> <Time>]` - Display selected chat spaces
  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search

-When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this fieldf,
+When listing Chat Spaces, the Chat API does not return the `accessSettings` field; if you need to see this field,
 add `showaccesssettings` to the command. This requires an additional Chat API call per chat space of type `SPACE`
 to get the `accessSettings` field.

@@ -432,11 +422,20 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

+## UI API member role mapping
+GAM uses the Chat UI role names.
+
+| UI setting | API setting |
+|------------|------------|
+| Member | ROLE_MEMBER |
+| Manager | ROLE_ASSISTANT_MANAGER |
+| Owner | ROLE_MANAGER |
+
 ## Manage Chat Members
 ### Add members to a user's chat space
 ```
 gam <UserTypeEntity> create chatmember <ChatSpace>
-        [type human|bot] [role member|manager]
+        [type human|bot] [role member|manager|owner]
        (user <UserItem>)* (members <UserTypeEntity>)*
        (group <GroupItem>)* (groups <GroupEntity>)*
        [formatjson|returnidonly]
@@ -462,7 +461,7 @@ gam <UserTypeEntity> remove chatmember members <ChatMemberList>
 Creating memberships for users outside the administrator's Google Workspace organization isn't supported using asadmin.
 ```
 gam <UserItem> create chatmember asadmin <ChatSpace>
-        [type human|bot] [role member|manager]
+        [type human|bot] [role member|manager|owner]
        (user <UserItem>)* (members <UserTypeEntity>)*
        (group <GroupItem>)* (groups <GroupEntity>)*
        [formatjson|returnidonly]
@@ -488,13 +487,13 @@ gam <UserItem> remove chatmember asadmin members <ChatMemberList>
 Update members by specifying a chat space, user/group email addresses and role.
 ```
 gam <UserTypeEntity> update chatmember <ChatSpace>
-        role member|manager
+        role member|manager|owner
        ((user <UserItem>)|(members <UserTypeEntity>))+
 ```
 Update members by specifying chatmember names and role.
 ```
 gam <UserTypeEntity> modify chatmember
-        role member|manager
+        role member|manager|owner
        members <ChatMemberList>
 ```

@@ -502,13 +501,13 @@ gam <UserTypeEntity> modify chatmember
 Update members by specifying a chat space, user/group email addresses and role.
 ```
 gam <UserItem> update chatmember asadmin <ChatSpace>
-        role member|manager
+        role member|manager|owner
        ((user <UserItem>)|(members <UserTypeEntity>))+
 ```
 Update members by specifying chatmember names and role.
 ```
 gam <UserItem> modify chatmember asadmin
-        role member|manager
+        role member|manager|owner
        members <ChatMemberList>
 ```

@@ -751,7 +750,7 @@ gam user user@domain.com create chatmessage spaces spaces/AAAADi-pvqc gdoc annou
 Updates and rewrites an existing Chat message. Message will show as edited and no notification will be sent to members.
 ```
 gam <UserTypeEntity> update chatmessage name <ChatMessage>
-        <ChatContent>
+        [<ChatContent>] [clearattachments <String>]
 ```
 Specify the text of the message: `<ChatContent>`
 * `text <String>` - The message is `<String>`
@@ -759,12 +758,22 @@ Specify the text of the message: `<ChatContent>`
 * `gdoc <UserGoogleDoc>` - The message is read from a Google Doc.
 * `gcsdoc <StorageBucketObjectName>` - The message is read from a Google Cloud Storage file.

+The option `clearattachments <String>` can be used to clear all attachments from a Chat message.
+If `<ChatContent>` is not specified, the current message text is retained and `<String>` is appended;
+`<String>` must be specified but can be empty in which case the current message test is preserved as-is.
+
 ### Example
 This example updates an existing chat message with new text.
 ```
 gam user user@domain.com update chatmessage name spaces/AAAADi-pvqc/messages/PKJrx90ooIU.PKJrx90ooIU text "HELLO CHAT?"
 ```

+This example clears attachments from a chat message and appends ` - Attachments cleared`
+to the current message text.
+```
+gam user user@domain.com update chatmessage name spaces/AAAADi-pvqc/messages/PKJrx90ooIU.PKJrx90ooIU clearattachments " - Attachments cleared"
+```
+
 ### Delete a Chat Message
 Deletes the given Chat message. Members will no longer see the message.

--- a/wiki/Users-Contacts.md
+++ b/wiki/Users-Contacts.md
@@ -17,18 +17,9 @@
 - [Display user contact groups](#display-user-contact-groups)

 ## Notes
-As of version `6.08.00`, GAM uses the People API to manage user contacts rather than the Contacts API.
+GAM uses the People API to manage user contacts rather than the Contacts API.

-Most commands will work unchanged but Google has completely changed how the data is presented. If you
-have scripts that process the output from `print contacts` for example, they will have to be changed.
-
-You might want to keep an older version of GAM available so you can compare the output from the two
-versions and make adjustments as necessary.
-
-If you manage contacts in the contact group "Other Contacts", you will need to use an older version,
-as the People API has very little support for this.
-
-As of version `6.14.04`, There is now support for managing "Other Contacts".
+The People API has very little support for managing contacts in the contact group "Other Contacts".

 [Users - People - Contacts & Profiles](Users-People-Contacts-Profiles)

--- a/wiki/Users-Drive-Cleanup.md
+++ b/wiki/Users-Drive-Cleanup.md
@@ -94,19 +94,10 @@ Show current drive usage.
 gam redirect stdout ./DrivefileUsage.txt user user@domain.com show drivesettings
 ```
 Get list of top level files/folders.
-
-GAM version `6.22.14` and higher:
 ```
 gam redirect csv ./TopLevelFilesFolders.csv user user@domain.com print filelist select rootid fields id,name,mimetype depth 0
 ```
-GAM version `6.22.13` and lower.
-```
-gam user user@domain.com show fileinfo root fields id
-User: user@domain.com, Show 1 Drive File/Folder
-  Drive Folder: My Drive (0AENlVEBUkz-hUkWXYZ)
-    id: 0AENlVEBUkz-hUkWXYZ
-gam redirect csv ./TopLevelFilesFolders.csv user user@domain.com print filelist select 0AENlVEBUkz-hUkWXYZ fields id,name,mimetype depth 0
-```
+
 Purge top level files/folders.
 ```
 gam redirect stdout ./PurgeTopLevelFilesFolders.txt multiprocess redirect stderr stdout csv ./TopLevelFilesFolders.csv gam user "~Owner" purge drivefile "~id"
@@ -128,7 +119,6 @@ Show updated drive usage.
 gam redirect stdout ./DrivefileUsage.txt append user user@domain.com show drivesettings
 ```
 ### Method 3
-* GAM version `6.30.09` and higher
 * Generate a list of top level files/folders that a user owns.
 * Delete them; orphans are not included
 * Generate a list of remaining file/folders (orphans).
--- a/wiki/Users-Drive-Copy-Move.md
+++ b/wiki/Users-Drive-Copy-Move.md
@@ -226,8 +226,6 @@ When a file appears more that once in the copy, the first time the file is proce
 If it is processed again (because of multiple parents within the source folder structure), a shortcut is created that points to the first copy.

 ### Shortcuts
-In previous versions, copying shortcuts caused an error because shortcuts can't be copied, they must be re-created.
-
 If a shortcut in the source structure points to a file/folder that is not in the source structure:
 * The shortcut is re-created to point to the original file/folder.

@@ -263,7 +261,6 @@ When a folder is copied, its permissions are not copied; these options control c
 of the form `option [<Boolean>]`; if `<Boolean>` is omitted, `true` is assumed.

 When copied, a target folder inherits the permissions of its parent folder; these options control whether/how GAM copies the existing source folder permissions.
-The default values of options introduced in version 6.14.00 are set to match the behavior of earlier versions.

 When `mergewithparent` is `true`:
 * `copymergewithparentfolderpermissions false` - The permissions of the source top folder are not not copied to the target folder; this is the default action.
@@ -352,6 +349,8 @@ Linux/MacOS
 fileId=$(gam user user@domain.com copy drivefile <DriveFileEntity> ... returnidonly)
 Windows PowerShell
 $fileId = & gam user user@domain.com copy drivefile <DriveFileEntity> ... returnidonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam user user@domain.com copy drivefile <DriveFileEntity> ... returnidonly') do set fileId=%a
 ```
 The file ID will only be valid when the return code of the command is 0; program accordingly.

@@ -388,7 +387,7 @@ gam user user@domain.com copy drivefile root recursive teamdriveparentid <Shared
 ```

 ### Copy content of a Shared Drive to another Shared Drive
-Suppose you have a source Shared Drive called 0AC_1AB with multiple files and folders, and want to copy all of its content to the target Shared Drive 0AE_9ZX.
+Suppose you have a source Shared Drive with ID 0AC_1AB with multiple files and folders, and want to copy all of its content to the target Shared Drive with ID 0AE_9ZX.

 The following command will copy the content, files and folders inside the source drive recursively, and put them in the target drive.

@@ -431,6 +430,52 @@ gam user user@domain.com copy drivefile teamdriveid 0AC_1AB teamdriveparentid 0A
        copyfilenoninheritedpermissions true
 ```

+### Copy content of a source Shared Drive to a target Shared Drive with parallel Processing
+Suppose you have a source Shared Drive with ID 0AC_1AB with multiple files and folders, and want to copy all of its content to the target Shared Drive with ID 0AE_9ZX.
+
+Get top level items on source Shared Drive
+```
+gam redirect csv ./TopSDItems.csv user user@domain.com print filelist select 0AC_1AB fields id,name,mimetype depth 0
+```
+Copy the top level items to target Shared Drive; append desired permission options
+```
+gam redirect stdout ./CopySharedDrive.txt multiprocess redirect stderr stdout csv TopSDItems.csv gam user user@domain.com copy drivefile "~id" recursive teamdriveparentid 0AE_9ZX
+```
+
+### Copy content of a source Shared Drive folder to a target Shared Drive with parallel Processing
+Get top level items on source Shared Drive folder with ID 1BX-8W3
+```
+gam redirect csv ./TopSDItems.csv user user@domain.com print filelist select 1Bx-8W3 fields id,name,mimetype depth 0
+```
+Create a folder on target Shared Drive with ID 0AE_9ZX, replace "New Folder Name" as desired.
+```
+gam user user@domain.com create drivefile mimetype gfolder teamdriveparentid 0AE-9ZX drivefilename "New Folder Name" returnidonly
+```
+Copy the folder top level items to target Shared Drive folder, assume ID 2CY-45G was returned in previous step
+```
+gam redirect stdout ./CopySharedDrive.txt multiprocess redirect stderr stdout csv TopSDItems.csv gam user user@domain.com copy drivefile "~id" recursive teamdriveparentid 2CY-45G
+```
+You can script the steps:
+
+Linux/MacOS
+```
+gam redirect csv ./TopSDItems.csv user user@domain.com print filelist select 1Bx-8W3 fields id,name,mimetype depth 0
+targetFolderId=$(gam user user@domain.com create drivefile mimetype gfolder teamdriveparentid 0AE-9ZX drivefilename "New Folder Name" returnidonly)
+gam redirect stdout ./CopySharedDrive.txt multiprocess redirect stderr stdout csv TopSDItems.csv gam user user@domain.com copy drivefile "~id" recursive teamdriveparentid $targetFolderId
+```
+Windows PowerShell
+```
+gam redirect csv ./TopSDItems.csv user user@domain.com print filelist select 1Bx-8W3 fields id,name,mimetype depth 0
+$targetFolderId = & gam user user@domain.com create drivefile mimetype gfolder teamdriveparentid 0AE-9ZX drivefilename "New Folder Name" returnidonly
+gam redirect stdout ./CopySharedDrive.txt multiprocess redirect stderr stdout csv TopSDItems.csv gam user user@domain.com copy drivefile "~id" recursive teamdriveparentid $targetFolderId
+```
+Windows Command Prompt
+```
+gam redirect csv ./TopSDItems.csv user user@domain.com print filelist select 1Bx-8W3 fields id,name,mimetype depth 0
+for /f "delims=" %a in ('gam user user@domain.com create drivefile mimetype gfolder teamdriveparentid 0AE-9ZX drivefilename "New Folder Name" returnidonly') do set taregtFolderId=%a
+gam redirect stdout ./CopySharedDrive.txt multiprocess redirect stderr stdout csv TopSDItems.csv gam user user@domain.com copy drivefile "~id" recursive teamdriveparentid %targetFolderId%
+```
+
 ## Move files and folders
 ## Move My Drive folder to Shared Drive
 There are two methods for moving a folder from a My Drive to a Shared Drive:
@@ -570,17 +615,12 @@ gam config auto_batch_min 1 csv_output_row_filter "owners.0.emailAddress:notrege
 ### Multiple parents
 No existing parents are copied for source top/sub files/folders.

-### Removed options
-The following options will generate an error; they were removed in 6.23.00:
-* `copysubfileparents` and `copysubfolderparents`.
-
 ### Move Folder Permissions
-When a folder is moved by recreating it, its permissions are not copied; these options control copying permissions for folders.
+When a folder is moved by recreating it, its permissions are not copied by the Drive API; these options control copying permissions for folders.

 For options of the form `option [<Boolean>]`; if `<Boolean>` is omitted, `true` is assumed.

 When recreated, a target folder inherits the permissions of its parent folder; these options control whether/how GAM copies the existing source folder permissions;
-The default values of options introduced in version 6.14.00 are set to match the behavior of earlier versions.

 When `mergewithparent` is `true`:
 * `copymergewithparentfolderpermissions false` - The permissions of the source top folder are not not copied to the target folder; this is the default action.
@@ -594,7 +634,7 @@ When `duplicatefolders` is `merge` and a sub folder is a duplicate:
 * `copymergedsubfolderpermissions false` - The permissions of the source sub folder are not not copied to the target folder.
 * `copymergedsubfolderpermissions true` - The permissions of the source sub folder are copied to the target folder; this is the default action.

-When `duplicatefolders` is `duplicatename` or `uniquename` and a top/sub folder is not a duplicate:
+When `duplicatefolders` is `merge` or `duplicatename` or `uniquename` and a top/sub folder is not a duplicate:
 * `copytopfolderpermissions true` - The permissions of the source top folder are copied to the target folder; this is the default action.
 * `copytopfolderpermissions false` - The permissions of the source top folder are not not copied to the target folder.
 * `copysubfolderpermissions true` - The permissions of the source sub folders are copied to the target folder; this is the default action.
--- a/wiki/Users-Drive-Files-Display.md
+++ b/wiki/Users-Drive-Files-Display.md
@@ -494,9 +494,8 @@ an API call per file is required to get the information.
  labelsIds: <ClassificationLabelID> <ClassificationLabelID> ...
 ```

-Starting in version 6.27.02, you can get Drive label information without an extra API call
-if you know the `<ClassificationLabelID>`s. Add `labelinfo` to your `fields` list and use `includelabels <ClassificationLabelIDList>`
-to specify the Drive labels.
+You can get Drive label information without an extra API call if you know the `<ClassificationLabelID>`s.
+Add `labelinfo` to your `fields` list and use `includelabels <ClassificationLabelIDList>` to specify the Drive labels.
 ```
 gam user user@domain.com show fileinfo <DriveFileEntity> fields id,name,mimetype,labelinfo includelabels "mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbbFcb"
 ```
@@ -504,7 +503,7 @@ gam user user@domain.com show fileinfo <DriveFileEntity> fields id,name,mimetype
 The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
 Use this option if you discover filenames containing these special characters; it is not common.

-Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+The option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
 causes GAM to display information about the target of the shortcut rather than the shortcut itself.

 By default, Gam displays the information as an indented list of keys and values.
@@ -540,7 +539,7 @@ Use this option if you discover filenames containing these special characters; i
 By default, when printing file paths, all paths for a file are displayed on the same row; use `oneitemperrow` to
 have each file path displayed on a separate row.

-Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+The option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
 causes GAM to display path information for the target of the shortcut rather than the shortcut itself.

 ## Select files for Display file counts, list, tree
@@ -1197,7 +1196,7 @@ These options can be used instead of the query options to select a specific fold
 * `select <DriveFileEntity>` - All files in the selected folder and below are shown.
  * To select the root folder of My Drive, use its `<DriveFolderID>` obtained by `gam user <UserItem> show fileinfo root id`
    * `select <IDfrom Above>`
-  * Starting in version 6.22.14, you can select the root folder of My Drive with `rootid`.
+  * You can select the root folder of My Drive with `rootid`.
    * `select rootid`
 * `selectsubquery <QueryDriveFile>` - Only the files in the selected folder that match the query are shown.

@@ -1669,7 +1668,7 @@ There is a final row detailing files and folders in the trash; it is omitted if
 * `depth` - Always -1
 * `path` - Trash

-GAM version `6.71.17` added the `depth` column that can be used to filter the depth of the folders displayed.
+The `depth` column that can be used to filter the depth of the folders displayed.
 Depth `-1` is the top level folder, depth `0` are its immediate children, depth `2` are the children of depth `1` and so forth.
 For example to limit the display to the top folder and its immediate children, use `config csv_output_row_filter depth:count<1`.

@@ -1738,8 +1737,6 @@ user@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash
 ```

 ## Display files published to the web
-Ths requires version 6.80.13 or later.
-
 You can display files published to the web.
 ```
 # Get the published files
--- a/wiki/Users-Drive-Files-Manage.md
+++ b/wiki/Users-Drive-Files-Manage.md
@@ -225,10 +225,7 @@ If `noduplicate` is specfied, GAM will issue a warning and not perform the creat
 exists in the parent folder.

 By default, when files are uploaded from local content, they are created with `binary` format, i.e., the data is uploaded
-without any conversion. Legacy GAM had an option `convert` that was passed to the Drive API v2 that it used.
-* convert - Whether to convert this file to the corresponding Docs Editors format
-
-Advanced GAM uses Drive API v3 that doesn't support the `convert` option; it uses the `mimetype` argument to cause conversions.
+without any conversion; use the `mimetype` argument to cause conversions.
 * `mimetype gdoc` - Convert the uploaded content to a Google Doc; e.g., convert a Word (.docx) or text (.txt) file to a Google Doc
 * `mimetype gsheet` - Convert the uploaded content to a Google Sheet; e.g., convert an Excel (.xlsx) or CSV (.csv) file to a Google Sheet
 * `mimetype gpresentation` - Convert the uploaded content to a Google Slides; e.g., convert a PowerPoint (.pptx) file to a Google Slides
@@ -249,6 +246,8 @@ Linux/MacOS
 fileId=$(gam user user@domain.com create drivefile ... returnidonly)
 Windows PowerShell
 $fileId = & gam user user@domain.com create drivefile ... returnidonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam user user@domain.com create drivefile ... returnidonly') do set fileId=%a
 ```
 The file ID will only be valid when the return code of the command is 0; program accordingly.

@@ -555,6 +554,8 @@ Linux/MacOS
 fileId=$(gam user user@domain.com update drivefile <DriveFileEntity> copy ... returnidonly)
 Windows PowerShell
 $fileId = & gam user user@domain.com update drivefile <DriveFileEntity> copy ... returnidonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam user user@domain.com update drivefile <DriveFileEntity> copy ... returnidonly') do set fileId=%a
 ```
 The file ID will only be valid when the return code of the command is 0; program accordingly.

@@ -662,7 +663,7 @@ gam <UserTypeEntity> trash drivefile <DriveFileEntity> [shortcutandtarget [<Bool
 gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> trash [shortcutandtarget [<Boolean>]]
 ```

-Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+The option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
 causes GAM to process the shortcut and the target of the shortcut.

 ## Untrash files
@@ -672,7 +673,7 @@ gam <UserTypeEntity> untrash drivefile <DriveFileEntity> [shortcutandtarget [<Bo
 gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> untrash [shortcutandtarget [<Boolean>]]
 ```

-Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+The  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
 causes GAM to process the shortcut and the target of the shortcut.

 ## Purge files
@@ -682,7 +683,7 @@ gam <UserTypeEntity> purge drivefile <DriveFileEntity> [shortcutandtarget [<Bool
 gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge [shortcutandtarget [<Boolean>]]
 ```

-Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+The  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
 causes GAM to process the shortcut and the target of the shortcut.

 ## Download Google Documents as JSON
--- a/wiki/Users-Drive-Permissions.md
+++ b/wiki/Users-Drive-Permissions.md
@@ -29,6 +29,7 @@
 ```
 <DomainName> ::= <String>(.<String>)+
 <EmailAddress> ::= <String>@<DomainName>
+<JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>

@@ -116,25 +117,28 @@ specify `basicpermissions` and additional permission fields, e.g., `permissions.
 <DriveFileACLRoleList> ::= "<DriveFileACLRole>(,<DriveFileACLRole>)*"
 <DriveFileACLType> ::= anyone|domain|group|user
 <DriveFileACLTypeList> ::= "<DriveFileACLType>(,<DriveFileACLType>)*"
-<DriveFilePermission> ::=
-        anyone|anyonewithlink|
-        user:<EmailAddress>|group:<EmailAddress>|
-        domain:<DomainName>|domainwithlink:<DomainName>;<DriveFileACLRole>
 <DriveFilePermissionID> ::=
        anyone|anyonewithlink|id:<String>
 <DriveFilePermissionIDorEmail> ::=
        <DriveFilePermissionID>|<EmailAddress>
-<DriveFilePermissionList> ::=
-        "<DriveFilePermission>(,<DriveFilePermission)*"
 <DriveFilePermissionIDList> ::=
        "<DriveFilePermissionID>(,<DriveFilePermissionID>)*"
-<DriveFilePermissionEntity> ::=
-         <DriveFilePermissionList> |
+<DriveFilePermissionIDEntity> ::=
+         <DriveFilePermissionIDList> |
         (json [charset <Charset>] <JSONData>)|(json file <FileName> [charset <Charset>]) |
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
-<DriveFilePermissionIDEntity> ::=
-         <DriveFilePermissionIDList> |
+	<DriveFilePermission> ::=
+        anyone;<DriveFileACLRole> | 
+        anyonewithlink;<DriveFileACLRole> |
+        domain:<DomainName>;<DriveFileACLRole> |
+        domainwithlink:<DomainName>;<DriveFileACLRole> |
+        group:<EmailAddress>;<DriveFileACLRole> |
+        user:<EmailAddress>;<DriveFileACLRole>
+<DriveFilePermissionList> ::=
+        "<DriveFilePermission>(,<DriveFilePermission)*"
+<DriveFilePermissionEntity> ::=
+         <DriveFilePermissionList> |
         (json [charset <Charset>] <JSONData>)|(json file <FileName> [charset <Charset>]) |
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
@@ -424,12 +428,12 @@ gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv mult

 Delete those My Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 Add My Drive ACLs with a different email address and the same role.
 ```
-gam config num_threads 20 redirect stdout ./AddMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+gam config num_threads 20 redirect stdout ./AddMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" add drivefileacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
 ```

 ### Shared Drives
@@ -447,12 +451,12 @@ gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect

 Delete those Shared Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 Add Shared Drive ACLs with a different email address and the same role.
 ```
-gam config num_threads 20 redirect stdout ./ReplaceSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+gam config num_threads 20 redirect stdout ./ReplaceSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" add drivefileacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
 ```

 ## Remove ACLs for all users-groups in external domains
@@ -469,18 +473,22 @@ Replace `<Types>` as required:
 Replace `<Domains>` with specification of external domain(s)
 * `domain domain.com` - A single external domain
 * `domainlist domain1.com,domain2.com,domain3.com...` - A list of external domains
+
+If you want domains other than your internal domain(s)
+* `notdomain domain.com` - A single internal domain
+* `notdomainlist domain1.com,domain2.com,domain3.com...` - A list of internal domains
 ```
 gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv multiprocess redirect stderr - multiprocess all users print filelist fields id,name,mimetype,basicpermissions pm notrole owner <Types> <Domains> em pmfilter oneitemperrow
 ```

 Delete those My Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 Add My Drive ACLs with a different email address and the same role.
 ```
-gam config num_threads 20 redirect stdout ./AddMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+gam config num_threads 20 redirect stdout ./AddMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" add drivefileacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
 ```

 ### Shared Drives
@@ -499,18 +507,22 @@ Replace `<Types>` as required:
 Replace `<Domains>` with specification of external domain(s)
 * `domain domain.com` - A single external domain
 * `domainlist domain1.com,domain2.com,domain3.com...` - A list of external domains
+
+If you want domains other than your internal domain(s)
+* `notdomain domain.com` - A single internal domain
+* `notdomainlist domain1.com,domain2.com,domain3.com...` - A list of internal domains
 ```
 gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect csv ./SharedDriveShares.csv multiprocess redirect stderr - multiprocess csv SharedDriveOrganizers.csv gam user "~organizers"  print filelist select shareddriveid "~id" fields id,name,mimetype,basicpermissions,driveid showdrivename pm <Types> <Domains> inherited false em pmfilter oneitemperrow
 ```

 Delete those Shared Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 Add Shared Drive ACLs with a different email address and the same role.
 ```
-gam config num_threads 20 redirect stdout ./ReplaceSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" add drivefleacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
+gam config num_threads 20 redirect stdout ./ReplaceSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" add drivefileacl "~id" "~permission.type" newemail@domain.rom role "~permission.role"
 ```

 ## Remove domainCanFind-domainWithLink ACLs for internal domain
@@ -529,7 +541,7 @@ gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv mult

 Delete those My Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 ### Shared Drives
@@ -546,7 +558,7 @@ gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect

 Delete those Shared Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 ## Remove My Drive ACLs for external domains
@@ -558,13 +570,17 @@ Get My Drive ACLs sharing to external domain(s)
 Replace `<Domains>` with specification of external domain(s)
 * `domain domain.com` - A single external domain
 * `domainlist domain1.com,domain2.com,domain3.com...` - A list of external domains
+
+If you want domains other than your internal domain(s)
+* `notdomain domain.com` - A single internal domain
+* `notdomainlist domain1.com,domain2.com,domain3.com...` - A list of internal domains
 ```
 gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv multiprocess redirect stderr - multiprocess all users print filelist fields id,name,mimetype,basicpermissions pm type domain <Domains> em pmfilter oneitemperrow
 ```

 Delete those My Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 ## Remove anyoneCanFind-anyoneWithLink ACLs
@@ -583,7 +599,7 @@ gam config auto_batch_min 1 num_threads 20 redirect csv ./MyDriveShares.csv mult

 Delete those My Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteMyDriveShares.txt multiprocess redirect stderr stdout csv MyDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```

 ### Shared Drives
@@ -599,5 +615,5 @@ gam config num_threads 20 csv_input_row_filter "organizers:regex:^.+$" redirect

 Delete those Shared Drive ACLs.
 ```
-gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefleacl "~id" "id:~~permission.id~~"
+gam config num_threads 20 redirect stdout ./DeleteSharedDriveShares.txt multiprocess redirect stderr stdout csv SharedDriveShares.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
 ```
--- a/wiki/Users-Drive-Shortcuts.md
+++ b/wiki/Users-Drive-Shortcuts.md
@@ -72,6 +72,8 @@ Linux/MacOS
 fileId=$(gam user user@domain.com create drivefileshortcut ... returnidonly)
 Windows PowerShell
 $fileId = & gam user user@domain.com create drivefileshortcut ... returnidonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam user user@domain.com create drivefileshortcut ... returnidonly') do set fileId=%a
 ```
 The shortcut ID will only be valid when the return code of the command is 0; program accordingly.

--- a/wiki/Users-Gmail-Delegates.md
+++ b/wiki/Users-Gmail-Delegates.md
@@ -3,6 +3,7 @@
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Aliases](#aliases)
+- [Delegation Notification](#delegation-notification)
 - [Create Gmail delegates](#create-gmail-delegates)
 - [Delete Gmail delegates](#delete-gmail-delegates)
 - [Update Gmail delegates](#update-gmail-delegates)
@@ -31,6 +32,23 @@ mail delegation is enabled. In the admin console, go to Apps/Google Workspace/Gm
 <UserEntity> ::=
        <UserList> | <FileSelector> | <CSVkmdSelector> | <CSVDataSelector>
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Users
+
+<StorageBucketName> ::= <String>
+<StorageObjectName> ::= <String>
+<StorageBucketObjectName> ::=
+        https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
+        gs://<StorageBucketName>/<StorageObjectName>|
+        <StorageBucketName>/<StorageObjectName>
+
+<UserGoogleDoc> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<NotifyMessageContent> ::=
+        (message|textmessage|htmlmessage <String>)|
+        (file|textfile|htmlfile <FileName> [charset <Charset>])|
+        (gdoc|ghtml <UserGoogleDoc>)|
+        (gcsdoc|gcshtml <StorageBucketObjectName>)
 ```
 ## Aliases

@@ -39,11 +57,61 @@ The `convertalias` option causes GAM to make an extra API call per user in `<Use
 to convert aliases to primary email addresses. If you know that all of the email addresses
 in `<UserEntity>` are primary, you can omit `convertalias` and avoid the extra API calls.

+## Delegation Notification
+When creating a delegate, you can send a message to the delegate.
+```
+[notify [<Boolean>]
+    [subject <String>]
+    [from <EmailAaddress>] [mailbox <EmailAddress>]
+    [replyto <EmailAddress>]
+    [<NotifyMessageContent>] [html [<Boolean>]]
+]
+```
+* `notify [<Boolean>]` - Should notification be sent
+
+In the subject and message, these strings will be replaced with the specified values:
+* `#user#` - user's email address
+* `#delegate#` - delegate's email address
+
+If subject is not specified, the following value will be used:
+* `#user# mail delegation to #delegate#`
+
+`<NotifyMessageContent>` is the message, there are four ways to specify it:
+* `message|textmessage|htmlmessage <String>` - Use `<String>` as the message
+* `file|htmlfile <FileName> [charset <Charset>]` - Read the message from `<FileName>`
+* `gdoc|ghtml <UserGoogleDoc>` - Read the message from `<UserGoogleDoc>`
+* `gcsdoc|gcshtml <StorageBucketObjectName>` - Read the message from the Google Cloud Storage file `<StorageBucketObjectName>`
+
+If `<NotifyMessageContent>`is not specified, the following value will be used:
+* `#user# has granted you #delegate# access to read, delete and send mail on their behalf.`
+
+Unless specified in `<NotifyMessageContent>`, messages are sent as plain text,
+use `html` or `html true` to indicate that the message is HTML.
+
+Use `\n` in `message <String>` to indicate a line break; no other special characters are recognized.
+
+By default, the email is sent from the admin user identified in oauth2.txt, `gam oauth info` will show the value.
+Use `from <EmailAddress>` to specify an alternate from address.
+Use `mailbox <EmailAddress>` if `from <EmailAddress>` specifies a group; GAM has to login as a user to be able to send a message. 
+Gam gets no indication as to the status of the message delivery; the from user will get a non-delivery receipt if the message could not be sent to the delegate.
+
 ## Create Gmail delegates
 These two commands are equivalent.
 ```
 gam <UserTypeEntity> add delegate|delegates [convertalias] <UserEntity>
+        [[notify <EmailAddressList>]
+            [subject <String>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
+            [replyto <EmailAaddress>]
+            [<NotifyMessageContent>]
+        ]
 gam <UserTypeEntity> delegate|delegates to [convertalias] <UserEntity>
+        [[notify <EmailAddressList>]
+            [subject <String>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
+            [replyto <EmailAaddress>]
+            [<NotifyMessageContent>]
+        ]
 ```
 ### Example

@@ -51,6 +119,7 @@ To give Bob access to Fred's mailbox as a delegate:

 ```
 gam user fred@domain.com add delegate bob@domain.com
+gam user fred@domain.com delegate to bob@domain.com
 ```

 ## Delete Gmail delegates
--- a/wiki/Users-Meet.md
+++ b/wiki/Users-Meet.md
@@ -22,8 +22,6 @@
 * [Search Conference Participants](https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.participants/list)

 ## Introduction
-These features were added in version 6.81.00.
-
 To use these commands you must add the 'Meet API' to your project and update your service account authorization.
 ```
 gam update project
--- a/wiki/Users-People-Contacts-Profiles.md
+++ b/wiki/Users-People-Contacts-Profiles.md
@@ -24,16 +24,9 @@
 - [Copy User Contacts to another User](#copy-user-contacts-to-another-user)

 ## Notes
-As of version `6.08.00`, GAM uses the People API to manage user contacts rather than the Contacts API.
+GAM uses the People API to manage user contacts rather than the Contacts API.

-Most commands will work unchanged but Google has completely changed how the data is presented. If you
-have scripts that process the output from `print contacts` for example, they will have to be changed.
-
-You might want to keep an older version of GAM available so you can compare the output from the two
-versions and make adjustments as necessary.
-
-If you manage contacts in the contact group "Other Contacts", you will need to use an older version,
-as the People API has very little support for this.
+The People API has very little support for managing contacts in the contact group "Other Contacts".

 To use these commands you must add the `People API` to your project and authorize the appropriate scopes:
 * `Client Access`
@@ -398,8 +391,8 @@ By default, Gam displays the information as an indented list of keys and values.
 gam <UserTypeEntity> show contacts
        <PeoplePrintShowUserContactSelection>
        [orderby firstname|lastname|(lastmodified ascending)|(lastnodified descending)
-        [countsonly|allfields|(fields <PeopleFieldNameList>)] [showgroups] [showmetadata]
-        [formatjson]
+        [allfields|(fields <PeopleFieldNameList>)] [showgroups] [showmetadata]
+        [countsonly|formatjson]
 ```
 By default, Gam displays all of a user's people contacts.
 * `query <String>` - Display contacts based on the data in their fields
@@ -416,8 +409,8 @@ By default, Gam displays the information as an indented list of keys and values.
 gam <UserTypeEntity> print contacts [todrive <ToDriveAttribute>*]
        <PeoplePrintShowUserContactSelection>
        [orderby firstname|lastname|(lastmodified ascending)|(lastnodified descending)
-        [countsonly|allfields|(fields <PeopleFieldNameList>)] [showgroups] [showmetadata]
-        [formatjson [quotechar <Character>]]
+        [allfields|(fields <PeopleFieldNameList>)] [showgroups] [showmetadata]
+        [countsonly|(formatjson [quotechar <Character>])]
 ```
 By default, Gam displays all of a user's people contacts.
 * `query <String>` - Display contacts based on the data in their fields
@@ -547,8 +540,8 @@ User: user@domain.com, Delete maximum of 15 Other Contacts
 ```
 gam <UserTypeEntity> show othercontacts
        [<OtherContactsSelection>]
-        [countsonly|allfields|(fields <OtherContactsFieldNameList>)] [showmetadata]
-        [formatjson]
+        [allfields|(fields <OtherContactsFieldNameList>)] [showmetadata]
+        [countsonly|formatjson]
 ```
 By default, Gam displays all of a user's Other Contacts; use
 `<OtherContactsSelection>` to display a selection of Other Contacts.
@@ -563,8 +556,8 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> print othercontacts [todrive <ToDriveAttribute>*]
        [<OtherContactsSelection>]
-        [countsonly|allfields|(fields <OtherContactsFieldNameList>)] [showmetadata]
-        [formatjson [quotechar <Character>]]
+        [allfields|(fields <OtherContactsFieldNameList>)] [showmetadata]
+        [countsonly|(formatjson [quotechar <Character>])]
 ```
 By default, Gam displays all of a user's Other Contacts; use
 `<OtherContactsSelection>` to display a selection of Other Contacts.
--- a/wiki/Users-Shared-Drives.md
+++ b/wiki/Users-Shared-Drives.md
@@ -283,6 +283,8 @@ Linux/MacOS
 teamDriveId=$(gam user user@domain.com create shareddrive ... returnidonly)
 Windows PowerShell
 $teamDriveId = & gam user user@domain.com create shareddrive ... returnidonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam user user@domain.com create shareddrive ... returnidonly') do set teamDriveId=%a
 ```

 ## Bulk Create Shared Drives
@@ -425,9 +427,11 @@ The `Getting` and `Got` messages are written to stderr, the count is writtem to
 To retrieve the count with `showitemcountonly`:
 ```
 Linux/MacOS
-count=$(gam user user@domain.com print shareddrives showitemcountonly)
+count=$(gam user user@domain.com print shareddrives ... showitemcountonly)
 Windows PowerShell
-count = & gam user user@domain.com print shareddrives showitemcountonly
+$count = & gam user user@domain.com print shareddrives ... showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam user user@domain.com print shareddrives ... showitemcountonly') do set count=%a
 ```
 ## Display Shared Drive Organizers
 The following command can be used instead of the `GetTeamDriveOrganizers.py` script.
@@ -603,8 +607,6 @@ gam redirect stdout ./AddU2SharedDriveAccess.txt multiprocess redirect stderr st
 ```

 ## Bulk change User1 Shared Drive access to User2
-This requires GAM version 6.79.09 or higher.
-
 Make a CSV file Users.csv with two email address columns: User,Replace
 ```
 # Get Shared Drives for all Users in CSV file
--- a/wiki/Users-Tasks.md
+++ b/wiki/Users-Tasks.md
@@ -122,7 +122,7 @@ gam <UserTypeEntity> show tasks [tasklists <TasklistEntity>]
        [updatedmin <Time>]
        [showcompleted [<Boolean>]] [showdeleted [<Boolean>]] [showhidden [<Boolean>]] [showall]
        [orderby completed|due|updated]
-        [countsonly|compact|formatjson]
+        [compact|countsonly|formatjson]
 ```
 The API only supports dates in `duemin` and `duemax' but you must supply a null time:
 * `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
@@ -152,7 +152,7 @@ gam <UserTypeEntity> print tasks [tasklists <TasklistEntity>] [todrive <ToDriveA
        [updatedmin <Time>]
        [showcompleted [<Boolean>]] [showdeleted [<Boolean>]] [showhidden [<Boolean>]] [showall]
        [orderby completed|due|updated]
-        [countsonly | (formatjson [quotechar <Character>])]
+        [countsonly|(formatjson [quotechar <Character>])]
 ```
 The API only supports dates in `duemin` and `duemax' but you must supply a null time:
 * `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
@@ -230,7 +230,7 @@ By default, Gam displays the task lists as an indented list of keys and values.

 ```
 gam <UserTypeEntity> print tasklists [todrive <ToDriveAttribute>*]
-        [countsonly | (formatjson [quotechar <Character>])]
+        [countsonly|(formatjson [quotechar <Character>])]
 ```
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
--- a/wiki/Users.md
+++ b/wiki/Users.md
@@ -401,14 +401,13 @@ password "helloworld" nohash
 ```

 ## Password Notification
-When creating a user or updating a user's password, you can send a message with details to an email address;'
-this might be the user's secondary email address or their recovery email address.
+When creating a user or updating a user's password, you can send a message with details to an email address
+or addresses; these might be the user's secondary email address, their recovery email address or a help desk user.
 ```
 [[notify <EmailAddressList>] [notifyrecoveryemail]
    [subject <String>]
    [notifypassword <String>]
-    [from <EmailAaddress>]
-    [mailbox <EmailAddress>]
+    [from <EmailAaddress>] [mailbox <EmailAddress>]
    [replyto <EmailAddress>]
    [<NotifyMessageContent>]
    (replace <Tag> <UserReplacement>)*
@@ -419,6 +418,15 @@ this might be the user's secondary email address or their recovery email address
 * `notify <EmailAddressList>` - Specify recipients
 * `notifyrecoveryemail` - Use the user's recovery email address (if defined) as a recipient

+In the subject and message, these strings will be replaced with the specified values:
+* `#givenname#` - first/given name
+* `#familyname#` - last/family name
+* `#email#` - user's email address
+* `#user#` - user's email address
+* `#username#` - portion of user's email address before @
+* `#domain#` - portion of user's email after after @
+* `#password#` - password
+
 If subject is not specified, the following value will be used:
 * create - `Welcome to #domain#`
 * update - `Account #user# password has been changed`
@@ -434,14 +442,8 @@ If `<NotifyMessageContent>`is not specified, the following value will be used:
    Start using your new account by signing in at\nhttps://www.google.com/accounts/AccountChooser?Email=#user#&continue=https://workspace.google.com/dashboard\n`
 * update - `The account password for #givenname# #familyname#, #user# has been changed to: #password#\n`

-In the subject and message, these strings will be replaced with the specified values:
-* `#givenname#` - first/given name
-* `#familyname#` - last/family name
-* `#email#` - user's email address
-* `#user#` - user's email address
-* `#username#` - portion of user's email address before @
-* `#domain#` - portion of user's email after after @
-* `#password#` - password
+Unless specified in `<NotifyMessageContent>`, messages are sent as plain text,
+use `html` or `html true` to indicate that the message is HTML.

 Use `\n` in `message <String>` to indicate a line break; no other special characters are recognized.

@@ -464,8 +466,6 @@ Use `from <EmailAddress>` to specify an alternate from address.
 Use `mailbox <EmailAddress>` if `from <EmailAddress>` specifies a group; GAM has to login as a user to be able to send a message. 
 Gam gets no indication as to the status of the message delivery; the from user will get a non-delivery receipt if the message could not be sent to the `notify <EmailAddressList>`.

-By default, messages are sent as plain text, use `html` or `html true` to indicate that the message is HTML.
-
 ## Define schema fields
 You can set custom schema field values for users; schema fields can be scalar, a single value, or can be multivalued.
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/schemas
@@ -658,8 +658,7 @@ gam update user <UserItem> [ignorenullpassword] <UserAttribute>*
        [[notify <EmailAddressList>] [notifyrecoveryemail]
            [subject <String>]
            [notifypassword <String>]
-            [from <EmailAaddress>]
-            [mailbox <EmailAddress>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
            [replyto <EmailAddress>]
            [<NotifyMessageContent>]
            (replace <Tag> <UserReplacement>)*
@@ -680,8 +679,7 @@ gam update users <UserTypeEntity> [ignorenullpassword] <UserAttribute>*
        [[notify <EmailAddressList>] [notifyrecoveryemail]
            [subject <String>]
            [notifypassword <String>]
-            [from <EmailAddress>]
-            [mailbox <EmailAddress>]
+            [from <EmailAddress>] [mailbox <EmailAddress>]
            [replyto <EmailAaddress>]
            [<NotifyMessageContent>]
            (replace <Tag> <UserReplacement>)*
@@ -702,8 +700,7 @@ gam <UserTypeEntity> update users [ignorenullpassword] <UserAttribute>*
        [[notify <EmailAddressList>] [notifyrecoveryemail]
            [subject <String>]
            [notifypassword <String>]
-            [from <EmailAaddress>]
-            [mailbox <EmailAddress>]
+            [from <EmailAaddress>] [mailbox <EmailAddress>]
            [replyto <EmailAddress>]
            [<NotifyMessageContent>]
            (replace <Tag> <UserReplacement>)*
@@ -996,11 +993,9 @@ gam <UserTypeEntity> info users
 For `info users`, unlike all other GAM commands, a `<UserTypeEntity>` value of `all users` is actually `all users_ns_susp` not `all users_ns`.
 This is a backwards compatibility issue.

-Starting in version `5.23.01`, the variable `quick_info_user` was added to `gam.cfg` to control how much information requiring additional API calls is displayed.
-(Prior to version `5.23.01`, assume `quick_info_user = False`.)
+The variable `quick_info_user` was added to `gam.cfg` controls how much information requiring additional API calls is displayed.

 `quick_info_user = False`: Gam makes additional API calls to get more information; you can selectively eliminate these calls to improve performance.
-
 * `noaliases` - Do not get alias information
 * `nobuildingnames` - Do not get building names for locations
 * `nogroups` - Do not get group membership information
@@ -1344,8 +1339,11 @@ To retrieve the count with `showitemcountonly`:
 Linux/MacOS
 count=$(gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly)
 Windows PowerShell
-count = & gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly
+$count = & gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly
+Windows Command Prompt
+for /f "delims=" %a in ('gam print users query "orgUnitPath='/Students/Middle School'" showitemcountonly') do set count=%a
 ```
+
 ## Verify domain membership
 You have a CSV file of email addresses and want to verify of the addresses are valid users in your domain.
 ```
--- a/wiki/Using-GAM7-with-a-YubiKey.md
+++ b/wiki/Using-GAM7-with-a-YubiKey.md
@@ -1,5 +1,4 @@
 # Using GAM7 with a YubiKey
- [Thanks](#thanks)
 - [Yubikey ykman PIV Commands](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html)
 - [Introduction](#introduction)
 - [FAQs](#faqs)
@@ -7,15 +6,9 @@

 **Alternative Approach**: For enhanced security and simplified operations when running GAM outside Google Cloud, consider [Workload Identity Federation](https://github.com/GAM-team/GAM/wiki/Using-GAM7-with-keyless-authentication-Workload-Identity-Federation) - Google's recommended keyless authentication method that eliminates the need for managing any long-lived credentials. If running GAM in Google Cloud, use [attached service accounts on GCE](https://github.com/GAM-team/GAM/wiki/Running-GAM7-securely-on-a-Google-Compute-Engine) instead.

-## Thanks
-
-Thanks to Jay Lee for the original version of this document.
-
 ## Introduction
 GAM7 supports using a [YubiKey](https://www.yubico.com/products/yubikey-5-overview/) to generate and store the service account's private RSA key. Private keys generated by the YubiKey cannot be exported even to the computer running GAM7. When compared to the plain text oauth2service.json file with the private key stored in text, the YubiKey offers a more secure option that prevents digital theft and copying of the private key. Instead of reading the private key from the oauth2service.json file and signing requests itself, GAM7 will simply send signing requests to the YubiKey and get back the signature.

-GAM7 version 6.50.01 or higher is required. Best practice is to always use the [latest version of GAM7](https://github.com/GAM-team/GAM/wiki/How-to-Update-Advanced-GAM).
-
 ## FAQs
 ### Can I use a Google Titan or other brand security key?
 No, while Titan keys are great as security keys / U2F / 2SV, that is not the protocol being used by GAM7 here. GAM7 uses the PIV app of YubiKeys to work with service accounts. You need to use [a genuine Yubikey.](https://yubico.com/genuine/).
@@ -36,7 +29,7 @@ No, because the YubiKey generated the private key it cannot be digitally exporte
 When using domain-wide delegation with GAM7, the service account and anyone possessing the service account private key oauth2service.json file has access to the Gmail, Drive and Calendar data of ALL Workspace users in your domain. For this reason, whether using a YubiKey or not, you should take strong measures to protect the service account private key.

 ## Setup Steps
-1. Upgrade to at least GAM7 6.50.01.
+1 .Upgrade to the [latest version of GAM7](https://github.com/GAM-team/GAM/wiki/How-to-Update-GAM7).
 2. **If you are using a new YubiKey or don't care about the PIV app data on the YubiKey**
    1. Tell GAM7 to reset and configure the PIV app data on the YubiKey. This wipes all existing keys and configuration and then configures a private key and PIN for GAM7.
      * Single YubiKey - `gam yubikey reset_piv`
--- a/wiki/Using-GAM7-with-a-delegated-admin-service-account.md
+++ b/wiki/Using-GAM7-with-a-delegated-admin-service-account.md
@@ -24,7 +24,7 @@ Not all Google Admin APIs work with DASA right no:
 * GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the [GAM group](https://groups.google.com/g/google-apps-manager).

 ## Setup Steps
-1. Upgrade to at least GAM7 6.50.00. Best practice is to always use the [latest version of GAM7](https://github.com/GAM-team/GAM/wiki/How-to-Update-Advanced-GAM).
+1. Upgrade to the [latest version of GAM7](https://github.com/GAM-team/GAM/wiki/How-to-Update-GAM7).

 2. Follow the steps in `gam create project` up to the point where you are presented with a URL to the Cloud console to create a Client ID and secret. You don’t need to enter anything those, just press CTRL+C to quit the project creation.

--- a/wiki/Vault-Takeout.md
+++ b/wiki/Vault-Takeout.md
@@ -3,6 +3,7 @@
 - [Query documentation](#query-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
+- [Special quoting](#special-quoting)
 - [Vault Matters](#vault-matters)
  - [Create Vault Matters](#create-vault-matters)
  - [Manage Vault Matters](#manage-vault-matters)
@@ -21,9 +22,12 @@
  - [Display Vault Holds](#display-vault-holds)
  - [Display Vault Holds Affecting a User](#display-vault-holds-affecting-a-user)
 - [Vault Saved Queries](#vault-saved-queries)
+  - [Create Vault Saved Queries](#create-vault-saved-queries)
+  - [Copy Vault Saved Queries](#copy-vault-saved-queries)
+  - [Delete Vault Saved Queries](#delete-vault-saved-queries)
  - [Display Vault Saved Queries](#display-vault-saved-queries)
 - [Takeout](#takeout)
-  - [Copy a Takeout Bucket](#copy-a-takeoutbucket)
+  - [Copy a Takeout Bucket](#copy-a-takeout-bucket)
  - [Download a Takeout Bucket](#download-a-takeout-bucket)

 ## API documentation
@@ -54,6 +58,7 @@
 <EmailAddressList> ::= "<EmailAddess>(,<EmailAddress>)*"
 <EmailAddressEntity> ::= <EmailAddressList> | <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVDataSelector>
        See: https://github.com/GAM-team/GAM/wiki/Collections-of-Items
+<JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 <TimeZone> ::= <String>
        See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 <UniqueID> ::= id:<String>
@@ -66,13 +71,17 @@

 <ChatSpace> ::= spaces/<String> | space/<String> | <String>
 <ChatSpaceList> ::= "<ChatSpace>(,<ChatSpace>)*"
+<DriveFileID> ::= <String>
+<DriveFileIDList> ::= "<DriveFileID>(,<DriveFileID>)*"
 <ExportItem> ::= <UniqueID>|<String>
 <ExportStatus> ::= completed|failed|inprogrsss
 <ExportStatusList> ::= "<ExportStatus>(,<ExportStatus>)*"
 <HoldItem> ::= <UniqueID>|<String>
 <MatterItem> ::= <UniqueID>|<String>
+<MatterItemList> ::= "<MatterItem>(,<MatterItem>)*"
 <MatterState> ::= open|closed|deleted
 <MatterStateList> ::= "<MatterState>(,<MatterState>)*"
+<QueryItem> ::= <UniqueID>|<String>
 <SharedDriveID> ::= <String>
 <SharedDriveIDList> ::= "<SharedDriveID>(,<SharedDriveID>)*"
 <URL> ::= <String>
@@ -135,9 +144,29 @@
 <VaultQueryFieldNameList> ::= "<VaultQueryFieldName>(,<VaultQueryFieldName>)*"

 ```
+
 You specify matters, exports and holds by ID (`<UniqueID>`) or name (`<String>`). The API requires an ID, so if you specify a name,
 GAM has to make additional API calls to convert the name to an ID.

+## Special quoting
+You specify a single matter with `matter <MatterItem>` and a list of matters with `matters <MatterItemList>`.
+
+As matter names can contain spaces, some care must be used when entering `<MatterItem>` and `<MatterItemList>` with names.
+
+Suppose you have a matter `Foo Bar`. To get information about a specific export: `gam info vaultexport "Foo Bar" <ExportItem>`
+
+The shell strips the `"` leaving a single argument `Foo Bar`; gam correctly processes the argument.
+
+Suppose you enter the command: `gam show vaultexports matters "Foo Bar"`
+
+The shell strips the `"` leaving a single argument `Foo Bar`; gam splits the argument on space leaving two items and then tries to process `Foo` and `Bar`, not what you want.
+
+You must enter: `gam info show vaultexports matters "'Foo Bar'"`
+
+The shell strips the `"` leaving a single argument `'Foo Bar'`; gam splits the argument on space while honoring the `'` leaving one item `Foo Bar` and correctly processes the item.
+
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)
+
 ## Vault Matters
 ## Create Vault Matters
 Create a Google Vault matter.
@@ -201,11 +230,18 @@ Select fields to display:
 * `fields <VaultMatterFieldNameList>` - Display selected fields; `matterId` and `name` are always displayed

 ## Display Vault Counts
-Display item counts retained in Vault for the given users or groups.
+### Display item counts retained in Vault using a saved Vault query.
+```
+gam print vaultcounts [todrive <ToDriveAttributes>*]
+        matter <MatterItem> <QueryItem>
+        [wait <Integer>]
+```
+
+### Display item counts retained in Vault for the given users or groups.
 * The required argument `matter` specifies the matter name or ID (prefix with id:) where the count should be performed.
 * The required argument `corpus` specifies whether Gmail mailbox data or Google Groups archives are queried.
-* You need to specify one argument of accounts, orgunit or everyone to determine which users/groups to query.
 * The `scope` argument specifies the data to be queried, `all_data` is  the default and is recommended.
+* You need to specify one argument of accounts, orgunit or everyone to determine which users/groups to query.

 The command may take some time to complete; GAM makes repeated API calls until the operation is complete. By default,
 GAM waits 15 seconds between API calls; use the `wait <Integer>` option to specify a different wait period.
@@ -213,26 +249,28 @@ GAM waits 15 seconds between API calls; use the `wait <Integer>` option to speci
 This command can be useful for discovering legacy former employee accounts which no longer have any mail data retained by Vault.
 ```
 gam print vaultcounts [todrive <ToDriveAttributes>*]
-        matter <MatterItem> corpus mail|groups
-        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
-        [(shareddrives|teamdrives (<TeamDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))]
-        [scope <all_data|held_data|unprocessed_data>]
+        matter <MatterItem>
+        corpus mail|groups
+        [scope all_data|held_data|unprocessed_data]
+        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone|entireorg
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
        [excludedrafts <Boolean>]
+        [<JSONData>]
        [wait <Integer>]
 ```
 Specify the search method, this is optional:
 * `accounts <EmailAddressEntity>` - Search all accounts specified in `<EmailAddressEntity>`
 * `orgunit|org|ou <OrgUnitPath>` - Search all accounts in the OU `<OrgUnitPath>`
-* `everyone` - Search for all accounts in the organization
-* `shareddrives|teamdrives <SharedDriveIDList>` - Search for all accounts in the Shared Drives specified in `<SharedDriveIDList>`
-* `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Search for all accounts in the Shared Drives specified in `<FileSelector>|<CSVFileSelector>`
-* `rooms <ChatSpaceList>` - Search in the Room specified in the chat rooms specified in `<ChatSpaceList>`
-* `rooms <ChatSpaceList>` - Search in the Room specified in the chat rooms specified in `<FileSelector>|<CSVFileSelector>`
-* `sitesurl <URLList>` - Search the published site URLs of new Google Sites in `<URLList>`
-* `sitesurl <URLList>` - Search the published site URLs of new Google Sites specified in `<FileSelector>|<CSVFileSelector>`
+* `everyone|entireorg` - Search for all accounts in the organization
+
+For `corpus mail|group`, you can specify search terms to limit the search.
+* `terms <String>` - [Vault search](https://support.google.com/vault/answer/2474474)
+
+For `corpus mail|group`, you can specify time limits on the search:
+* `start|starttime <Date>|<Time>` - The start time range for the search query. These timestamps are in GMT and rounded down to the start of the given date.
+* `end|endtime <Date>|<Time>` - The end time range for the search query. These timestamps are in GMT and rounded down to the start of the given date.
+
+You can specify query options with `<JSONData>`.

 Check the status of a previous count operation with the name from a previous command.
 ```
@@ -242,32 +280,48 @@ gam print vaultcounts [todrive <ToDriveAttributes>*]

 ## Vault Exports
 ## Create Vault Exports
-Create a Google Vault export request.
+### Create a Google Vault export request using a saved Vault query.
 ```
-gam create vaultexport|export matter <MatterItem> [name <String>] corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
-        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
-        (shareddrives|teamdrives (<TeamDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
-            (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+gam create vaultexport|export matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [driveclientsideencryption any|encrypted|unencrypted]
+        [includeaccessinfo <Boolean>]
+        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
+        [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
+        [format ics|mbox|pst|xml]
+        [region any|europe|us] [showdetails|returnidonly]
+```
+
+Create a Google Vault export request by specifying the query parameters.
+```
+gam create vaultexport|export matter <MatterItem> [name <String>]
+        corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
        [scope all_data|held_data|unprocessed_data]
+        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
+        (documentids  (<DriveFileIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
+        (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+        [driveversiondate <Date>|<Time>]
+        [includerooms <Boolean>]
+        (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
        [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
        [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
-        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
-        [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
+        (covereddata calllogs|textmessages|voicemails)*
+        [<JSONData>]
        [driveclientsideencryption any|encrypted|unencrypted]
-        [includerooms <Boolean>]
+        [includeaccessinfo <Boolean>]
        [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
        [showconfidentialmodecontent <Boolean>] [usenewexport <Boolean>] [exportlinkeddrivefiles <Boolean>]
-        [covereddata calllogs|textmessages|voicemails]
        [format ics|mbox|pst|xml]
        [region any|europe|us] [showdetails|returnidonly]
 ```
 <MatterItem> specifies the matter name or ID the export should be associated with.

-Specify the name of the export:
-* `name <String>` - The export will be named `<String>`
-* `default` - The export will be named `GAM <corpus> Export - <Time>`
+If `name <String>` is omitted, the  export will be named `GAM <corpus> Export - <Time>`
+
+## Vault Query options

 Specify the corpus of data, this option is required:
 * `calendar`
@@ -281,13 +335,15 @@ Specify the corpus of data, this option is required:
 Specify the search method, this option is required:
 * `accounts <EmailAddressEntity>` - Search all accounts specified in `<EmailAddressEntity>`
 * `orgunit|org|ou <OrgUnitPath>` - Search all accounts in the OU `<OrgUnitPath>`
-* `everyone` - Search for all accounts in the organization
+* `everyone|entireorg` - Search for all accounts in the organization
+* `documentids <DriveFileIDList>` - Search for all drive files specified in `<DriveFileIDList>`
+* `documentids select <FileSelector>|<CSVFileSelector>` - Search for all drive files  specified in `<FileSelector>|<CSVFileSelector>`
 * `shareddrives|teamdrives <SharedDriveIDList>` - Search for all accounts in the Shared Drives specified in `<SharedDriveIDList>`
 * `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Search for all accounts in the Shared Drives specified in `<FileSelector>|<CSVFileSelector>`
-* `rooms <ChatSpaceList>` - Search in the Room specified in the chat rooms specified in `<ChatSpaceList>`
-* `rooms <ChatSpaceList>` - Search in the Room specified in the chat rooms specified in `<FileSelector>|<CSVFileSelector>`
 * `sitesurl <URLList>` - Search the published site URLs of new Google Sites in `<URLList>`
 * `sitesurl <URLList>` - Search the published site URLs of new Google Sites specified in `<FileSelector>|<CSVFileSelector>`
+* `rooms <ChatSpaceList>` - Search in the Room specified in the chat rooms specified in `<ChatSpaceList>`
+* `rooms <ChatSpaceList>` - Search in the Room specified in the chat rooms specified in `<FileSelector>|<CSVFileSelector>`

 Specify the scope of data to include in the export:
 * `all_data` - All available data; this is the default
@@ -320,10 +376,6 @@ For `corpus calendar`, you can specify advanced search options:
  * Search the current version of the Calendar event, but export the contents of the last version saved before 12:00 AM UTC on the specified date.
  * Enter the date in UTC.

-For `corpus calendar`, you can specify the format of the exported data:
-* `format ics` - Export in ICS format, this is the default
-* `format pst` - Export in PST format
-
 For `corpus drive`, you can specify advanced search options:
 * `driveversiondate <Date>|<Time>` - Search the versions of the Drive file as of the reference date. These timestamps are in GMT and rounded down to the given date.
 * `includeshareddrives False` - Mapped to `sharedrivesoption included_if_account_is_not_a_member`
@@ -331,6 +383,16 @@ For `corpus drive`, you can specify advanced search options:
 * `sharedrivesoption included` - Resources in shared drives are included in the search
 * `sharedrivesoption included_if_account_is_not_a_member` - Resources in shared drives where account is not a member are included in the search, this is the default
 * `sharedrivesoption not_included` - Resources in shared drives are not included in the search
+
+For `corpus hangouts_chat` you can specify advanced search options:
+* `includerooms False` - Do not include rooms, this is the default
+* `includerooms True` - Include rooms
+
+You can specify query options with `<JSONData>`.
+
+## Vault Export options
+
+For `corpus drive`, you can specify advanced search options:
 * `driveclientsideencryption any` - Include both client-side encrypted and unencrypted content in search, this is the default.
 * `driveclientsideencryption encrypted` - Include client-side encrypted content only in search.
 * `driveclientsideencryption unencrypted` - Include client-side unencrypted content only in search.
@@ -339,10 +401,6 @@ For `corpus drive`, you can specify whether to include access information for us
 * `includeaccessinfo False` - Do not include access information for users with indirect access, this is the default
 * `includeaccessinfo True` - Include access information for users with indirect access

-For `corpus hangouts_chat` you can specify advanced search options:
-* `includerooms False` - Do not include rooms, this is the default
-* `includerooms True` - Include rooms
-
 For `corpus mail`, you can specify advanced search options:
 * `excludedrafts False` - Do not exclude drafts, this is the default
 * `excludedrafts True` - Exclude drafts
@@ -365,18 +423,18 @@ For `corpus mail`, you can specify whether to enable exporting linked Drive file
 See: https://support.google.com/vault/answer/4388708#new_gmail_export&zippy=%2Cfebruary-new-gmail-export-system-available

 For `corpus calendar`, you can specify the format of the exported data:
-* `format ics - Export in ICS format, this is the default
+* `format ics` - Export in ICS format, this is the default
 * `format pst` - Export in PST format

 For `corpus drive`, you can not specify the format of the exported data,

-For `corpus gemini`, `format xml` is the only format of the exported data,
+For `corpus gemini`, `format xml` is the only supported format of the exported data,

 For `corpus groups`, `corpus hangouts_chat`, `corpus mail` and `corpus voice`, you can specify the format of the exported data:
 * `format mbox` - Export in MBOX format, this is the default
 * `format pst` - Export in PST format

-For `corpus voice` you can specify thet data covered by the export:
+For `corpus voice` you can specify the data covered by the export, multiple values are allowed.:
 * `covereddata calllogs` - Call logs
 * `covereddata textmessages` - Voice text messages
 * `covereddata voicemail` - Voicemail
@@ -429,10 +487,8 @@ Alternatively, `<FileName>` can contain the strings `#objectname#`, `#filename#`
 and `#extension#` which will be replaced by the values from the original object names to construct a complete top level name.
 For example, `targetname "#filename#.#extension#"` strips the long matter name from the original name.

-**In versions prior to 6.07.14, If `<FileName>` does not contain `#filename#` and there are multiple top level files with the same extension, only the
-last file with a given extension will be saved as the earlier files will be overwritten.**
-
-This is fixed in 6.07.14: the files will be named `FileName-N.ext` where `N` is `1,2,3,...`.
+If `<FileName>` does not contain `#filename#` and there are multiple top level files with the same extension,
+the files will be named `FileName-N.ext` where `N` is `1,2,3,...`.

 Zip files extracted from the top level Zip file will still have their long names.

@@ -526,7 +582,6 @@ done < user1@domain.com-vault-files.csv
 Why would you want to download files one by one when GAM can download all Cloud Storage objects in one go? Because all of the files combined **might** take up a lot of space (think Terabytes in case of a Drive export of many years) whereas individually, each file will be in a much more manageable ~10 Gigabyte range.

 ## Copy Vault Exports
-Many thanks to Jay for this command and documentation.
 ```
 gam copy vaultexport|export <ExportItem> matter <MatterItem>
        [targetbucket <String>] [targetprefix <String>]
@@ -606,13 +661,29 @@ The `shownames` argument controls whether account and org unit names are display

 ## Vault Holds
 ## Create Vault Holds
+### Create a hold from a saved Vault query.
 ```
-gam create vaulthold|hold matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
+gam create vaulthold|hold matter <MatterItem> [name <String>]
+        vaultquery <QueryItem>
+        [showdetails|returnidonly]
+```
+Specify the name of the hold:
+* `name <String>` - The hold will be named `<String>`
+* `default` - The hold will be named `GAM <corpus> Hold - <Time>`
+
+Use the `showdetails` option to have the full details of the hold displayed.
+
+Use the `returnidonly` option to have only the hold ID displayed.
+
+### Create a hold from parameters.
+```
+gam create vaulthold|hold matter <MatterItem> [name <String>]
+        corpus calendar|drive|mail|groups|hangouts_chat|voice
        [(accounts|groups|users <EmailItemList>) | (orgunit|org|ou <OrgUnit>)]
        [query <QueryVaultCorpus>]
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
        [includerooms <Boolean>]
-        [covereddata calllogs|textmessages|voicemails]
+        (covereddata calllogs|textmessages|voicemails)*
        [includeshareddrives <Boolean>]
        [showdetails|returnidonly]
 ```
@@ -638,10 +709,10 @@ For `corpus drive`, you can specify advanced search options:
 * `includeshareddrives False` - Files in shared drives are not included in the hold, this is the default
 * `includeshareddrives True` - Files in shared drives are included in the hold

-For `corpus mail`, you can specify search terms to limit the search.
+For `corpus mail|group`, you can specify search terms to limit the search.
 * `terms <String>` - [Vault search](https://support.google.com/vault/answer/2474474)

-For `corpus mail`, you can specify time limits on the search:
+For `corpus mail|group`, you can specify time limits on the search:
 * `start|starttime <Date>|<Time>` - The start time range for the search query. These timestamps are in GMT and rounded down to the start of the given date.
 * `end|endtime <Date>|<Time>` - The end time range for the search query. These timestamps are in GMT and rounded down to the start of the given date.

@@ -649,7 +720,8 @@ For `corpus hangouts_chat` you can specify advanced search options:
 * `includerooms False` - Do not include rooms, this is the default
 * `includerooms True` - Include rooms

-For `corpus voice` you can specify the data covered by the hold:
+For `corpus voice` you can specify the data covered by the hold,
+multiple values are allowed.:
 * `covereddata calllogs` - Call logs
 * `covereddata textmessages` - Voice text messages
 * `covereddata voicemail` - Voicemail
@@ -665,7 +737,7 @@ gam update vaulthold|hold <HoldItem> matter <MatterItem>
        [query <QueryVaultCorpus>]
        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
        [includerooms <Boolean>]
-        [covereddata calllogs|textmessages|voicemails]
+        (covereddata calllogs|textmessages|voicemails)*
        [includeshareddrives <Boolean>]
        [showdetails]
 ```
@@ -673,10 +745,10 @@ For a hold with `corpus drive`, you can specify advanced search options:
 * `includeshareddrives False` - Files in shared drives are not included in the hold, this is the default
 * `includeshareddrives True` - Files in shared drives are included in the hold

-For a hold with `corpus mail`, you can specify search terms to limit the search.
+For a hold with `corpus mail|groups`, you can specify search terms to limit the search.
 * `terms <String>` - [Vault search](https://support.google.com/vault/answer/2474474)

-For a hold with `corpus mail`, you can specify time limits on the search:
+For a hold with `corpus mai|groupsl`, you can specify time limits on the search:
 * `start|starttime <Date>|<Time>` - The start time range for the search query. These timestamps are in GMT and rounded down to the start of the given date.
 * `end|endtime <Date>|<Time>` - The end time range for the search query. These timestamps are in GMT and rounded down to the start of the given date.

@@ -684,7 +756,8 @@ For a hold with `corpus hangouts_chat` you can specify advanced search options:
 * `includerooms False` - Do not include rooms, this is the default
 * `includerooms True` - Include rooms

-For a hold with `corpus voice` you can specify the data covered by the hold:
+For a hold with `corpus voice` you can specify the data covered by the hold,
+multiple values are allowed.:
 * `covereddata calllogs` - Call logs
 * `covereddata textmessages` - Voice text messages
 * `covereddata voicemail` - Voicemail
@@ -752,6 +825,67 @@ gam <UserTypeEntity> show vaultholds|holds
 ```

 ## Vault Saved Queries
+## Create Vault Saved Queries
+```
+gam create vaultquery <MatterItem> [name <String>]
+        corpus calendar|drive|gemini|groups|hangouts_chat|mail|voice
+        [scope all_data|held_data|unprocessed_data]
+        (accounts <EmailAddressEntity>) | (orgunit|org|ou <OrgUnitPath>) | everyone
+        (documentids  (<DriveFileIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
+        (sitesurl (<URLList>||(select <FileSelector>|<CSVFileSelector>)))
+        [driveversiondate <Date>|<Time>]
+        [includerooms <Boolean>]
+        (rooms (<ChatSpaceList>|(select <FileSelector>|<CSVFileSelector>))) |
+        [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
+        [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
+        [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
+        (covereddata calllogs|textmessages|voicemails)*
+        [<JSONData>]
+        [shownames]
+        [showdetails|returnidonly|formatjson]
+```
+
+If `name <String>` is omitted, the query is named `GAM <corpus> Query - <Time>`
+
+The `shownames` argument controls whether org unit and shared drive names are displayed in queries; additional API calls are required to get the names.
+
+See: [Vault Query options](#vault-query-options)
+
+Use the `showdetails` option to have the full details of the saved query displayed.
+
+Use the `returnidonly` option to have only the saved query ID displayed.
+
+Use the `formatjson` option to have only the saved query JSON displayed.
+
+## Copy Vault Saved Queries
+```
+gam copy vaultquery <MatterItem> <QueryItem> [targetmatter <MatterItem>] [name <String>]
+        [shownames]
+        [showdetails|returnidonly|formatjson]
+```
+
+If `targetmatter <MatterItem>` is omitted, the query is copied in the source matter.
+
+If `name <String>` is omitted:
+* `targetmatter <MatterItem>` specified - The copied query has the same name as the source query
+* `targetmatter <MatterItem>` omitted - The copied query is named `Copy of Source Query name`
+
+The `shownames` argument controls whether org unit and shared drive names are displayed in queries; additional API calls are required to get the names.
+
+Use the `showdetails` option to have the full details of the saved query displayed.
+
+Use the `returnidonly` option to have only the saved query ID displayed.
+
+Use the `formatjson` option to have only the saved query JSON displayed.
+
+## Delete Vault Saved Queries
+```
+gam delete vaultquery <QueryItem> matter <MatterItem>
+gam delete vaultquery <MatterItem> <QueryItem>
+```
+
 ## Display Vault Saved Queries
 ```
 gam info vaultquery <QueryItem> matter <MatterItem>
@@ -791,10 +925,9 @@ Select fields to display:

 The `shownames` argument controls whether org unit and shared drive names are displayed in queries; additional API calls are required to get the names.

-# Takeout
-Many thanks to Jay for these commands and documentation.
+## Takeout

-GAM 6.42.00 and newer support copying and downloading Google Cloud Storage (GCS) buckets generated by [organization-wide Takeout](https://support.google.com/a/answer/100458?hl=en).
+GAM supports copying and downloading Google Cloud Storage (GCS) buckets generated by [organization-wide Takeout](https://support.google.com/a/answer/100458?hl=en).
 Once the Takeout completes you need to copy the name of the GCS bucket and provide it to GAM.

 ## Copy a Takeout Bucket
--- a/wiki/Version-and-Help.md
+++ b/wiki/Version-and-Help.md
@@ -3,10 +3,10 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.22.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.28.05 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.7 64-bit final
-macOS Sequoia 15.7 x86_64
+Python 3.14.0 64-bit final
+macOS Tahoe 26.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -15,10 +15,10 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.22.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.28.05 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.7 64-bit final
-macOS Sequoia 15.7 x86_64
+Python 3.14.0 64-bit final
+macOS Tahoe 26.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
@@ -27,10 +27,10 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.22.03 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.28.05 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.7 64-bit final
-macOS Sequoia 15.7 x86_64
+Python 3.14.0 64-bit final
+macOS Tahoe 26.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
@@ -68,7 +68,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
  Current: 5.35.08
-   Latest: 7.22.00
+   Latest: 7.28.05
 echo $?
 1
 ```
@@ -76,7 +76,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.22.00
+7.28.05
 ```
 In Linux/MacOS you can do:
 ```
@@ -86,10 +86,10 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.22.00 - https://github.com/GAM-team/GAM
+GAM 7.28.05 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.7 64-bit final
-macOS Sequoia 15.7 x86_64
+Python 3.14.0 64-bit final
+macOS Tahoe 26.1 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
--- a/wiki/_Sidebar.md
+++ b/wiki/_Sidebar.md
@@ -75,6 +75,7 @@ Client Access
 * [Calendars - Events](Calendars-Events)
 * [Chrome Auto Update Expiration Counts](Chrome-AUE-Counts)
 * [Chrome Browser Cloud Management](Chrome-Browser-Cloud-Management)
+* [Chrome Device Counts](Chrome-Device-Counts)
 * [Chrome Device Needs Attention Counts](Chrome-Needs-Attention-Counts)
 * [Chrome Installed Apps](Chrome-Installed-Apps)
 * [Chrome Policies](Chrome-Policies)
--- a/wiki/foo.lst
+++ b/wiki/foo.lst
@@ -0,0 +1 @@
+ChromeOS-Devices.md Classroom-Courses.md Classroom-Membership.md Classroom-StudentGroups.md Cloud-Identity-Devices.md Cloud-Identity-Groups.md Domains.md GamUpdates.md Groups.md Mobile-Devices.md Organizational-Units.md Resources.md Shared-Drives.md Users-Shared-Drives.md Users.md
--- a/wiki/gam.cfg.md
+++ b/wiki/gam.cfg.md
@@ -109,6 +109,11 @@ charset
        Character set of gam batch, gam csv, gam loop files.
        Default: utf-8
        Environment variable: GAM_CHARSET
+chat_max_results
+        When retrieving lists of Chat items from API,
+        how many should be retrieved in each API call
+        Default: 100
+        Range: 1 - 1000
 classroom_max_results
        When retrieving lists of Google Classroom items from API,
        how many should be retrieved in each API call
@@ -135,6 +140,11 @@ cmdlog_max_kilo_bytes
        Maximum kilobytes per log file
        Default: 1000
        Range: 100 - 10000
+commanddata_clientaccess
+        Enable/disable use of client access rather than service account access for the
+        admin specified in `gam oauth create` when reading command data from Docs and Sheets
+        to which it has access.
+        Default: False
 config_dir
        GAM config directory containing client_secrets.json, oauth2.txt, oauth2service.json
        and extra_args.txt
@@ -293,6 +303,9 @@ debug_level
        If debug_level > 0, turn on API debugging output.
        Default: 0
        Signal file: OldGamPath/debug.gam
+debug_redaction
+        Enable/disable redaction of sensitive data from API debugging output
+        Default: True
 device_max_results
        When retrieving lists of ChromeOS devices from API,
        how many should be retrieved in each API call
				`@@ -0,0 +1 @@`
				`ChromeOS-Devices.md Classroom-Courses.md Classroom-Membership.md Classroom-StudentGroups.md Cloud-Identity-Devices.md Cloud-Identity-Groups.md Domains.md GamUpdates.md Groups.md Mobile-Devices.md Organizational-Units.md Resources.md Shared-Drives.md Users-Shared-Drives.md Users.md`