Merge branch 'main' of https://github.com/GAM-team/GAM

Added updateprimaryemail <RegularExpression> <EmailReplacement> option to update [ci]group
Update build.yml
2026-06-09 16:51:36 +00:00 · 2026-04-02 18:13:32 -07:00 · 2026-04-02 18:13:27 -07:00 · 2026-04-02 16:09:30 -04:00 · 2026-04-02 16:06:16 -04:00 · 2026-04-01 17:14:07 -07:00
42 changed files with 2083 additions and 755 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,7 +23,7 @@ defaults:

 env:
  SCRATCH_COUNTER: 14
-  OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
+  OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0 no-docs no-ssl3 no-tls1 no-tls1_1 no-dtls no-comp no-srp no-psk no-engine no-dynamic-engine no-nextprotoneg no-weak-ssl-ciphers no-idea no-seed no-camellia no-sm2 no-sm3 no-sm4 no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-cast no-des no-shared no-tests -O3
  OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
  OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
  PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
@@ -126,15 +126,21 @@ jobs:
            name: Test Python 3.12
          - os: ubuntu-24.04
            goal: test
-            python: "3.15-dev"
+            python: "3.13"
            freethreaded: false
            jid: 18
+            name: Test Python 3.13
+          - os: ubuntu-24.04
+            goal: test
+            python: "3.15-dev"
+            freethreaded: false
+            jid: 19
            name: Test Python 3.15-dev
          - os: ubuntu-24.04
            goal: test
            python: "3.14"
            freethreaded: true
-            jid: 19
+            jid: 20
            name: Test Python 3.14 freethread

    steps:
@@ -150,6 +156,7 @@ jobs:
        with:
          workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
          service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
+          access_token_scopes: https://www.googleapis.com/auth/iam

      - name: Cache multiple paths
        if: matrix.goal == 'build'
@@ -158,7 +165,7 @@ jobs:
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20260227
+          key: gam-${{ matrix.jid }}-20260323

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -256,7 +263,7 @@ jobs:
        with:
          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
-
+      
      - name: Windows Configure VCode
        uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
        if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -271,6 +278,8 @@ jobs:
          echo "We are running on ${RUNNER_OS}"
          LD_LIBRARY_PATH="${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib:/usr/local/lib"
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
+            export CFLAGS="-O3 -pipe"
+            export LDFLAGS="-Wl,-dead_strip"
            MAKE=make
            MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
            PERL=perl
@@ -279,6 +288,8 @@ jobs:
            echo "We are running on and targetting MacOS ${MACOSX_DEPLOYMENT_TARGET}"
            echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
+            export CFLAGS="-O3 -pipe"
+            export LDFLAGS="-Wl,--strip-all"
            MAKE=make
            MAKEOPT="-j$(nproc)"
            PERL=perl
@@ -296,14 +307,17 @@ jobs:
            fi
            PYEXTERNALS_PATH=$(cygpath -u "${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_ARCH}")
            LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYEXTERNALS_PATH}"
-            echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_ARCH}/python.exe" >> $GITHUB_ENV
+            echo "PYTHON=${PYTHON_INSTALL_PATH}\python.exe" >> $GITHUB_ENV
            echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
+            echo "PS_PYTHON_INSTALL_PATH=$(cygpath -w $PYTHON_INSTALL_PATH)" >> $GITHUB_ENV
          fi
          echo "We'll run make with: ${MAKEOPT}"
          echo "staticx=${staticx}" >> $GITHUB_ENV
          echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" >> $GITHUB_ENV
          echo "MAKE=${MAKE}" >> $GITHUB_ENV
          echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
+          echo "CFLAGS=${CFLAGS}" >> $GITHUB_ENV
+          echo "LDFLAGS=${LDFLAGS}" >> $GITHUB_ENV
          echo "PERL=${PERL}" >> $GITHUB_ENV
          echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV

@@ -328,10 +342,6 @@ jobs:
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
          cd "${OPENSSL_SOURCE_PATH}"
-          #if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
-            # https://github.com/openssl/openssl/issues/26239
-            export CFLAGS=-DNO_INTERLOCKEDOR64
-          #fi
          # --libdir=lib is needed so Python can find OpenSSL libraries
          "${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS

@@ -345,10 +355,6 @@ jobs:
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        run: |
          cd "${OPENSSL_SOURCE_PATH}"
-          # TODO: remove this once https://github.com/openssl/openssl/issues/26239 is fixed.
-          if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
-            export CFLAGS=-DNO_INTERLOCKEDOR64
-          fi
          $MAKE "$MAKEOPT"

      - name: Install OpenSSL
@@ -357,20 +363,23 @@ jobs:
          cd "${OPENSSL_SOURCE_PATH}"
          # install_sw saves us ages processing man pages :-)
          $MAKE install_sw
+          #if [[ "${RUNNER_OS}" != "Windows" ]]; then
+          #  echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+          #fi
+          #echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
+          #case $RUNNER_ARCH in
+          #  X64)
+          #    echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
+          #    echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
+          #    ;;
+          #  ARM64)
+          #    echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
+          #    echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
+          #    ;;
+          #esac
          if [[ "${RUNNER_OS}" != "Windows" ]]; then
-            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+            strip "${OPENSSL_INSTALL_PATH}/bin/openssl"
          fi
-          echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
-          case $RUNNER_ARCH in
-            X64)
-              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
-              echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
-              ;;
-            ARM64)
-              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
-              echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
-              ;;
-          esac

      - name: Run OpenSSL
        if: matrix.goal == 'build'
@@ -398,7 +407,9 @@ jobs:
                      --enable-shared \
                      --with-ensurepip=upgrade \
                      --enable-optimizations \
-                      --with-lto || : # exit 0
+                      --with-lto \
+                      --disable-test-modules \
+                      --without-doc-strings || : # exit 0
          cat config.log

      - name: Windows Get External Python deps
@@ -440,22 +451,27 @@ jobs:
          pip install --upgrade sphinx
          sphinx-build --version

-      - name: Windows Config/Build Python
+      - name: Windows Config/Build/Install Python
        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        shell: powershell
        run: |
          cd "${env:PYTHON_SOURCE_PATH}"
-          # We need out custom openssl.props which uses OpenSSL 3 DLL names
+          # We need our custom openssl.props which uses OpenSSL 3 DLL names
          Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\ -Verbose
+          # We need our custom _hashlib.vcxproj
+          Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\_hashlib.vcxproj" -Destination PCBuild\ -Verbose
          if (${env:RUNNER_ARCH} -eq "X64") {
            $env:arch = "x64"
-            PCBuild\build.bat -c Release -p $env:arch --pgo
+            #PCBuild\build.bat -c Release -p $env:arch --pgo
          } elseif (${env:RUNNER_ARCH} -eq "ARM64") {
            $env:arch =  "ARM64"
            # TODO: figure out why Windows ARM64 isn't compat with PGO optimiazation
            # causes 10-20% slowdown in Python
-            PCBuild\build.bat -c Release -p $env:arch
+            #PCBuild\build.bat -c Release -p $env:arch
          }
+          PCBuild\build.bat -c Release -p $env:arch --pgo
+          .\python.bat PC\layout --precompile --preset-default --copy $env:PS_PYTHON_INSTALL_PATH
+          Get-ChildItem -Path $env:PS_PYTHON_INSTALL_PATH -File

      - name: Mac/Linux Build Python
        if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -470,6 +486,7 @@ jobs:
          cd "${PYTHON_SOURCE_PATH}"
          $MAKE altinstall
          $MAKE bininstall
+          strip "${PYTHON_INSTALL_PATH}/bin/python3"
          export PATH="${PATH}:${PYTHON_INSTALL_PATH}/bin"
          echo "PATH=${PATH}" >> $GITHUB_ENV
          echo "PATH: ${PATH}"
@@ -537,18 +554,19 @@ jobs:
      - name: Install PyInstaller
        if: matrix.goal == 'build'
        run: |
-          git clone https://github.com/pyinstaller/pyinstaller.git
-          cd pyinstaller
-          export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
-          git checkout "${latest_release}"
+          #git clone https://github.com/pyinstaller/pyinstaller.git
+          #cd pyinstaller
+          #export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
+          #git checkout "${latest_release}"
          # git checkout "v6.9.0"
          # remove pre-compiled bootloaders so we fail if bootloader compile fails
-          rm -rvf PyInstaller/bootloader/*-*/*
-          cd bootloader
-          "${PYTHON}" ./waf all
-          cd ..
-          echo "---- Installing PyInstaller ----"
-          "${PYTHON}" -m pip install .
+          #rm -rvf PyInstaller/bootloader/*-*/*
+          #cd bootloader
+          #"${PYTHON}" ./waf all
+          #cd ..
+          #echo "---- Installing PyInstaller ----"
+          #"${PYTHON}" -m pip install .
+          "$PYTHON" -m pip install --upgrade pyinstaller

      - name: Build GAM with PyInstaller
        if: matrix.goal != 'test'
@@ -661,28 +679,27 @@ jobs:
          echo "GAM Version ${GAMVERSION}"
          echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV

-      - name: Install WinAppDriver
+      - name: Initialize Windows Desktop Shell
+        if: runner.os == 'Windows'
+        shell: pwsh
+        run: |
+          Write-Host "Checking for Windows Explorer shell..."
+          if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
+              Write-Host "Explorer not found. Booting the desktop shell..."
+              Start-Process explorer.exe
+              # Give the desktop a few seconds to fully render the taskbar
+              Start-Sleep -Seconds 10 
+          } else {
+              Write-Host "Explorer is already running."
+          }
+
+      - name: Install NPM deps
        if: runner.os == 'Windows'
        run: |
-          choco install -y winappdriver
-
-      - name: Enabled dev mode for WinAppDriver
-        if: runner.os == 'Windows'
-        shell: cmd
-        run : |
-         reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"
-
-      - name: Install appium and totp tools
-        if: runner.os == 'Windows'
-        run: |
-          echo "Installing appium..."
-          npm install -g appium
+          #echo "Installing appium..."
+          #npm install -g appium
          echo "Installing totp-generator..."
-          npm install "totp-generator"
-          echo "Installing wdio..."
-          npm install @wdio/cli
-          echo "Installing appium win driver..."
-          appium driver install windows
+          npm install totp-generator

      - name: Install Certum MSI
        if: runner.os == 'Windows'
@@ -704,18 +721,21 @@ jobs:
        env:
          TOTP_SECRET: ${{ secrets.TOTP_SECRET }}
        run: |
-          # disable win private firewall that interferes with appium server
-          Set-NetFirewallProfile -Profile Private -Enabled False
-          $appiumCmd = Get-Command appium
-          $appiumPath = $appiumCmd.Path
-          Start-Process -Filepath "powershell.exe" -ArgumentList "-File", $appiumPath, "--address", "127.0.0.1", "--log-level", "error"
-          Start-Sleep -Seconds 10
-          write-host "appium started"
          write-host "running SimplySignDesktop login..."
          node tools/ssd.mjs --log-level warn
          write-host "sleeping during login..."
          Start-Sleep 10

+      - name: Archive png artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # 7.0.0
+        if: runner.os == 'Windows'
+        with:
+          archive: true
+          name: images-${{ matrix.os }}
+          if-no-files-found: ignore
+          path: |
+            *.png
+
      - name: Sign gam.exe
        if: runner.os == 'Windows'
        shell: pwsh
@@ -758,11 +778,6 @@ jobs:
          echo "GAM Archive ${GAM_ARCHIVE}"
          tar -C "${gampath}/.." --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam7

-      - name: Install Wix on Win ARM64
-        if: runner.os == 'Windows' && runner.arch == 'ARM64'
-        run: |
-          choco install wixtoolset
-
      - name: Windows package zip
        if: runner.os == 'Windows' && matrix.goal != 'test'
        run: |
@@ -772,33 +787,15 @@ jobs:
          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.zip"
          /c/Program\ Files/7-Zip/7z.exe a -tzip "$GAM_ARCHIVE" gam7 "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3

-      - name: Windows package MSI
+      - name: Windows package exe with Inno Setup
        if: runner.os == 'Windows' && matrix.goal != 'test'
        run: |
-          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${arch}.msi"
-          # auto-generate a lib.wxs based on the files PyInstaller created for the lib/ directory
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/heat.exe dir "${gampath}/lib" -ke -srd -cg Lib -gg -dr lib -directoryid lib -out lib.wxs
-          $PYTHON tools/gen-wix-xml-filelist.py lib.wxs
-          echo "-- begin lib.wxs --"
-          cat lib.wxs
-          echo "-- end lib.wxs --"
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs lib.wxs
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj lib.wixobj -b "${gampath}/lib" -o "$MSI_FILENAME" || true;
-          rm -v -f *.wixpdb
-          rm -v -f *.wixobj
-          echo "MSI_FILENAME=${MSI_FILENAME}" >> $GITHUB_ENV
-
-      - name: Sign GAM MSI
-        if: runner.os == 'Windows'
-        shell: pwsh
-        run: |
-          write-Host "Signing ${env:MSI_FILENAME}...."
-          # Always explicitely use x64 version os signtool.exe, arm64 version apparently can't
-          # see Certum certs since SimplySignDesktop is x64-only today.
-          Start-Process -Wait -NoNewWindow -ErrorAction Continue -FilePath 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe'  -ArgumentList "sign", "/sha1", "$env:WINDOWS_CODESIGN_CERT_HASH", "/tr", "http://time.certum.pl", "/td", "SHA256", "/fd", "SHA256", "/v", "$env:MSI_FILENAME"
-          write-Host "Verifying signature of ${env:MSI_FILENAME}...."
-          # verify signature. If we failed to sign we should fail to verify and die.
-          & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe' verify /pa /v "$env:MSI_FILENAME"
+          choco install innosetup
+          export signtool="C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe"
+          iscc \
+            /S"gamsigntool=$signtool sign /sha1 $WINDOWS_CODESIGN_CERT_HASH /tr http://time.certum.pl /td SHA256 /fd SHA256 /v \$f" \
+            /O"$GITHUB_WORKSPACE" \
+            gam.iss

      - name: Attest that gam package files were generated from this Action
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
@@ -807,7 +804,8 @@ jobs:
          subject-path: |
            gam*.tar.xz
            gam*.zip
-            gam*.msi
+            gam*.exe
+        #    gam*.msi

      - name: Archive tar.xz artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # 7.0.0
@@ -827,14 +825,14 @@ jobs:
          path: |
            gam*.zip

-      - name: Archive msi artifacts
+      - name: Archive exe artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # 7.0.0
        if: runner.os == 'Windows'
        with:
          archive: false
          if-no-files-found: ignore
          path: |
-            gam*.msi
+            gam*.exe

      - name: Basic Tests build jobs only
        if: matrix.goal != 'test' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -885,7 +883,7 @@ jobs:
               exit $exit_code # Hard fail the step for unapproved errors
            fi
          }
-          
+
          export gam_user="gam-gha-${JID}@pdl.jaylee.us"
          echo "gam_user=${gam_user}" >> $GITHUB_ENV
          run_gam config customer_id "C03uzfv2s" save
@@ -937,6 +935,8 @@ jobs:
          run_gam csv ./resources.csv gam delete resource ~resourceId
          run_gam config csv_output_row_filter "buildingId:regex:^gha_test_${JID}_" redirect csv ./buildings.csv print buildings
          run_gam csv ./buildings.csv gam delete building ~buildingId
+          run_gam config csv_output_row_filter "displayName:regex:^El\ Goog\ gha_test_${JID}_" redirect csv ./ssoprofiles.csv print inboundssoprofiles
+          run_gam csv ./ssoprofiles.csv gam delete inboundssoprofile "id:~~name~~"

          echo "Creating OrgUnit ${newou}"
          run_gam create ou "${newou}"
@@ -947,14 +947,16 @@ jobs:
          done
          driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
          echo "Created shared drive ${driveid}"
-          run_gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "${newou}"
-          run_gam user $newuser add license workspaceenterpriseplus
+          run_gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password uniquerandom recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "$newou"
          run_gam user $newuser update photo https://dummyimage.com/98x98/000/fff.jpg
          run_gam user $newuser get photo
          run_gam user $newuser delete photo
          run_gam create alias $newalias user $newuser
          run_gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
          run_gam user $gam_user sendemail recipient dev-null@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
+          run_gam user $newuser add license workspaceenterpriseplus
+          run_gam update user $newuser ou root # GAM synonym for / root OU 
+          run_gam update user $newuser ou "$newou"
          run_gam config enable_dasa false save
          # don't expose policy output
          run_gam show policies > policies.csv
@@ -1111,11 +1113,12 @@ jobs:
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        working-directory: ${{ github.workspace }}
        run: |
-          if [[ "${RUNNER_OS}" == "Windows" ]]; then
-            tar_folders="src/cpython/ bin/ssl"
-          else
-            tar_folders="bin/"
-          fi
+          #if [[ "${RUNNER_OS}" == "Windows" ]]; then
+          #  tar_folders="src/cpython/ bin/ssl"
+          #else
+          #  tar_folders="bin/"
+          #fi
+          tar_folders="bin/"
          echo '.git*' > ./excludes.txt
          tar cJvvf cache.tar.xz --exclude-from=excludes.txt $tar_folders

--- a/.github/workflows/get-cacerts.yml
+++ b/.github/workflows/get-cacerts.yml
@@ -1,14 +1,9 @@
 name: Check for Google Root CA Updates

 on:
-  push:
-    paths-ignore:
-      - 'wiki/**'
-  pull_request:
-    paths-ignore:
-      - 'wiki/**'
  schedule:
    - cron: '23 23 * * *'
+  workflow_dispatch:

 defaults:
  run:
@@ -17,9 +12,9 @@ defaults:

 jobs:
  check-certs:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    steps:
-      - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5.0.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal token
          fetch-depth: 0 # otherwise, you will failed to push refs to dest repo
@@ -30,9 +25,51 @@ jobs:
          echo "Current hash is: ${CURRENT_HASH}"
          echo "CURRENT_HASH=${CURRENT_HASH}" >> $GITHUB_ENV

-      - name: Get latest cacerts.pem file from Google
+      - name: Generate GAM-specific bundle with LE + Google roots
        run: |
-          curl -o ./cacerts.pem -vvvv https://pki.goog/roots.pem
+          OUTPUT_FILE="cacerts.pem"
+          > "$OUTPUT_FILE"
+
+          process_cert() {
+            local url="$1"
+            local op_ca="$2"
+            local label="$3"
+            local tmp_cert=$(mktemp)
+            curl "$url" > "$tmp_cert"
+            local issuer=$(openssl x509 -noout -issuer -in "$tmp_cert" | sed -e 's/^issuer= *//')
+            local subject=$(openssl x509 -noout -subject -in "$tmp_cert" | sed -e 's/^subject= *//')
+            local serial_hex=$(openssl x509 -noout -serial -in "$tmp_cert" | sed -e 's/^serial=//')
+            local serial_dec=$(python3 -c "print(int('$serial_hex', 16))")
+            local md5=$(openssl x509 -noout -fingerprint -md5 -in "$tmp_cert" | sed -e 's/.*=//' | tr '[:upper:]' '[:lower:]')
+            local sha1=$(openssl x509 -noout -fingerprint -sha1 -in "$tmp_cert" | sed -e 's/.*=//' | tr '[:upper:]' '[:lower:]')
+            local sha256=$(openssl x509 -noout -fingerprint -sha256 -in "$tmp_cert" | sed -e 's/.*=//' | tr '[:upper:]' '[:lower:]')
+            echo "# Operating CA: $op_ca" >> "$OUTPUT_FILE"
+            echo "# Issuer: $issuer" >> "$OUTPUT_FILE"
+            echo "# Subject: $subject" >> "$OUTPUT_FILE"
+            echo "# Label: \"$label\"" >> "$OUTPUT_FILE"
+            echo "# Serial: $serial_dec" >> "$OUTPUT_FILE"
+            echo "# MD5 Fingerprint: $md5" >> "$OUTPUT_FILE"
+            echo "# SHA1 Fingerprint: $sha1" >> "$OUTPUT_FILE"
+            echo "# SHA256 Fingerprint: $sha256" >> "$OUTPUT_FILE"
+            cat "$tmp_cert" >> "$OUTPUT_FILE"
+            echo "" >> "$OUTPUT_FILE"
+            rm "$tmp_cert"
+            }
+
+          echo "#" >> "$OUTPUT_FILE"
+          echo "# This is a custom certificate authority bundle for GAM" >> "$OUTPUT_FILE"
+          echo "# It's composed of Let's Encrypt Root CAs and Google's" >> "$OUTPUT_FILE"
+          echo "# certificate bundle. This should be the minimal list of" >> "$OUTPUT_FILE"
+          echo "# CAs required to talk to Google and Github." >> "$OUTPUT_FILE"
+          echo"" >> "$OUTPUT_FILE"
+          echo "Processing Let's Encrypt ISRG Root X1..."
+          process_cert "https://letsencrypt.org/certs/isrgrootx1.pem" "Let's Encrypt" "ISRG Root X1"
+          echo "Processing Let's Encrypt ISRG Root X2..."
+          process_cert "https://letsencrypt.org/certs/isrg-root-x2.pem" "Let's Encrypt" "ISRG Root X2"
+
+          echo "Appending Google's roots.pem..."
+          curl -s https://pki.goog/roots.pem >> "$OUTPUT_FILE"
+          echo "Done! The new bundle has been saved to $OUTPUT_FILE."

      - name: Compare hashes
        run: |
@@ -51,6 +88,6 @@ jobs:
          git diff --quiet && git diff --staged --quiet || git commit -am '[ci skip] Updated cacerts.pem'

      - name: Push changes
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@77c5b412c50b723d2a4fbc6d71fb5723bcd439aa
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }} 
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -260,6 +260,7 @@ If an item contains spaces, it should be surrounded by ".
        4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
        8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
        16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
+        aiexpandedaccess | 1010470009 | AI Expanded Access |
        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
        aisecurity | 1010470006 | AI Security |
        appsheetcore | 1010380001 | AppSheet Core |
@@ -278,7 +279,7 @@ If an item contains spaces, it should be surrounded by ".
        gaiproedu | geminiedu | 1010470004 | Google AI Pro for Education |
        geminibiz | 1010470003 | Gemini Business |
        geminiedupremium| 1010470005 | Gemini Education Premium |
-        geminient| duetai | 1010470001 | Gemini Enterprise |
+        geminient| duetai | 1010470001 | Gemini Enterprise - Legacy |
        geminiultra | 1010470008 | Google AI Ultra for Business |
        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
@@ -1429,6 +1430,8 @@ gam print addresses [todrive <ToDriveAttribute>*]

 # Authorization

+gam info gcporgid
+
 gam create gcpfolder <String>
 gam create gcpfolder [admin <EmailAddress>] folder <String>

@@ -2990,6 +2993,8 @@ gam [<UserTypeEntity>] show classificationlabelpermissions <ClassificationLabelN
        (combiningfunction <CAACombiningFunction>) |
        (condition <CAAConditionAttribute>+ endcondition)

+gam info gcporgid
+
 gam create caalevel <String> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)|<JSONData>
 gam update caalevel <CAALevelName> [description <String>] (basic <CAABasicAttribute>+)|(custom <QueryCEL>)|<JSONData>
 gam delete caalevel <CAALevelName>
@@ -3544,6 +3549,10 @@ gam info customer [formatjson]

 gam info instance [formatjson]

+gam info customerid
+
+gam info gcporgid
+
 # Data Transfers

 gam print|show transferapps
@@ -3882,6 +3891,7 @@ gam create|add group <EmailAddress>
        [copyfrom <GroupItem>] <GroupAttribute>*
        [verifynotinvitable]
 gam update group|groups <GroupEntity> [email <EmailAddress>]
+        [updateprimaryemail <RESearchPattern> <RESubstitution>]
        [copyfrom <GroupItem>] <GroupAttribute>*
        [security|makesecuritygroup]
        [admincreated <Boolean>]
@@ -4109,6 +4119,7 @@ gam create cigroup <EmailAddress>
        [security|makesecuritygroup] [locked]
        [dynamic <QueryDynamicGroup>]
 gam update cigroup <GroupEntity> [copyfrom <GroupItem>] <GroupAttribute>
+        [updateprimaryemail <RESearchPattern> <RESubstitution>]
        [security|makesecuritygroup|
         dynamicsecurity|makedynamicsecuritygroup|
         lockedsecurity|makelockedsecuritygroup]
@@ -4335,14 +4346,14 @@ gam update deviceuserstate <DeviceUserEntity> [clientid <String>]
 # Cloud Identity Policies

 gam info policies <CIPolicyNameEntity>
-        [nowarnings] [noappnames]
+        [nowarnings] [noappnames] [noidmappimg]
        [formatjson]
 gam print policies [todrive <ToDriveAttribute>*]
-        [filter <String>] [nowarnings] [noappnames]
+        [filter <String>] [nowarnings] [noappnames] [noidmappimg]
        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
        [formatjson [quotechar <Character>]]
 gam show policies
-        [filter <String>] [nowarnings] [noappnames]
+        [filter <String>] [nowarnings] [noappnames] [noidmappimg]
        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
        [formatjson]

@@ -4662,6 +4673,8 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
        [event|events <EventNameList>] [ip <String>]
        [gmaileventtypes <NumberRangeList>]
        [groupidfilter <String>] [resourcedetailsfilter <String>]
+        [networkinfofilter <String>] [statusfilter <String>]
+        [applicationinfofilter <String>] [includesensitivedata]
        [notimesort]
        [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
        [countsonly [bydate|summary] [eventrowfilter]]
@@ -4926,36 +4939,43 @@ gam print schema|schemas [todrive <ToDriveAttribute>*]
 gam sendemail [recipient|to] <RecipientEntity>
        [from <EmailAddress>] [mailbox <EmailAddress>] [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
-        [subject <String>]
-        [<MessageContent>]
+        [subject <String>] [<MessageContent>] [html [<Boolean>]]
        (replace <Tag> <String>)*
        (replaceregex <RESearchPattern> <RESubstitution> <Tag> <String>)*
-        [html [<Boolean>]] (attach <FileName> [charset <Charset>])*
+        (attach <FileName> [charset <Charset>])*
        (embedimage <FileName> <String>)*
        [newuser <EmailAddress> firstname|givenname <String> lastname|familyname <string> password <Password>]
        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+        [threadid <String>]
 gam <UserTypeEntity> sendemail recipient|to <RecipientEntity>
        [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
-        [subject <String>]
-        [<MessageContent>]
+        [subject <String>] [<MessageContent>] [html [<Boolean>]]
        (replace <Tag> <String>)*
        (replaceregex <RESearchPattern> <RESubstitution> <Tag> <String>)*
-        [html [<Boolean>]] (attach <FileName> [charset <Charset>])*
+        (attach <FileName> [charset <Charset>])*
        (embedimage <FileName> <String>)*
        [newuser <EmailAddress> firstname|givenname <String> lastname|familyname <string> password <Password>]
        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+        [threadid <String>]
 gam <UserTypeEntity> sendemail from <EmailAddress>
        [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
-        [subject <String>]
-        [<MessageContent>]
+        [subject <String>] [<MessageContent>] [html [<Boolean>]]
        (replace <Tag> <String>)*
        (replaceregex <RESearchPattern> <RESubstitution> <Tag> <String>)*
-        [html [<Boolean>]] (attach <FileName> [charset <Charset>])*
+        (attach <FileName> [charset <Charset>])*
        (embedimage <FileName> <String>)*
        [newuser <EmailAddress> firstname|givenname <String> lastname|familyname <string> password <Password>]
        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+        [threadid <String>]
+gam <UserTypeEntity> sendreply
+        (((query <QueryGmail> [querytime<String> <Date>]*) [or|and])+) | (ids <MessageIDEntity>)
+        [replyto <EmailAddress>]
+        [subject <String>] [<MessageContent>] [html [<Boolean>]]
+        (attach <FileName> [charset <CharSet>])*
+        (embedimage <FileName> <String>)*
+        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*

 # Shared Drives - Administrator

@@ -5191,7 +5211,6 @@ gam create|add permissions <SharedDriveEntityAdmin> <DriveFilePermissionEntity>
        <PermissionMatch>* [<PermissionMatchAction>]
 gam delete permissions <SharedDriveEntityAdmin> <DriveFilePermissionIDEntity>
        <PermissionMatch>* [<PermissionMatchAction>]
-        [enforceexpansiveaccess [<Boolean>]]

 In these commands, you specify an administrator and then indicate that you want domain administrator access with the adminaccess option.

@@ -5205,11 +5224,9 @@ gam <UserTypeEntity> create|add drivefileacl <SharedDriveEntityAdmin>
        adminaccess
 gam <UserTypeEntity> update drivefileacl <SharedDriveEntityAdmin> <DriveFilePermissionIDorEmail>
        (role <DriveFileACLRole>) [expires|expiration <Time>] [removeexpiration [<Boolean>]]
-        [enforceexpansiveaccess [<Boolean>]]
        [showtitles] [nodetails|(csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]])]
        adminaccess
 gam <UserTypeEntity> delete drivefileacl <SharedDriveEntityAdmin> <DriveFilePermissionIDorEmail>
-        [enforceexpansiveaccess [<Boolean>]]
        [showtitles] adminaccess
 gam <UserTypeEntity> info drivefileacl <SharedDriveEntityAdmin> <DriveFilePermissionIDorEmail> adminaccess
        [showtitles]
@@ -5235,7 +5252,6 @@ gam <UserTypeEntity> create|add permissions <SharedDriveEntityAdmin> <DriveFileP
        <PermissionMatch>* [<PermissionMatchAction>]
 gam <UserTypeEntity> delete permissions <SharedDriveEntityAdmin> <DriveFilePermissionIDEntity> adminaccess
        <PermissionMatch>* [<PermissionMatchAction>]
-        [enforceexpansiveaccess [<Boolean>]]

 In these commands, the Google administrator named in oauth2.txt is used.

@@ -5747,7 +5763,7 @@ gam download storagefile <StorageBucketObjectName>
        (language clear|<LanguageList>)|
        (lastname|familyname <String>)|
        (note clear|([text_html|text_plain] <UserNoteContent))|
-        (ou|org|orgunitpath <OrgUnitPath>|<OrgUnitID>)
+        (ou|org|orgunitpath <OrgUnitPath>|<OrgUnitID>|root)
        (password (random [<Integer>])|(uniquerandom [<Integer>])|
                   blocklogin|
                   prompt|uniqueprompt|
@@ -5803,12 +5819,12 @@ gam download storagefile <StorageBucketObjectName>

 <UserClearAttribute> ::=
        (address clear)|
-        (otheremail clear)|
        (externalid clear)|
        (im clear)|
        (keyword clear)|
        (location clear)|
        (organization clear)|
+        (otheremail clear)|
        (phone clear)|
        (posix clear)|
        (relation clear)|
@@ -5821,6 +5837,18 @@ gam download storagefile <StorageBucketObjectName>
        <UserMultiAttribute>|
        <UserClearAttribute>

+<UserMultiAttributeFilterName> ::=
+        address|addresses|
+        externalid|externalids|
+        im|ims|
+        keyword|keywords|
+        location|locations|
+        orgainzation|organizations|
+        otheremail|otheremails|
+        phone|phones|
+        relation|relations|
+        website|websites
+       
 gam create|add user <EmailAddress> [ignorenullpassword] <UserAttribute>*
        [verifynotinvitable|alwaysevict]
        (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
@@ -5875,6 +5903,8 @@ gam info user [<UserItem>]
        [nolicenses|nolicences|licenses|licences]
        [noschemas|allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [userview] <UserFieldName>* [fields <UserFieldNameList>]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
        [formatjson]

@@ -5911,6 +5941,8 @@ gam info users <UserTypeEntity>
        [nolicenses|nolicences|licenses|licences]
        [noschemas|allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [userview] <UserFieldName>* [fields <UserFieldNameList>]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
        [formatjson]

@@ -5947,6 +5979,8 @@ gam <UserTypeEntity> info users
        [nolicenses|nolicences|licenses|licences]
        [noschemas|allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [userview] <UserFieldName>* [fields <UserFieldNameList>]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
        [formatjson]

@@ -5966,6 +6000,8 @@ gam print users [todrive <ToDriveAttribute>*]
        [schemas|custom|customschemas all|<SchemaNameList>]
        [emailpart|emailparts|username]
        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
        [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
        [issuspended <Boolean>] [isarchived <Boolean>] [aliasmatchpattern <REMatchPattern>]
@@ -5983,6 +6019,8 @@ gam print users [todrive <ToDriveAttribute>*] select <UserTypeEntity>
        [schemas|custom|customschemas all|<SchemaNameList>]
        [emailpart|emailparts|username]
        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
        [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
        [issuspended <Boolean>] [isarchived <Boolean>] [aliasmatchpattern <REMatchPattern>]
@@ -5998,6 +6036,8 @@ gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
        [schemas|custom|customschemas all|<SchemaNameList>]
        [emailpart|emailparts|username]
        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
        [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
        [issuspended <Boolean>] [isarchived <Boolean>] [aliasmatchpattern <REMatchPattern>]
@@ -6490,7 +6530,8 @@ gam <UserTypeEntity> create chatspace
        [description <String>] [guidelines <String>]
        [history <Boolean>]
        [<ChatContent>]
-        [formatjson|returnidonly]
+        [(csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*) | formatjson | returnidonly]
+
 gam <UserTypeEntity> update chatspace <ChatSpace>
        [restricted|(audience <String>)]|
        ([displayname <String>]
@@ -6930,7 +6971,6 @@ gam <UserTypeEntity> copy drivefile <DriveFileEntity>
        [sendemailifrequired [<Boolean>]]
        [suppressnotselectedmessages [<Boolean>]]
        [verifyorganizer [<Boolean>]]
-        [enforceexpansiveaccess [<Boolean>]]

 gam <UserTypeEntity> move drivefile <DriveFileEntity> [newfilename <DriveFileName>]
        [summary [<Boolean>]] [showpermissionmessages [<Boolean>]]
@@ -6955,7 +6995,6 @@ gam <UserTypeEntity> move drivefile <DriveFileEntity> [newfilename <DriveFileNam
        [retainsourcefolders [<Boolean>]]
        [sendemailifrequired [<Boolean>]]
        [verifyorganizer [<Boolean>]]
-        [enforceexpansiveaccess [<Boolean>]]

 gam <UserTypeEntity> get document <DriveFileEntity>
        [viewmode default|suggestions_inline|preview_suggestions_accepted|preview_without_suggestions]
@@ -7062,10 +7101,10 @@ gam <UserTypeEntity> create|add drivefileacl <DriveFileEntity> [adminaccess|asad
        [showtitles] [nodetails|(csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]])]
 gam <UserTypeEntity> update drivefileacl <DriveFileEntity> <DriveFilePermissionIDorEmail>
        (role <DriveFileACLRole>) [expires|expiration <Time>] [removeexpiration [<Boolean>]]
-        [updatesheetprotectedranges [<Boolean>]] [enforceexpansiveaccess [<Boolean>]]
+        [updatesheetprotectedranges [<Boolean>]]
        [showtitles] [nodetails|(csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]])]
 gam <UserTypeEntity> delete drivefileacl <DriveFileEntity> <DriveFilePermissionIDorEmail>
-        [updatesheetprotectedranges [<Boolean>]] [enforceexpansiveaccess [<Boolean>]]
+        [updatesheetprotectedranges [<Boolean>]]
        [showtitles]
 gam <UserTypeEntity> info drivefileacl <DriveFileEntity> <DriveFilePermissionIDorEmail>
        [showtitles]
@@ -7189,7 +7228,6 @@ gam <UserTypeEntity> print filerevisions <DriveFileEntity> [todrive <ToDriveAttr

 gam <UserTypeEntity> transfer ownership <DriveFileEntity> <UserItem>
        [<DriveFileParentAttribute>] [includetrashed] [norecursion [<Boolean>]]
-        [enforceexpansiveaccess [<Boolean>]]
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [preview] [filepath] [pathdelimiter <Character>] [buildtree]
        [todrive <ToDriveAttribute>*]
@@ -7198,7 +7236,6 @@ gam <UserTypeEntity> claim ownership <DriveFileEntity>
        [skipids <DriveFileEntity>] [onlyusers|skipusers <UserTypeEntity>] [subdomains <DomainNameEntity>]
        [restricted [<Boolean>]] [writerscanshare|writerscantshare [<Boolean>]]
        [keepuser | (retainrole commenter|reader|writer|editor|fileorganizer|none)] [noretentionmessages]
-        [enforceexpansiveaccess [<Boolean>]]
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [preview] [filepath] [pathdelimiter <Character>] [buildtree]
        [todrive <ToDriveAttribute>*]
@@ -7206,7 +7243,6 @@ gam <UserTypeEntity> claim ownership <DriveFileEntity>
 gam <UserTypeEntity> transfer drive <UserItem> [select <DriveFileEntity>]
        [(targetfolderid <DriveFolderID>)|(targetfoldername <DriveFolderName>)]
        [targetuserfoldername <DriveFolderName>] [targetuserorphansfoldername <DriveFolderName>]
-        [enforceexpansiveaccess [<Boolean>]]
        [mergewithtarget [<Boolean>]]
        [skipids <DriveFileEntity>]
        [keepuser | (retainrole reader|commenter|writer|editor|fileorganizer|none)] [noretentionmessages]
@@ -7498,7 +7534,7 @@ gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
        [filenamematchpattern <REMatchPattern>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showsizeunits] [showmimetypesize]
        [showlastmodification] [pathdelimiter <Character>]
        (addcsvdata <FieldName> <String>)*
        [summary none|only|plus] [summaryuser <String>]
@@ -7514,7 +7550,7 @@ gam <UserTypeEntity> show filecounts
        [filenamematchpattern <REMatchPattern>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showsizeunits] [showmimetypesize]
        [showlastmodification] [pathdelimiter <Character>]
        [summary none|only|plus] [summaryuser <String>]

@@ -7584,7 +7620,7 @@ gam <UserTypeEntity> print filelist [todrive <ToDriveAttribute>*]
        [excludetrashed]
        [maxfiles <Integer>] [nodataheaders <String>]
        [countsonly [summary none|only|plus] [summaryuser <String>]
-                    [showsource] [showsize] [showmimetypesize]]
+                    [showsource] [showsize] [showsizeunits] [showmimetypesize]]
        [countsrowfilter]
        [filepath|fullpath [folderpathonly [<Boolean>]] [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
        [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
@@ -8881,19 +8917,21 @@ gam <UserTypeEntity> show sheetrange <DriveFileEntity>

 gam <UserTypeEntity> delete tokens clientid <ClientID>

+gam info gcporgid
+
 gam <UserTypeEntity> print tokens|token [todrive <ToDriveAttribute>*] [clientid <ClientID>]
        [usertokencounts|(aggregateusersby|orderby clientid|id|appname|displaytext)]
-        [delimiter <Character>]
+        [delimiter <Character>] [gcpdetails]
 gam <UserTypeEntity> show tokens|token|3lo|oauth [clientid <ClientID>]
        [usertokencounts|(aggregateusersby|orderby clientid|id|appname|displaytext)]
-        [delimiter <Character>]
+        [delimiter <Character>] [gcpdetails]
 gam print tokens|token [todrive <ToDriveAttribute>*] [clientid <ClientID>]
        [usertokencounts|(aggregateusersby|orderby clientid|id|appname|displaytext)]
-        [delimiter <Character>]
+        [delimiter <Character>] [gcpdetails]
        [<UserTypeEntity>]
 gam show tokens|token [clientid <ClientID>]
        [usertokencounts|(aggregateusersby|orderby clientid|id|appname|displaytext)]
-        [delimiter <Character>]
+        [delimiter <Character>] [gcpdetails]
        [<UserTypeEntity>]

 # Users - YouTube
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,202 @@
+7.39.04
+
+Added `updateprimaryemail <RegularExpression> <EmailReplacement>` option to
+`gam update group <GroupEntity>` and `gam update cigroup <GroupEntity>` to allow modifying
+the group's current primary email address.
+For example, to change the domain of a set of groups from the current domain.com to newdomain.com:
+```
+gam update group csvfile Groups.csv:email updateprimaryemail "^(.+)@domain.com$" "\1@newdomain.com"
+```
+
+7.39.03
+
+Added the following options to `gam <UserTypeEntity> create chatspace` that can be used to capture
+space details when creating chat spaces in bulk.
+```
+csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*
+```
+
+See: https://github.com/GAM-team/GAM/wiki/Users-Chat#bulk-build-chat-spaces
+
+7.39.02
+
+Fixed progress messages for `gam <UserTypeEntity> print filelist` when permissions were being
+displayed/matched for Shared Drives.
+
+7.39.01
+
+Updated `gam <UserTypeEntity> transfer drive <UserItem>` to handle the following error:
+```
+ERROR: 403: cannotDeletePermission - The authenticated user cannot delete the permission.
+```
+
+7.39.00
+
+Deleted variable `enforce_expansive_access` from `gam.cfg` and removed option `enforceexpansiveaccess`
+from the following commands as expansive access is now always enforced by Google on My Drives.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+```
+
+7.38.02
+
+Added license SKU `1010470009` for `AI Expanded Access`; abbreviation `aiexpandedaccess`.
+
+Renamed license SKU `1010470001` from `Gemini Enterprise` to `Gemini Enterprise - Legacy`.
+
+7.38.01
+
+Added `root` as a synonym for '/' in command line arguments that specify an OU.
+This is to avoid issues where a stand-alone `/` on the command line may be mis-interpreted
+by the command line interpreter as a reference to the file system root.
+
+7.38.00
+
+Added variable `gcp_org_id` to `gam.cfg` that is used by the following commands;
+by setting the value, additional API calls are eliminated.
+```
+gam create project
+gam create gcpfolder
+gam create|update|delete caalevel
+gam print|show caalevels
+gam print|show tokens gcpdetails
+```
+You can get and set the `gam.cfg/gcp_org_id` value with these commands:
+```
+$ gam info gcporgid             
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
+You can get and set the `gam.cfg/customer_id` value with these commands:
+```
+$ gam info customerid             
+C78abc9de
+$ gam config customer_id C78abc9de save
+```
+
+Added the following options to `gam report <ActivityApplicationName>`.
+```
+applicationinfofilter <String>
+networkinfofilter <String>
+statusfilter <String>
+includesensitivedata
+```
+
+7.37.00
+
+Added new client access scopes used by `gam print tokens`.
+```
+[*] 52)  Resource Manager API - Organizations readonly
+[*] 53)  Resource Manager API - Projects readonly
+```
+
+Added option `gcpdetails` to `gam print tokens` that uses these scopes to get additional project information.
+
+7.36.03
+
+Added command to send email replies that causes Gmail to recognize the message
+in conversation mode for the user sending the reply and the user receiving the reply;
+GAM supplies the necessary headers and options.
+```
+gam <UserTypeEntity> sendreply
+        (((query <QueryGmail> [querytime<String> <Date>]*) [or|and])+) | (ids <MessageIDEntity>)
+        [replyto <EmailAddress>]
+        [subject <String>] [<MessageContent>] [html [<Boolean>]]
+        (attach <FileName> [charset <CharSet>])*
+        (embedimage <FileName> <String>)*
+        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+
+gam user user@domain.com sendreply query "rfc822MsgId:<CAAMmEdqj43...1OsQ@mail.gmail.com>" textmessage "Thanks for the information"
+gam user user@domain.com sendreply ids 19cfc3506c02c22b textmessage "Thanks for the information"
+```
+
+* See: https://github.com/GAM-team/GAM/wiki/Send-Email#conversation-mode
+
+7.36.02
+
+Added option `threadid <String>` to `gam [<UserTypeEntity>] sendemail` that causes Gmail to recognize the message
+in conversation mode in for the user sending the message.
+
+* See: https://github.com/GAM-team/GAM/wiki/Send-Email#conversation-mode
+
+7.36.01
+
+Fixed bug in `gam info|print|show policies` where the `policyQuery/query` field was not displayed.
+
+Added option `noidmapping` to `gam info|print|show policies` to suppress adding the `policyQuery/groupEmail` and
+`policyQuery/orgUnitPath` name fields that are mapped from the `policyQuery/group` and `policyQuery/orgInit` id fields.
+
+7.36.00
+
+Added options `filtermultiattrtype` and filtermultiattrcustom` to `gam info user` and
+`gam print users` that support filtering `<UserMultiAttribute>` display based on `type` or `customType`.
+
+```
+<UserMultiAttributeFilterName> ::=
+        address|addresses|
+        externalid|externalids|
+        im|ims|
+        keyword|keywords|
+        location|locations|
+        orgainzation|organizations|
+        otheremail|otheremails|
+        phone|phones|
+        relation|relations|
+        website|websites
+```
+
+* `filtermultiattrtype <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `type` is `<String>`
+* `filtermultiattrcustom <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `customType` is `<String>`
+
+```
+gam info user user@domain.com quick filtermultiattrtype organizations work filtermultiattrcustom phones private
+```
+
+7.35.03
+
+Updated `gam <UserTypeEntity> print filelist|filecounts` to handle options `showsize` and `showsizeunits` as independent options.
+* `showsize` - Display a column `Size` with a byte count
+* `showsizeunits` - Display a column `SizeUnits` with a formatted size with units
+
+If you select both options, you can sort multiple rows using the `Size` column.
+
+7.35.02
+
+Added option `showsizeunits` to `gam gam <UserTypeEntity> print filelist|filecounts` as an alternative to option `showsize`.
+* `showsize` - 31549200951 - This is a byte count
+* `showsizeunits` - 31.55 GB - This is as shown in the Admin console
+
+7.35.01
+
+The following commands have been updated to not verify the existence of `gam.cfg` credentials files
+as the WARNING messages about the missing files can be confusing to new users setting up GAM.
+```
+gam checkconn
+gam oauth|oauth2
+gam version
+```
+
+7.35.00
+
+Windows `gam-7.wx.yz-x86_64.msi` has been replaced with `gam-7.wx.yz-x86_64.exe`.
+
+Windows `gam-7.wx.yz-arm64.msi` has been replaced with `gam-7.wx.yz-arm64.exe`.
+
+Updated cacerts.pem to avoid to following error in `gam checkconn`.
+```
+Checking raw.githubusercontent.com (185.199.110.133) (2)...                                         ERROR
+    Certificate verification failed. If you are behind a firewall / proxy server that does TLS / SSL inspection you may need to point GAM at your certificate authority file by setting cacerts_pem = /path/to/your/certauth.pem in gam.cfg.
+```
+
+If you have customized cacerts.pem, update your version with the `Operating CA: Let's Encrypt` values from the GAM default version.
+
 7.34.13

 Fixed bug in `gam info policies <CIPolicyNameEntity> ... formatjson` where extraneous line
@@ -6483,7 +6682,7 @@ This addresses the following issue:
 Updated `gam <UserTypeEntity> add|delete|update|print|show datastudiopermissions` to display an appropriate
 error message, `The caller does not have permission`, when the user doesn't have permission to execute the command.
 Previously, the following incorrect error message was displayed:
-`ERROR: Data Studio API not enabled. Please run "gam update project" and "gam user user@domain.com check serviceaccount"`
+`ERROR: Data Studio API not enabled. Please run "gam update project" and "gam user user@domain.com update serviceaccount"`

 6.26.14

@@ -6765,7 +6964,7 @@ and display drive labels on files. Please test/experiment and report any issues.
 To use these commands you must add the 'Drive Labels API' to your project and update your service account authorization.
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
 Supported editions for this feature: Business Standard and Business Plus; Enterprise; Education Standard and Education Plus; G Suite Business; Essentials.

@@ -6963,7 +7162,7 @@ ERROR: 403: permissionDenied - Google Forms API has not been used in project XXX
 ```
 is replaced with
 ```
-ERROR: Forms API not enabled. Please run "gam update project" and "gam user user@domain.com check serviceaccount"
+ERROR: Forms API not enabled. Please run "gam update project" and "gam user user@domain.com update serviceaccount"
 ```

 6.23.00
@@ -9321,7 +9520,7 @@ To use this feature you must add the `People API` to your project and authorize
 * `People API - Other Contacts - read only`: https://www.googleapis.com/auth/contacts.other.readonly
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```

 Added commands to display user's contact groups using the People API.
@@ -9362,7 +9561,7 @@ To use these features you must add the `People API` to your project and authoriz
 ```
 gam update project
 gam oauth create
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```

 Following Jay's lead, added new license SKU `Cloud Search`.
@@ -9401,7 +9600,7 @@ Added commands to display Data Studio assets and display/manage Data Studio perm
 To use these commands you must add the `Data Studio API` to your project and update your service account authorization.
 ```
 gam update project
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```
 This is a first release from me, experiment and use with caution.

@@ -10444,7 +10643,7 @@ Added commands to support the new Device Management API.

 To use these commands you must update your service account authorization.
 ```
-gam user user@domain.com check serviceaccount
+gam user user@domain.com update serviceaccount
 ```

 In the following places a Google Admin email address is required; by default the admin email address in `oauth2.txt` is used.
--- a/src/gam.iss
+++ b/src/gam.iss
@@ -0,0 +1,116 @@
+; --- 1. PREPROCESSOR DEFINITIONS ---
+#define AppVersion GetEnv("GAMVERSION")
+#if AppVersion == ""
+  #define AppVersion "7.0.0" 
+#endif
+
+; Pull architecture directly from GitHub Actions environment variable
+#define RunnerArch GetEnv("RUNNER_ARCH")
+
+[Setup]
+; --- 2. CORE APPLICATION INFO ---
+AppId={{D86B52B2-EFE9-4F9D-8BA3-9D84B9B2D319}
+AppName=GAM7
+AppVersion={#AppVersion}
+AppPublisher=GAM Team - google-apps-manager@googlegroups.com
+DefaultDirName={sd}\GAM7
+LicenseFile=dist\gam\gam7\LICENSE
+PrivilegesRequired=admin
+ChangesEnvironment=yes
+
+; Tell Inno Setup to use a custom signtool defined via the command line
+SignTool=gamsigntool
+
+; --- 3. COMPRESSION & OPTIMIZATION ---
+Compression=lzma2/ultra64
+SolidCompression=yes
+
+; --- 4. DYNAMIC ARCHITECTURE CONFIGURATION ---
+; GitHub Actions RUNNER_ARCH is typically uppercase "ARM64" or "X64"
+#if RunnerArch == "ARM64" || RunnerArch == "arm64"
+  ArchitecturesAllowed=arm64
+  ArchitecturesInstallIn64BitMode=arm64
+  OutputBaseFilename=gam-{#AppVersion}-windows-arm64
+#else
+  ArchitecturesAllowed=x64compatible
+  ArchitecturesInstallIn64BitMode=x64compatible
+  OutputBaseFilename=gam-{#AppVersion}-windows-x86_64
+#endif
+
+[Messages]
+; Custom error if an admin tries to run the ARM64 installer on an Intel machine
+#if RunnerArch == "ARM64" || RunnerArch == "arm64"
+WindowsVersionNotSupported=You downloaded the ARM64 version of GAM, but this computer has an Intel or AMD processor.%n%nPlease go back to the release page and download the x86_64 installer instead.
+#endif
+
+[Files]
+; --- 5. DYNAMIC FILE INCLUSION ---
+Source: "dist\gam\gam7\*"; DestDir: "{app}"; Flags: ignoreversion recursesubdirs createallsubdirs
+
+[Registry]
+; --- 6. PATH ENVIRONMENT VARIABLE ---
+Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; \
+    ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; \
+    Check: NeedsAddPath(ExpandConstant('{app}'))
+
+[Code]
+const
+  ERROR_SUCCESS = 0;
+
+function MsiEnumRelatedProducts(lpUpgradeCode: string; dwReserved: Integer; iProductIndex: Integer; lpProductBuf: string): Integer;
+  external 'MsiEnumRelatedProductsW@msi.dll stdcall';
+
+function UninstallWixMSI(): Boolean;
+var
+  UpgradeCode: string;
+  ProductCode: string;
+  ResultCode: Integer;
+begin
+  UpgradeCode := '{D86B52B2-EFE9-4F9D-8BA3-9D84B9B2D319}';
+  ProductCode := StringOfChar(' ', 39); 
+  
+  ResultCode := MsiEnumRelatedProducts(UpgradeCode, 0, 0, ProductCode);
+  
+  if ResultCode = ERROR_SUCCESS then
+  begin
+    ProductCode := Trim(ProductCode);
+    Exec('msiexec.exe', '/x ' + ProductCode + ' /qn /norestart', '', SW_HIDE, ewWaitUntilTerminated, ResultCode);
+  end;
+  
+  Result := True;
+end;
+
+function InitializeSetup(): Boolean;
+begin
+  // --- Architecture Warning for Emulation ---
+  #if RunnerArch != "ARM64" && RunnerArch != "arm64"
+  if IsArm64() then
+  begin
+    if MsgBox('Notice: You are installing the Intel (x86_64) build of GAM on an ARM processor.' + #13#10#13#10 +
+              'While this will work via Windows emulation, it will perform worse than the native ARM64 version.' + #13#10#13#10 +
+              'Do you want to continue with the installation anyway?', 
+              mbConfirmation, MB_YESNO) = idNo then
+    begin
+      Result := False; 
+      Exit;
+    end;
+  end;
+  #endif
+
+  UninstallWixMSI();
+  Result := True; 
+end;
+
+function NeedsAddPath(Param: string): boolean;
+var
+  OrigPath: string;
+begin
+  if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
+    'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
+    'Path', OrigPath)
+  then begin
+    Result := True;
+    exit;
+  end;
+  Result := Pos(';' + Param + ';', ';' + OrigPath + ';') = 0;
+end;
--- a/src/gam.wxs
+++ b/src/gam.wxs
@@ -8,7 +8,7 @@
      Manufacturer="GAM Team - google-apps-manager@googlegroups.com"
      UpgradeCode="D86B52B2-EFE9-4F9D-8BA3-9D84B9B2D319">
    <Package
-        InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
+        InstallerVersion="500" Compressed="yes" InstallScope="perMachine" />

    <MajorUpgrade
        DowngradeErrorMessage=
--- a/src/gam/init.py
+++ b/src/gam/init.py
--- a/src/gam/cacerts.pem
+++ b/src/gam/cacerts.pem
@@ -1,3 +1,72 @@
+#
+# This is a custom certificate authority bundle for GAM
+# It's composed of Let's Encrypt Root CAs and Google's
+# certificate bundle. This should be the minimal list of
+# CAs required to talk to Google and Github.
+
+# Operating CA: Let's Encrypt
+# Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
+# Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
+# Label: "ISRG Root X1"
+# Serial: 172886928669790476064670243504169061120
+# MD5 Fingerprint: 0c:d2:f9:e0:da:17:73:e9:ed:86:4d:a5:e3:70:e7:4e
+# SHA1 Fingerprint: ca:bd:2a:79:a1:07:6a:31:f2:1d:25:36:35:cb:03:9d:43:29:a5:e8
+# SHA256 Fingerprint: 96:bc:ec:06:26:49:76:f3:74:60:77:9a:cf:28:c5:a7:cf:e8:a3:c0:aa:e1:1a:8f:fc:ee:05:c0:bd:df:08:c6
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
+
+# Operating CA: Let's Encrypt
+# Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X2
+# Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X2
+# Label: "ISRG Root X2"
+# Serial: 87493402998870891108772069816698636114
+# MD5 Fingerprint: d3:9e:c4:1e:23:3c:a6:df:cf:a3:7e:6d:e0:14:e6:e5
+# SHA1 Fingerprint: bd:b1:b9:3c:d5:97:8d:45:c6:26:14:55:f8:db:95:c7:5a:d1:53:af
+# SHA256 Fingerprint: 69:72:9b:8e:15:a8:6e:fc:17:7a:57:af:b7:17:1d:fc:64:ad:d2:8c:2f:ca:8c:f1:50:7e:34:45:3c:cb:14:70
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----
+
 # Operating CA: DigiCert
 # Issuer: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
 # Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
--- a/src/gam/gamlib/glaction.py
+++ b/src/gam/gamlib/glaction.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-

-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2026 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -107,6 +107,7 @@ class GamAction():
  SAVE = 'save'
  SEND = 'send'
  SENDEMAIL = 'snem'
+  SENDREPLY = 'sner'
  SET = 'set '
  SETUP = 'setu'
  SHARE = 'shar'
@@ -225,6 +226,7 @@ class GamAction():
    SAVE: ['Saved', 'Save'],
    SEND: ['Sent', 'Send'],
    SENDEMAIL: ['Email Sent', 'Send Email'],
+    SENDREPLY: ['Reply Sent', 'Send Reply'],
    SET: ['Set', 'Set'],
    SETUP: ['Set Up', 'Set Up'],
    SHARE: ['Shared', 'Share'],
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -54,6 +54,7 @@ CLOUDIDENTITY_POLICY = 'cloudidentitypolicy'
 CLOUDIDENTITY_POLICY_BETA = 'cloudidentitypolicybeta'
 CLOUDIDENTITY_USERINVITATIONS = 'cloudidentityuserinvitations'
 CLOUDRESOURCEMANAGER = 'cloudresourcemanager'
+CLOUDRESOURCEMANAGERV1 = 'cloudresourcemanagerv1'
 CONTACTS = 'contacts'
 CONTACTDELEGATION = 'contactdelegation'
 DATATRANSFER = 'datatransfer'
@@ -103,7 +104,6 @@ TASKS = 'tasks'
 VAULT = 'vault'
 YOUTUBE = 'youtube'
 #
-BUSINESSACCOUNTMANAGEMENT_SCOPE = 'https://www.googleapis.com/auth/business.manage'
 CHROMEVERSIONHISTORY_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms'
 DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive'
 DRIVE_FILE_SCOPE = 'https://www.googleapis.com/auth/drive.file'
@@ -119,7 +119,6 @@ STORAGE_READONLY_SCOPE = 'https://www.googleapis.com/auth/devstorage.read_only'
 STORAGE_READWRITE_SCOPE = 'https://www.googleapis.com/auth/devstorage.read_write'
 USERINFO_EMAIL_SCOPE = 'https://www.googleapis.com/auth/userinfo.email' # email
 USERINFO_PROFILE_SCOPE = 'https://www.googleapis.com/auth/userinfo.profile' # profile
-VAULT_SCOPES = ['https://www.googleapis.com/auth/ediscovery', 'https://www.googleapis.com/auth/ediscovery.readonly']
 REQUIRED_SCOPES = [USERINFO_EMAIL_SCOPE, USERINFO_PROFILE_SCOPE]
 REQUIRED_SCOPES_SET = set(REQUIRED_SCOPES)
 NUM_CLIENT_SCOPES_ERROR_LIMIT = 48
@@ -138,6 +137,21 @@ SCOPELESS_APIS = {
  SERVICEACCOUNTLOOKUP,
  }
 #
+
+# Scopes not in the discovery doc that are still valid for the API.
+EXTRA_SCOPES = {
+  BUSINESSACCOUNTMANAGEMENT: ['https://www.googleapis.com/auth/business.manage'],
+  CLOUDRESOURCEMANAGER: ['https://www.googleapis.com/auth/cloudplatformfolders',
+                         'https://www.googleapis.com/auth/cloudplatformfolders.readonly',
+                         'https://www.googleapis.com/auth/cloudplatformprojects',
+                         'https://www.googleapis.com/auth/cloudplatformprojects.readonly',
+                         'https://www.googleapis.com/auth/cloudplatformorganizations',
+                         'https://www.googleapis.com/auth/cloudplatformorganizations.readonly',
+                         ],
+  VAULT: ['https://www.googleapis.com/auth/ediscovery', 'https://www.googleapis.com/auth/ediscovery.readonly'],
+}
+EXTRA_SCOPES[CLOUDRESOURCEMANAGERV1] = EXTRA_SCOPES[CLOUDRESOURCEMANAGER]
+
 APIS_NEEDING_ACCESS_TOKEN = {
  CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
  }
@@ -250,7 +264,8 @@ _INFO = {
  CLOUDIDENTITY_POLICY: {'name': 'Cloud Identity API - Policy', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_POLICY_BETA: {'name': 'Cloud Identity API - Policy Beta', 'version': 'v1beta1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
  CLOUDIDENTITY_USERINVITATIONS: {'name': 'Cloud Identity API - User Invitations', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudidentity'},
-  CLOUDRESOURCEMANAGER: {'name': 'Cloud Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
+  CLOUDRESOURCEMANAGER: {'name': 'Resource Manager API v3', 'version': 'v3', 'v2discovery': True},
+  CLOUDRESOURCEMANAGERV1: {'name': 'Resource Manager API v1', 'version': 'v1', 'v2discovery': True, 'mappedAPI': 'cloudresourcemanager'},
  CONTACTS: {'name': 'Contacts API', 'version': 'v3', 'v2discovery': False},
  CONTACTDELEGATION: {'name': 'Contact Delegation API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
  DATATRANSFER: {'name': 'Data Transfer API', 'version': 'datatransfer_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
@@ -305,9 +320,8 @@ READONLY = ['readonly',]
 _CLIENT_SCOPES = [
  {'name': 'Business Account Management API',
   'api': BUSINESSACCOUNTMANAGEMENT,
-   'subscopes': [],
   'offByDefault': True,
-   'scope': BUSINESSACCOUNTMANAGEMENT_SCOPE},
+   'scope': EXTRA_SCOPES[BUSINESSACCOUNTMANAGEMENT]},
  {'name': 'Calendar API',
   'api': CALENDAR,
   'subscopes': READONLY,
@@ -316,21 +330,18 @@ _CLIENT_SCOPES = [
   'api': CBCM,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/admin.directory.device.chromebrowsers'},
-  {'name': 'Chrome Management API - read only',
+  {'name': 'Chrome Management API - readonly',
   'api': CHROMEMANAGEMENT,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/chrome.management.reports.readonly'},
-  {'name': 'Chrome Management API - AppDetails read only',
+  {'name': 'Chrome Management API - AppDetails readonly',
   'api': CHROMEMANAGEMENT_APPDETAILS,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/chrome.management.appdetails.readonly'},
  {'name': 'Chrome Management API - Profiles',
   'api': CHROMEMANAGEMENT_CHROMEPROFILES,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/chrome.management.profiles'},
-  {'name': 'Chrome Management API - Telemetry read only',
+  {'name': 'Chrome Management API - Telemetry readonly',
   'api': CHROMEMANAGEMENT_TELEMETRY,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/chrome.management.telemetry.readonly'},
  {'name': 'Chrome Policy API',
   'api': CHROMEPOLICY,
@@ -342,7 +353,6 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/admin.chrome.printers'},
  {'name': 'Chrome Version History API',
   'api': CHROMEVERSIONHISTORY,
-   'subscopes': [],
   'scope': ''},
  {'name': 'Classroom API - Courses',
   'api': CLASSROOM,
@@ -370,11 +380,9 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/classroom.guardianlinks.students'},
  {'name': 'Classroom API - Profile Emails',
   'api': CLASSROOM,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/classroom.profile.emails'},
  {'name': 'Classroom API - Profile Photos',
   'api': CLASSROOM,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/classroom.profile.photos'},
  {'name': 'Classroom API - Rosters',
   'api': CLASSROOM,
@@ -404,7 +412,6 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'},
  {'name': 'Cloud Identity API - Policy Beta',
   'api': CLOUDIDENTITY_POLICY_BETA,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'},
  {'name': 'Cloud Identity API - User Invitations',
@@ -413,17 +420,14 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/cloud-identity.userinvitations'},
  {'name': 'Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)',
   'api': STORAGEREAD,
-   'subscopes': [],
   'offByDefault': True,
   'scope': STORAGE_READONLY_SCOPE},
  {'name': 'Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)',
   'api': STORAGEWRITE,
-   'subscopes': [],
   'offByDefault': True,
   'scope': STORAGE_READWRITE_SCOPE},
  {'name': 'Contacts API - Domain Shared Contacts',
   'api': CONTACTS,
-   'subscopes': [],
   'scope': 'https://www.google.com/m8/feeds'},
  {'name': 'Contact Delegation API',
   'api': CONTACTDELEGATION,
@@ -451,7 +455,7 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/admin.directory.group'},
  {'name': 'Directory API - Mobile Devices Directory',
   'api': DIRECTORY,
-   'subscopes': ['readonly', 'action'],
+   'subscopes': ['readonly', 'actiononly'],
   'scope': 'https://www.googleapis.com/auth/admin.directory.device.mobile'},
  {'name': 'Directory API - Organizational Units',
   'api': DIRECTORY,
@@ -471,7 +475,6 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/admin.directory.userschema'},
  {'name': 'Directory API - User Security',
   'api': DIRECTORY,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/admin.directory.user.security'},
  {'name': 'Directory API - Users',
   'api': DIRECTORY,
@@ -479,24 +482,19 @@ _CLIENT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/admin.directory.user'},
  {'name': 'Email Audit API',
   'api': EMAIL_AUDIT,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://apps-apis.google.com/a/feeds/compliance/audit/'},
  {'name': 'Groups Migration API',
   'api': GROUPSMIGRATION,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/apps.groups.migration'},
  {'name': 'Groups Settings API',
   'api': GROUPSSETTINGS,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/apps.groups.settings'},
  {'name': 'License Manager API',
   'api': LICENSING,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/apps.licensing'},
-  {'name': 'People Directory API - read only',
+  {'name': 'People Directory API - readonly',
   'api': PEOPLE_DIRECTORY,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/directory.readonly'},
  {'name': 'People API',
   'api': PEOPLE,
@@ -504,29 +502,31 @@ _CLIENT_SCOPES = [
   'scope': PEOPLE_SCOPE},
  {'name': 'Pub / Sub API',
   'api': PUBSUB,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/pubsub'},
-  {'name': 'Reports API - Audit Reports',
+  {'name': 'Reports API - Audit Reports readonly',
   'api': REPORTS,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/admin.reports.audit.readonly'},
-  {'name': 'Reports API - Usage Reports',
+  {'name': 'Reports API - Usage Reports readonly',
   'api': REPORTS,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/admin.reports.usage.readonly'},
  {'name': 'Reseller API',
   'api': RESELLER,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/apps.order'},
+  {'name': 'Resource Manager API - Organizations readonly',
+   'api': CLOUDRESOURCEMANAGER,
+   'offByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/cloudplatformorganizations.readonly'},
+  {'name': 'Resource Manager API - Projects readonly',
+   'api': CLOUDRESOURCEMANAGER,
+   'offByDefault': True,
+   'scope': 'https://www.googleapis.com/auth/cloudplatformprojects.readonly'},
  {'name': 'Service Account Lookup pseudo-API',
   'api': SERVICEACCOUNTLOOKUP,
-   'subscopes': [],
   'scope': ''},
  {'name': 'Site Verification API',
   'api': SITEVERIFICATION,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/siteverification'},
  {'name': 'Vault API',
@@ -538,30 +538,24 @@ _CLIENT_SCOPES = [
 _COMMANDDATA_CLIENT_SCOPES = [
  {'name': 'Drive API - commanddata_clientaccess',
   'api': DRIVE3,
-   'subscopes': [],
   'scope': DRIVE_READONLY_SCOPE},
-  {'name': 'Sheets API - commanddata_clientaccess',
+  {'name': 'Sheets API - commanddata_clientaccess readonly',
   'api': SHEETS,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/spreadsheets.readonly'},
  ]

 _TODRIVE_CLIENT_SCOPES = [
  {'name': 'Drive API - todrive_clientaccess',
   'api': DRIVE3,
-   'subscopes': [],
   'scope': DRIVE_SCOPE},
  {'name': 'Drive File API - todrive_clientaccess',
   'api': DRIVE3,
-   'subscopes': [],
   'scope': DRIVE_FILE_SCOPE},
  {'name': 'Gmail API - todrive_clientaccess',
   'api': GMAIL,
-   'subscopes': [],
   'scope': GMAIL_SEND_SCOPE},
  {'name': 'Sheets API - todrive_clientaccess',
   'api': SHEETS,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/spreadsheets'},
  ]

@@ -570,11 +564,9 @@ OAUTH2SA_SCOPES = 'us_scopes'
 _SVCACCT_SCOPES = [
  {'name': 'AlertCenter API',
   'api': ALERTCENTER,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/apps.alerts'},
-  {'name': 'Analytics Admin API - read only',
+  {'name': 'Analytics Admin API - readonly',
   'api': ANALYTICS_ADMIN,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/analytics.readonly'},
  {'name': 'Calendar API',
   'api': CALENDAR,
@@ -611,11 +603,9 @@ _SVCACCT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/chat.admin.spaces'},
  {'name': 'Chat API - Spaces Delete',
   'api': CHAT_SPACES_DELETE,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/chat.delete'},
  {'name': 'Chat API - Spaces Delete Admin',
   'api': CHAT_SPACES_DELETE_ADMIN,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/chat.admin.delete'},
  {'name': 'Classroom API - Course Announcements',
   'api': CLASSROOM,
@@ -635,11 +625,9 @@ _SVCACCT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/classroom.coursework.students'},
  {'name': 'Classroom API - Profile Emails',
   'api': CLASSROOM,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/classroom.profile.emails'},
  {'name': 'Classroom API - Profile Photos',
   'api': CLASSROOM,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/classroom.profile.photos'},
  {'name': 'Classroom API - Rosters',
   'api': CLASSROOM,
@@ -656,7 +644,6 @@ _SVCACCT_SCOPES = [
 #   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'},
 #  {'name': 'Cloud Identity API - Policy Beta',
 #   'api': CLOUDIDENTITY_POLICY_BETA,
-#   'subscopes': [],
 #   'offByDefault': True,
 #   'scope': 'https://www.googleapis.com/auth/cloud-identity.policies'},
 #  {'name': 'Cloud Identity User Invitations API',
@@ -665,7 +652,6 @@ _SVCACCT_SCOPES = [
 #   'scope': 'https://www.googleapis.com/auth/cloud-identity'},
 #  {'name': 'Contacts API - Users',
 #   'api': CONTACTS,
-#   'subscopes': [],
 #   'scope': 'https://www.google.com/m8/feeds'},
  {'name': 'Drive API',
   'api': DRIVE3,
@@ -673,7 +659,6 @@ _SVCACCT_SCOPES = [
   'scope': DRIVE_SCOPE},
  {'name': 'Drive Activity API v2 - must pair with Drive API',
   'api': DRIVEACTIVITY,
-   'subscopes': [],
   'scope': [DRIVE_READONLY_SCOPE,
             'https://www.googleapis.com/auth/drive.activity']},
  {'name': 'Drive Labels API - Admin',
@@ -690,30 +675,24 @@ _SVCACCT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/documents'},
  {'name': 'Forms API - must pair with Drive API',
   'api': FORMS,
-   'subscopes': [],
   'scope': [DRIVE_READONLY_SCOPE,
             'https://www.googleapis.com/auth/forms.body',
             'https://www.googleapis.com/auth/forms.responses.readonly']},
  {'name': 'Gmail API - Full Access (Labels, Messages)',
   'api': GMAIL,
-   'subscopes': [],
   'scope': 'https://mail.google.com/'},
  {'name': 'Gmail API - Full Access (Labels, Messages) except delete message',
   'api': GMAIL,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/gmail.modify'},
  {'name': 'Gmail API - Basic Settings (Filters, IMAP, Language, POP, Vacation) - read/write, Sharing Settings (Delegates, Forwarding, SendAs) - read',
   'api': GMAIL,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/gmail.settings.basic'},
  {'name': 'Gmail API - Sharing Settings (Delegates, Forwarding, SendAs) - write',
   'api': GMAIL,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/gmail.settings.sharing'},
 #  {'name': 'Identity and Access Management API',
 #   'api': IAM,
 #   'offByDefault': True,
-#   'subscopes': [],
 #   'scope': CLOUD_PLATFORM_SCOPE},
  {'name': 'Keep API',
   'api': KEEP,
@@ -725,32 +704,26 @@ _SVCACCT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/datastudio'},
  {'name': 'Meet API - Manage/Display Meeting Spaces',
   'api': MEET_SPACES,
-   'subscopes': [],
   'scope': ['https://www.googleapis.com/auth/meetings.space.created',
             'https://www.googleapis.com/auth/meetings.space.settings']},
-  {'name': 'Meet API - Read Meeting Spaces metadata',
+  {'name': 'Meet API - Read Meeting Spaces metadata readonly',
   'api': MEET_READONLY,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/meetings.space.readonly'},
  {'name': 'OAuth2 API',
   'api': OAUTH2,
-   'subscopes': [],
   'scope': USERINFO_PROFILE_SCOPE},
  {'name': 'People API',
   'api': PEOPLE,
   'subscopes': READONLY,
   'scope': PEOPLE_SCOPE},
-  {'name': 'People Directory API - read only',
+  {'name': 'People Directory API - readonly',
   'api': PEOPLE_DIRECTORY,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/directory.readonly'},
-  {'name': 'People API - Other Contacts - read only',
+  {'name': 'People API - Other Contacts - readonly',
   'api': PEOPLE_OTHERCONTACTS,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/contacts.other.readonly'},
-  {'name': 'Search Console  API - read only',
+  {'name': 'Search Console  API - readonly',
   'api': SEARCHCONSOLE,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/webmasters.readonly'},
  {'name': 'Sheets API',
@@ -759,26 +732,22 @@ _SVCACCT_SCOPES = [
   'scope': 'https://www.googleapis.com/auth/spreadsheets'},
  {'name': 'Site Verification API',
   'api': SITEVERIFICATION,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/siteverification'},
-  {'name': 'Tag Manager API - Accounts, Containers, Workspaces, Tags - read only',
+  {'name': 'Tag Manager API - Accounts, Containers, Workspaces, Tags - readonly',
   'api': TAGMANAGER,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/tagmanager.readonly'},
  {'name': 'Tag Manager API - Users',
   'api': TAGMANAGER_USERS,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/tagmanager.manage.users'},
  {'name': 'Tasks API',
   'api': TASKS,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/tasks'},
-  {'name': 'Youtube API - read only',
+  {'name': 'Youtube API - readonly',
   'api': YOUTUBE,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/youtube.readonly'},
  ]
@@ -786,30 +755,25 @@ _SVCACCT_SCOPES = [
 _SVCACCT_SPECIAL_SCOPES = [
  {'name': 'Drive API - write todrive data - has access to all Drive',
   'api': DRIVETD,
-   'subscopes': [],
   'offByDefault': True,
   'scope': DRIVE_SCOPE},
-  {'name': 'Gmail API - Full Access - read only',
+  {'name': 'Gmail API - Full Access - readonly',
   'api': GMAIL,
-   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/gmail.readonly'},
  {'name': 'Gmail API - Send Messages - including todrive',
   'api': GMAIL,
-   'subscopes': [],
   'offByDefault': True,
   'scope': GMAIL_SEND_SCOPE},
  {'name': 'Sheets API - write todrive data - has access to all Sheets',
   'api': SHEETSTD,
   'offByDefault': True,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/spreadsheets'},
  ]

 _USER_SVCACCT_ONLY_SCOPES = [
  {'name': 'Groups Migration API',
   'api': GROUPSMIGRATION,
-   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/apps.groups.migration'},
  ]

@@ -849,7 +813,7 @@ def getClientScopesURLs(commanddataClientAccess, todriveClientAccess):

 def getSvcAcctScopeAPI(uscope):
  for scope in _SVCACCT_SCOPES:
-    if uscope == scope['scope'] or (uscope.endswith('.readonly') and 'readonly' in scope['subscopes']):
+    if uscope == scope['scope'] or (uscope.endswith('.readonly') and 'readonly' in scope.get('subscopes', [])):
      return scope['api']
  return None

@@ -877,11 +841,11 @@ def findAPIforScope(scopesList):
    if cscope['scope'] == scope:
      requiredAPIs.append(cscope['name'])
      return True
-    if cscope['subscopes'] == READONLY and cscope['scope']+'.readonly' == scope:
+    if 'readonly' in cscope.get('subscopes', []) and cscope['scope']+'.readonly' == scope:
      requiredAPIs.append(cscope['name']+' (supports readonly)')
      return True
    return False
-    
+
  requiredAPIs = []
  for scope in scopesList:
    for cscope in _CLIENT_SCOPES:
--- a/src/gam/gamlib/glcfg.py
+++ b/src/gam/gamlib/glcfg.py
@@ -171,12 +171,12 @@ EMAIL_BATCH_SIZE = 'email_batch_size'
 ENABLE_DASA = 'enable_dasa'
 # Enable Cloud Session Reauthentication by borrowing a RAPT token from gcloud command
 ENABLE_GCLOUD_REAUTH = 'enable_gcloud_reauth'
-# Value for enforceExpansiveAccess for commands that delete or update drive file ACLs/permissions.
-ENFORCE_EXPANSIVE_ACCESS = 'enforce_expansive_access'
 # When retrieving lists of calendar events from API, how many should be retrieved in each chunk
 EVENT_MAX_RESULTS = 'event_max_results'
 # Path to extra_args.txt
 EXTRA_ARGS = 'extra_args'
+# Google Cloud Project Organization ID
+GCP_ORG_ID = 'gcp_org_id'
 # Gmail CSE certificates directory
 GMAIL_CSE_INCERT_DIR = 'gmail_cse_incert_dir'
 # Gmail CSE KACL wrapped key files
@@ -396,13 +396,13 @@ Defaults = {
  DEVICE_MAX_RESULTS: '200',
  DOMAIN: '',
  DRIVE_DIR: '',
-  ENFORCE_EXPANSIVE_ACCESS: TRUE,
  DRIVE_MAX_RESULTS: '1000',
  EMAIL_BATCH_SIZE: '50',
  ENABLE_DASA: FALSE,
  ENABLE_GCLOUD_REAUTH: FALSE,
  EVENT_MAX_RESULTS: '250',
  EXTRA_ARGS: '',
+  GCP_ORG_ID: '',
  GMAIL_CSE_INCERT_DIR: '',
  GMAIL_CSE_INKEY_DIR: '',
  INPUT_DIR: '.',
@@ -570,13 +570,13 @@ VAR_INFO = {
  DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
  DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
  DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
-  ENFORCE_EXPANSIVE_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
  DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
  EMAIL_BATCH_SIZE: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 100)},
  ENABLE_DASA: {VAR_TYPE: TYPE_BOOLEAN, VAR_SIGFILE: 'enabledasa.txt', VAR_SFFT: (FALSE, TRUE)},
  ENABLE_GCLOUD_REAUTH: {VAR_TYPE: TYPE_BOOLEAN},
  EVENT_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 2500)},
  EXTRA_ARGS: {VAR_TYPE: TYPE_FILE, VAR_SIGFILE: FN_EXTRA_ARGS_TXT, VAR_SFFT: ('', FN_EXTRA_ARGS_TXT), VAR_ACCESS: os.R_OK},
+  GCP_ORG_ID: {VAR_TYPE: TYPE_STRING, VAR_LIMITS: (0, None)},
  GMAIL_CSE_INCERT_DIR: {VAR_TYPE: TYPE_DIRECTORY},
  GMAIL_CSE_INKEY_DIR: {VAR_TYPE: TYPE_DIRECTORY},
  INPUT_DIR: {VAR_TYPE: TYPE_DIRECTORY},
--- a/src/gam/gamlib/glclargs.py
+++ b/src/gam/gamlib/glclargs.py
@@ -830,6 +830,7 @@ class GamCLArgs():
  ARG_CSEKEYPAIRS = 'csekeypairs'
  ARG_CURRENTPROJECTID = 'currentprojectid'
  ARG_CUSTOMER = 'customer'
+  ARG_CUSTOMERID = 'customerid'
  ARG_DATASTUDIOASSET = 'datastudioasset'
  ARG_DATASTUDIOASSETS = 'datastudioassets'
  ARG_DATASTUDIOPERMISSION = 'datastudiopermission'
@@ -913,6 +914,7 @@ class GamCLArgs():
  ARG_FORWARDINGADDRESS = 'forwardingaddress'
  ARG_FORWARDINGADDRESSES = 'forwardingaddresses'
  ARG_GCPFOLDER = 'gcpfolder'
+  ARG_GCPORGID = 'gcporgid'
  ARG_GCPSERVICEACCOUNT = 'gcpserviceaccount'
  ARG_GMAIL = 'gmail'
  ARG_GMAILPROFILE = 'gmailprofile'
--- a/src/gam/gamlib/glentity.py
+++ b/src/gam/gamlib/glentity.py
@@ -242,6 +242,7 @@ class GamEntity():
  FORWARDING_ADDRESS = 'fwda'
  GCP_FOLDER = 'gcpf'
  GCP_FOLDER_NAME = 'gcpn'
+  GCP_ORG_ID = 'gcpo'
  GMAIL_PROFILE = 'gmpr'
  GROUP = 'grou'
  GROUP_ALIAS = 'gali'
@@ -613,6 +614,7 @@ class GamEntity():
    FORWARDING_ADDRESS: ['Forwarding Addresses', 'Forwarding Address'],
    GCP_FOLDER: ['GCP Folders', 'GCP Folder'],
    GCP_FOLDER_NAME: ['GCP Folder Names', 'GCP Folder Name'],
+    GCP_ORG_ID: ['GCP Organization ID', 'GCP Organization ID'],
    GMAIL_PROFILE: ['Gmail Profile', 'Gmail Profile'],
    GROUP: ['Groups', 'Group'],
    GROUP_ALIAS: ['Group Aliases', 'Group Alias'],
--- a/src/gam/gamlib/glgapi.py
+++ b/src/gam/gamlib/glgapi.py
@@ -257,10 +257,10 @@ DRIVE3_UPDATE_ACL_THROW_REASONS = [BAD_REQUEST, INVALID_OWNERSHIP_TRANSFER, CANN
                                   CANNOT_UPDATE_PERMISSION,
                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION, CANNOT_MODIFY_INHERITED_PERMISSION,
                                   FIELD_NOT_WRITABLE, PERMISSION_NOT_FOUND]
-DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, CANNOT_REMOVE_OWNER,
+DRIVE3_DELETE_ACL_THROW_REASONS = [BAD_REQUEST, NOT_FOUND, PERMISSION_NOT_FOUND, CANNOT_REMOVE_OWNER,
                                   CANNOT_MODIFY_INHERITED_TEAMDRIVE_PERMISSION, CANNOT_MODIFY_INHERITED_PERMISSION,
                                   INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, SHARING_RATE_LIMIT_EXCEEDED,
-                                   NOT_FOUND, PERMISSION_NOT_FOUND, CANNOT_DELETE_PERMISSION]
+                                   CANNOT_DELETE_PERMISSION, FILE_NEVER_WRITABLE]
 DRIVE3_MODIFY_LABEL_THROW_REASONS = DRIVE_USER_THROW_REASONS+[FILE_NOT_FOUND, NOT_FOUND, FORBIDDEN, INTERNAL_ERROR,
                                                              FILE_NEVER_WRITABLE, APPLY_LABEL_FORBIDDEN,
                                                              INSUFFICIENT_ADMINISTRATOR_PRIVILEGES, INSUFFICIENT_FILE_PERMISSIONS,
--- a/src/gam/gamlib/glskus.py
+++ b/src/gam/gamlib/glskus.py
@@ -94,7 +94,7 @@ _SKUS = {
  '1010430001': {
    'product': '101043', 'aliases': ['gwas', 'plusstorage'], 'displayName': 'Google Workspace Additional Storage'},
  '1010470001': {
-    'product': '101047', 'aliases': ['geminient', 'duetai'], 'displayName': 'Gemini Enterprise'},
+    'product': '101047', 'aliases': ['geminient', 'duetai'], 'displayName': 'Gemini Enterprise - Legacy'},
  '1010470002': {
    'product': '101047', 'aliases': ['gwlabs', 'workspacelabs'], 'displayName': 'Google Workspace Labs'},
  '1010470003': {
@@ -109,6 +109,8 @@ _SKUS = {
    'product': '101047', 'aliases': ['aimeetingsandmessaging'], 'displayName': 'AI Meetings and Messaging'},
  '1010470008': {
    'product': '101047', 'aliases': ['geminiultra'], 'displayName': 'Google AI Ultra for Business'},
+  '1010470009': {
+    'product': '101047', 'aliases': ['aiexpandedaccess'], 'displayName': 'AI Expanded Access'},
  '1010490001': {
    'product': '101049', 'aliases': ['eeu'], 'displayName': 'Endpoint Education Upgrade'},
  '1010500001': {
--- a/src/tools/_hashlib.vcxproj
+++ b/src/tools/_hashlib.vcxproj
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|ARM">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|ARM64">
+      <Configuration>Debug</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|ARM">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|ARM64">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|Win32">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGInstrument|x64">
+      <Configuration>PGInstrument</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|ARM">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|ARM64">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|Win32">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="PGUpdate|x64">
+      <Configuration>PGUpdate</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM">
+      <Configuration>Release</Configuration>
+      <Platform>ARM</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|ARM64">
+      <Configuration>Release</Configuration>
+      <Platform>ARM64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{447F05A8-F581-4CAC-A466-5AC7936E207E}</ProjectGuid>
+    <RootNamespace>_hashlib</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="python.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>NotSet</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <PropertyGroup>
+    <TargetExt>$(PyStdlibPydExt)</TargetExt>
+  </PropertyGroup>
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+    <Import Project="pyproject.props" />
+    <Import Project="openssl.props" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+  </PropertyGroup>
+  <ItemDefinitionGroup>
+    <Link>
+      <AdditionalDependencies>ws2_32.lib;crypt32.lib;advapi32.lib;user32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\Modules\_hashopenssl.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="..\PC\python_nt.rc" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="pythoncore.vcxproj">
+      <Project>{cf7ac3d1-e2df-41d2-bea6-1e2556cdea26}</Project>
+      <ReferenceOutputAssembly>false</ReferenceOutputAssembly>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
--- a/src/tools/openssl.props
+++ b/src/tools/openssl.props
@@ -15,12 +15,14 @@
    <_DLLSuffix Condition="$(Platform) == 'ARM64'">$(_DLLSuffix)-arm64</_DLLSuffix>
    <_DLLSuffix Condition="$(Platform) == 'x64'">$(_DLLSuffix)-x64</_DLLSuffix>
  </PropertyGroup>
+  <!-- GAM Static Build: Disable missing DLL/PDB copy
  <ItemGroup>
    <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).dll" />
    <_SSLDLL Include="$(opensslOutDir)\libcrypto$(_DLLSuffix).pdb" />
    <_SSLDLL Include="$(opensslOutDir)\libssl$(_DLLSuffix).dll" />
    <_SSLDLL Include="$(opensslOutDir)\libssl$(_DLLSuffix).pdb" />
  </ItemGroup>
+  -->
  <Target Name="_CopySSLDLL" Inputs="@(_SSLDLL)" Outputs="@(_SSLDLL->'$(OutDir)%(Filename)%(Extension)')" AfterTargets="Build">
    <Copy SourceFiles="@(_SSLDLL)" DestinationFolder="$(OutDir)" />
  </Target>
--- a/src/tools/ssd.mjs
+++ b/src/tools/ssd.mjs
@@ -1,128 +1,147 @@
-// Node.js script that implements an Appium client which will launch
-// Simply Sign Desktop app and log a user in. Once logged in it should
-// be possible to use tools like signtool.exe to sign Windows EXE/MSI files
-// with the Certum certificate.
+// Node.js script to launch Simply Sign Desktop app and log a user in
+// using native Windows keystrokes and screenshot-desktop for reliable CI imaging.

-import { Key, remote } from 'webdriverio';
-import { exec } from 'child_process';
+import { execSync, spawn } from 'child_process';
 import { TOTP } from 'totp-generator';
-
-async function screenshot(driver, filename) {
-  // uncomment to save .png screenshots
-  await driver.saveScreenshot(filename);
-  return
-}
+import path from 'path';
+import fs from 'fs';

 function sleep(ms) {
  return new Promise(resolve => setTimeout(resolve, ms));
 }

-async function executeCommand(command) {
+// Native PowerShell Keystroke Sender
+function sendKeys(keys) {
+  const script = `$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('${keys}')`;
+  execSync(`powershell -Command "${script}"`);
+}
+
+// Native PowerShell Desktop Clear
+function minimizeAllWindows() {
+  console.log('Minimizing all rogue background windows...');
+  const script = `$shell = New-Object -ComObject "Shell.Application"; $shell.MinimizeAll()`;
  try {
-    let { stdout, stderr } = await exec(command);
-    return stdout;
-  } catch (error) {
-    console.error(`Error executing command: ${command}`);
-    console.error(`Error details: ${error}`);
-    throw error; 
+    execSync(`powershell -Command "${script}"`);
+  } catch (err) {
+    console.log('Minimize command failed silently.');
  }
 }

-async function runSSD() {
-    const opts = {
-        port: 4723,
-        logLevel: "silent",
-        capabilities: {
-            platformName: "Windows",
-            "appium:app": "C:\\Program Files\\Certum\\SimplySign Desktop\\SimplySignDesktop.exe",
-            "appium:automationName": "Windows",
-        },
-    };
+async function takeScreenshot(filename) {
+  const workspace = process.env.GITHUB_WORKSPACE || process.cwd();
+  const fullPath = path.join(workspace, filename);

-    let driver;
-    try {
-        driver = await remote(opts);
-        
-        // Github Actions Win ARM64 is stuck on a OOB screen that steals focus
-        // These enter / escapes should dismiss it.
-        const runner_arch =  process.env.RUNNER_ARCH;
-        if ( runner_arch === "ARM64" ) {
-          console.log('Running on ARM64...');
-          await sleep(3000); // Pause execution for 3 seconds
-          await screenshot(driver, 'oob1.png');
-          await driver.sendKeys([Key.Enter]);
-          await sleep(3000); // Pause execution for 3 seconds
-          await screenshot(driver, 'oob2.png');
-          await driver.sendKeys([Key.Enter]);
-          await sleep(3000); // Pause execution for 3 seconds
-          await screenshot(driver, 'oob3.png');
-          await driver.sendKeys([Key.Escape]);
-          await screenshot(driver, 'oob6.png');
-        } else {
-          console.log('NOT running on ARM64');
-        }
-
-        //  Execute SSD again to open login dialog
-        exec('"C:\\Program Files\\Certum\\SimplySign Desktop\\SimplySignDesktop.exe"', (error, stdout, stderr) => {
-          if (error) {
-            console.error(`exec error: ${error}`);
-            return;
-          }
-        });
-        await sleep(3000);
-
-        // Login
-        const windows = await driver.getWindowHandles();
-        const login_window = windows[0]
-        await driver.switchWindow(login_window);
-        await screenshot(driver, 'login01.png');
-        const id_value = 'jay0lee@gmail.com';
-        const id_arr =  [...id_value];
-        await driver.sendKeys(id_arr);
-        await screenshot(driver, 'login02.png');
-        await driver.sendKeys([Key.Tab]);
-        console.log('Our secret is ' + process.env.TOTP_SECRET.length + ' characters.');
-        // We wait until the last possible second to generate
-        // our TOTP to ensure it's still valid.
-        const { otp } = await TOTP.generate(process.env.TOTP_SECRET, {algorithm: 'SHA-256'});
-        console.log('Our token is ' + otp.length + ' characters.');
-        const otp_arr =  [...otp];
-        await driver.sendKeys(otp_arr);
-        await screenshot(driver, 'login03.png');
-        await driver.sendKeys([Key.Enter]);
-
-        // TODO: it's expected that on successful login the window
-        // will close and these screenshots will error out. Figure
-        // out how to handle that gracefully.
-        await screenshot(driver, 'login04.png');
-        await sleep(500);
-        await screenshot(driver, 'login05.png');
-        await sleep(500);
-        await screenshot(driver, 'login06.png');
-        await sleep(500);
-        await screenshot(driver, 'login07.png');
-        await sleep(500);
-        await screenshot(driver, 'login08.png');
-        await sleep(500);
-        await screenshot(driver, 'login09.png');
-        await sleep(500);
-        await screenshot(driver, 'login10.png');
-        await sleep(500);
-        await screenshot(driver, 'login11.png');
-        await sleep(500);
-        await screenshot(driver, 'login12.png');
-
-    } catch (error) {
-        console.error(error);
-        //console.error("Error during Appium run:");
+  const psScript = `
+    Add-Type -AssemblyName System.Windows.Forms;
+    Add-Type -AssemblyName System.Drawing;
+    $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen;
+    
+    if ($Screen.Width -eq 0 -or $Screen.Height -eq 0) {
+        Write-Error "Screen dimensions are 0x0. Desktop not fully initialized.";
+        exit 1;
    }
+    
+    $bitmap = New-Object System.Drawing.Bitmap $Screen.Width, $Screen.Height;
+    $graphic = [System.Drawing.Graphics]::FromImage($bitmap);
+    $graphic.CopyFromScreen($Screen.Left, $Screen.Top, 0, 0, $bitmap.Size);
+    $bitmap.Save('${fullPath}');
+  `;
+  
+  try {
+    execSync(`powershell -Command "${psScript}"`);
+    console.log(`Saved screenshot: ${fullPath}`);
+  } catch (err) {
+    console.error(`Failed to save screenshot ${fullPath}:`, err.message);
+  }
+}

-    // INTENTIONAL Keep driver open so tray icon for Certum doesn't close
-    // finally {
-    //    if (driver) {
-    //        await driver.deleteSession(); // Close the Appium session
-    //    }
-    //}
+// Fire and forget application launcher
+function launchSSD() {
+    const child = spawn('C:\\Program Files\\Certum\\SimplySign Desktop\\SimplySignDesktop.exe', [], {
+        detached: true,       
+        stdio: 'ignore'       
+    });
+    child.unref();            
+}
+
+async function runSSD() {
+    await takeScreenshot('001.png');
+    minimizeAllWindows();
+    await sleep(2000);
+    await takeScreenshot('002.png');
+    sendKeys('{ESC}');
+    await sleep(2000);
+    await takeScreenshot('003.png');
+    //sendKeys('{ESC}');
+    //await sleep(2000);
+    //await takeScreenshot('004.png');
+    //sendKeys('{ESC}');
+    //await sleep(2000);
+    //await takeScreenshot('005.png');
+    //sendKeys('%{F4}');
+    //await sleep(2000);
+    //await takeScreenshot('006.png');
+    //sendKeys('%{F4}');
+    //await sleep(2000);
+    //await takeScreenshot('007.png');
+
+    // Re-execute SSD to open login dialog
+    launchSSD();
+    await sleep(3000);
+    await takeScreenshot('008.png');
+    launchSSD();
+    await sleep(3000);
+    await takeScreenshot('009.png');
+
+    // 2. Login Flow
+    console.log('Typing credentials...');
+    
+    // Type Email
+    sendKeys('jay0lee@gmail.com');
+    await sleep(500); 
+    await takeScreenshot('010.png');
+    
+    // Tab to next field
+    sendKeys('{TAB}');
+    await sleep(500);
+
+    // Generate and type TOTP
+    console.log(`Our secret is ${process.env.TOTP_SECRET.length} characters.`);
+    const { otp } = await TOTP.generate(process.env.TOTP_SECRET, {algorithm: 'SHA-256'});
+    console.log(`Our token is ${otp.length} characters.`);
+    
+    sendKeys(otp);
+    await sleep(500);
+    await takeScreenshot('011.png');
+
+    // Submit
+    sendKeys('{ENTER}');
+    console.log('Login sequence complete.');
+    
+    // Screenshot cascade to monitor the window closing
+    await takeScreenshot('012.png');
+    await sleep(500);
+    await takeScreenshot('013.png');
+    await sleep(500);
+    await takeScreenshot('014.png');
+    await sleep(500);
+
+    
+    console.log('Exiting script, leaving SimplySign running in background.');
+
+    // Verification block to list all PNGs in the workspace
+    console.log('\n--- Screenshot Verification ---');
+    const workspace = process.env.GITHUB_WORKSPACE || process.cwd();
+    try {
+        const files = fs.readdirSync(workspace);
+        const pngFiles = files.filter(f => f.endsWith('.png'));
+        console.log(`Target Directory: ${workspace}`);
+        console.log(`Found ${pngFiles.length} .png files:`);
+        pngFiles.forEach(f => console.log(` - ${f}`));
+    } catch (err) {
+        console.error(`Error reading directory ${workspace}:`, err.message);
+    }
+    console.log('-------------------------------\n');
 }

 runSSD();
--- a/wiki/Cloud-Identity-Policies.md
+++ b/wiki/Cloud-Identity-Policies.md
@@ -58,7 +58,7 @@ See: https://cloud.google.com/identity/docs/concepts/supported-policy-api-settin
 Display selected policies.
 ```
 gam info policies <CIPolicyEntity>
-        [nowarnings] [noappnames]
+        [nowarnings] [noappnames] [noidmappimg]
        [formatjson]
 ```

@@ -69,16 +69,20 @@ Select policies::

 By default, policy warnings are displayed, use the 'nowarnings` option to suppress their display.

-By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
+By default, additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
 to get the application name for the application ID. Use option `noappnames` to suppress these calls.

+By default, additional API calls are made to add the `policyQuery/groupEmail` and `policyQuery/orgUnitPath` fields
+that are mapped from the `policyQuery/group` and `policyQuery/orgUnit` fields. Use option `noidmapping'
+to suppress these calls and not add the additional fields.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

 Display all or filtered policies.
 ```
 gam show policies
-        [filter <String>] [nowarnings] [noappnames]
+        [filter <String>] [nowarnings] [noappnames] [noidmappimg]
        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
        [formatjson]
 ```
@@ -92,12 +96,16 @@ By default, policy warnings are displayed, use the `nowarnings` option to suppre
 By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
 to get the application name for the application ID. Use option `noappnames` to suppress these calls.

+By default, additional API calls are made to add the `policyQuery/groupEmail` and `policyQuery/orgUnitPath` fields
+that are mapped from the `policyQuery/group` and `policyQuery/orgUnit` fields. Use option `noidmapping'
+to suppress these calls and not add the additional fields.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

 ```
 gam print policies [todrive <ToDriveAttribute>*]
-        [filter <String>] [nowarnings] [noappnames]
+        [filter <String>] [nowarnings] [noappnames] [noidmappimg]
        [group <REMatchPattern>] [ou|org|orgunit <REMatchPattern>]
        [formatjson [quotechar <Character>]]
 ```
@@ -108,6 +116,10 @@ By default, all policies are displayed:

 By default, policy warnings are displayed, use the `nowarnings` option to suppress their display.

+By default, additional API calls are made to add the `policyQuery/groupEmail` and `policyQuery/orgUnitPath` fields
+that are mapped from the `policyQuery/group` and `policyQuery/orgUnit` fields. Use option `noidmapping'
+to suppress these calls and not add the additional fields.
+
 By default,  additional API calls are made for `settings/workspace_marketplace.apps_allowlist`
 to get the application name for the application ID. Use option `noappnames` to suppress these calls.

--- a/wiki/Context-Aware-Access-Levels.md
+++ b/wiki/Context-Aware-Access-Levels.md
@@ -3,6 +3,7 @@
 - [Notes](#Notes)
 - [API documentation](#api-documentation)
 - [Grant Service Account Rights to Manage CAA](#grant-service-account-rights-to-manage-caa)
+- [Get Google Cloud organization ID for your workspace](#Get Google Cloud organization ID for your workspace)
 - [Definitions](#definitions)
 - [Parameters for Basic Levels](#parameters-for-basic-levels)
 - [Create an Access Level](#create-an-access-level)
@@ -36,6 +37,15 @@ In order for GAM to manage CAA access levels, you need to grant your service acc
 10. Click `Save`. It may take 15 minutes or more for the role permissions to propagate.
 11. Confirm the role is in place by re-running `gam print caalevels`

+## Get Google Cloud organization ID for your workspace
+This ID is used by the caalevel commands; to eliminate additional API calls,
+you can get the value and store it in the `gam.cfg/gcp_org_id` variable.
+```
+$ gam info gcporgid
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
 ## Definitions
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
--- a/wiki/Customer.md
+++ b/wiki/Customer.md
@@ -4,6 +4,8 @@
 - [Update customer](#update-customer)
 - [Display customer](#display-customer)
 - [Display instance](#display-instance)
+- [Display Customer ID](#display-customer-id)
+- [Display GCP organization ID](#display-gcp-organization-id)

 ## API documentation
 * [Directory API - Customers](https://developers.google.com/admin-sdk/directory/reference/rest/v1/customers)
@@ -45,3 +47,19 @@ gam info instance [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
+
+## Display Customer ID
+You can get and set the `gam.cfg/customer_id` value with these commands:
+```
+$ gam info customerid             
+C78abc9de
+$ gam config customer_id C78abc9de save
+```
+## Display GCP organization ID
+You can get and set the `gam.cfg/gcp_org_id` value with these commands:
+```
+$ gam info gcporgid             
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
--- a/wiki/Downloads-Installs.md
+++ b/wiki/Downloads-Installs.md
@@ -25,41 +25,41 @@ start a new terminal session and reissue the command from above.
 ## Executable, Manual

 * Executable Archive, Manual, Linux/Google Cloud Shell
-  - `gam-7.wx.yz-linux-x86_64-glibc2.36.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-glibc2.35.tar.xz`
  - `gam-7.wx.yz-linux-x86_64-glibc2.39.tar.xz`
  - `gam-7.wx.yz-linux-x86_64-legacy.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

 * Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
-  - `gam-7.wx.yz-linux-arm64-glibc2.36.tar.xz`
+  - `gam-7.wx.yz-linux-arm64-glibc2.35.tar.xz`
  - `gam-7.wx.yz-linux-arm64-glibc2.39.tar.xz`
  - `gam-7.wx.yz-linux-arm64-legacy.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

 * Executable Archive, Manual, Mac OS versions Sonoma, Sequoia - M1/M2
-  - `gam-7.wx.yz-macos14.7-arm64.tar.xz`
+  - `gam-7.wx.yz-macos14.8-arm64.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

 * Executable Archive, Manual, Mac OS versions Sequoia - M2/M3
-  - `gam-7.wx.yz-macos15.6-arm64.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session.
-
-* Executable Archive, Manual, Mac OS versions Tahoe - M2/M3/M4
-  - `gam-7.wx.yz-macos26.0-arm64.tar.xz`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session.
-
-* Executable Archive, Manual, Mac OS, versions Ventura, Sonoma - Intel
-  - `gam-7.wx.yz-macos13.7-x86_64.tar.xz`
+  - `gam-7.wx.yz-macos15.7-arm64.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

 * Executable Archive, Manual, Mac OS, versions Sequoia, Tahoe - Intel
-  - `gam-7.wx.yz-macos15.6-x86_64.tar.xz`
+  - `gam-7.wx.yz-macos15.7-x86_64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS versions Tahoe - M2/M3/M4
+  - `gam-7.wx.yz-macos26.3-arm64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS versions Tahoe - Intel
+  - `gam-7.wx.yz-macos26.3-x86_64.tar.xz`
  - Download the archive, extract the contents into some directory.
  - Start a terminal session.

@@ -69,7 +69,7 @@ start a new terminal session and reissue the command from above.
  - Start a Command Prompt/PowerShell session.

 * Executable Installer, Manual, Windows 64 bit
-  - `gam-7.wx.yz-windows-x86_64.msi`
+  - `gam-7.wx.yz-windows-x86_64.exe`
  - Download the installer and run it.
  - Start a Command Prompt/PowerShell session.

@@ -79,7 +79,7 @@ start a new terminal session and reissue the command from above.
  - Start a Command Prompt/PowerShell session.

 * Executable Installer, Manual, Windows 11 ARM
-  - `gam-7.wx.yz-windows-arm64.msi`
+  - `gam-7.wx.yz-windows-arm64.exe`
  - Download the installer and run it.
  - Start a Command Prompt/PowerShell session.

--- a/wiki/GamUpdates.md
+++ b/wiki/GamUpdates.md
@@ -10,6 +10,200 @@ Add the `-s` option to the end of the above commands to suppress creating the `g

 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation

+### 7.39.03
+
+Added the following options to `gam <UserTypeEntity> create chatspace` that can be used to capture
+space details when creating chat spaces in bulk.
+```
+csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]] (addcsvdata <FieldName> <String>)*
+```
+
+See: https://github.com/GAM-team/GAM/wiki/Users-Chat#bulk-build-chat-spaces
+
+### 7.39.02
+
+Fixed progress messages for `gam <UserTypeEntity> print filelist` when permissions were being
+displayed/matched for Shared Drives.
+
+### 7.39.01
+
+Updated `gam <UserTypeEntity> transfer drive <UserItem>` to handle the following error:
+```
+ERROR: 403: cannotDeletePermission - The authenticated user cannot delete the permission.
+```
+
+### 7.39.00
+
+Deleted variable `enforce_expansive_access` from `gam.cfg` and removed option `enforceexpansiveaccess`
+from the following commands as expansive access is now always enforced by Google on My Drives.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+```
+
+### 7.38.02
+
+Added license SKU `1010470009` for `AI Expanded Access`; abbreviation `aiexpandedaccess`.
+
+Renamed license SKU `1010470001` from `Gemini Enterprise` to `Gemini Enterprise - Legacy`.
+
+### 7.38.01
+
+Added `root` as a synonym for '/' in command line arguments that specify an OU.
+This is to avoid issues where a stand-alone `/` on the command line may be mis-interpreted
+by the command line interpreter as a reference to the file system root.
+
+### 7.38.00
+
+Added variable `gcp_org_id` to `gam.cfg` that is used by the following commands;
+by setting the value, additional API calls are eliminated.
+```
+gam create project
+gam create gcpfolder
+gam create|update|delete caalevel
+gam print|show caalevels
+gam print|show tokens gcpdetails
+```
+You can get and set the `gam.cfg/gcp_org_id` value with these commands:
+```
+$ gam info gcporgid
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
+You can get and set the `gam.cfg/customer_id` value with these commands:
+```
+$ gam info customerid     
+C78abc9de
+$ gam config customer_id C78abc9de save
+```
+
+Added the following options to `gam report <ActivityApplicationName>`.
+```
+applicationinfofilter <String>
+networkinfofilter <String>
+statusfilter <String>
+includesensitivedata
+```
+
+### 7.37.00
+
+Added new client access scopes used by `gam print tokens`.
+```
+[*] 52)  Resource Manager API - Organizations readonly
+[*] 53)  Resource Manager API - Projects readonly
+```
+
+Added option `gcpdetails` to `gam print tokens` that uses these scopes to get additional project information.
+
+### 7.36.03
+
+Added command to send email replies that causes Gmail to recognize the message
+in conversation mode for the user sending the reply and the user receiving the reply;
+GAM supplies the necessary headers and options.
+```
+gam <UserTypeEntity> sendreply
+        (((query <QueryGmail> [querytime<String> <Date>]*) [or|and])+) | (ids <MessageIDEntity>)
+        [replyto <EmailAddress>]
+        [subject <String>] [<MessageContent>] [html [<Boolean>]]
+        (attach <FileName> [charset <CharSet>])*
+        (embedimage <FileName> <String>)*
+        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+
+gam user user@domain.com sendreply query "rfc822MsgId:<CAAMmEdqj43...1OsQ@mail.gmail.com>" textmessage "Thanks for the information"
+gam user user@domain.com sendreply ids 19cfc3506c02c22b textmessage "Thanks for the information"
+```
+
+* See: https://github.com/GAM-team/GAM/wiki/Send-Email#conversation-mode
+
+### 7.36.02
+
+Added option `threadid <String>` to `gam [<UserTypeEntity>] sendemail` that causes Gmail to recognize the message
+in conversation mode in for the user sending the message.
+
+* See: https://github.com/GAM-team/GAM/wiki/Send-Email#conversation-mode
+
+### 7.36.01
+
+Fixed bug in `gam info|print|show policies` where the `policyQuery/query` field was not displayed.
+
+Added option `noidmapping` to `gam info|print|show policies` to suppress adding the `policyQuery/groupEmail` and
+`policyQuery/orgUnitPath` name fields that are mapped from the `policyQuery/group` and `policyQuery/orgInit` id fields.
+
+### 7.36.00
+
+Added options `filtermultiattrtype` and filtermultiattrcustom` to `gam info user` and
+`gam print users` that support filtering `<UserMultiAttribute>` display based on `type` or `customType`.
+
+```
+<UserMultiAttributeFilterName> ::=
+        address|addresses|
+        externalid|externalids|
+        im|ims|
+        keyword|keywords|
+        location|locations|
+        orgainzation|organizations|
+        otheremail|otheremails|
+        phone|phones|
+        relation|relations|
+        website|websites
+```
+
+* `filtermultiattrtype <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `type` is `<String>`
+* `filtermultiattrcustom <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `customType` is `<String>`
+
+```
+gam info user user@domain.com quick filtermultiattrtype organizations work filtermultiattrcustom phones private
+```
+
+### 7.35.03
+
+Updated `gam <UserTypeEntity> print filelist|filecounts` to handle options `showsize` and `showsizeunits` as independent options.
+* `showsize` - Display a column `Size` with a byte count
+* `showsizeunits` - Display a column `SizeUnits` with a formatted size with units
+
+If you select both options, you can sort multiple rows using the `Size` column.
+
+### 7.35.02
+
+Added option `showsizeunits` to `gam gam <UserTypeEntity> print filelist|filecounts` as an alternative to option `showsize`.
+* `showsize` - 31549200951 - This is a byte count
+* `showsizeunits` - 31.55 GB - This is as shown in the Admin console
+
+### 7.35.01
+
+The following commands have been updated to not verify the existence of `gam.cfg` credentials files
+as the WARNING messages about the missing files can be confusing to new users setting up GAM.
+```
+gam checkconn
+gam oauth|oauth2
+gam version
+```
+
+### 7.35.00
+
+Windows `gam-7.wx.yz-x86_64.msi` has been replaced with `gam-7.wx.yz-x86_64.exe`.
+
+Windows `gam-7.wx.yz-arm64.msi` has been replaced with `gam-7.wx.yz-arm64.exe`.
+
+Updated cacerts.pem to avoid to following error in `gam checkconn`.
+```
+Checking raw.githubusercontent.com (185.199.110.133) (2)...                                         ERROR
+    Certificate verification failed. If you are behind a firewall / proxy server that does TLS / SSL inspection you may need to point GAM at your certificate authority file by setting cacerts_pem = /path/to/your/certauth.pem in gam.cfg.
+```
+
+If you have customized cacerts.pem, update your version with the `Operating CA: Let's Encrypt` values from the GAM default version.
+
+### 7.34.13
+
+Fixed bug in `gam info policies <CIPolicyNameEntity> ... formatjson` where extraneous line
+`Show Info 1 Policy` was displayed.
+
 ### 7.34.12

 Fixed build errors that prevented Windows zip files from being created.
--- a/wiki/How-to-Upgrade-GAMADV-XTD3-to-GAM7.md
+++ b/wiki/How-to-Upgrade-GAMADV-XTD3-to-GAM7.md
@@ -129,7 +129,7 @@ See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
 ### Update to latest version, use current path `C:\GAMADV-XTD3`.
 You don't have to update path or scripts.
 * Executable Installer, Manual, Windows 64 bit
-  - `gam-7.wx.yz-windows-x86_64.msi`
+  - `gam-7.wx.yz-windows-x86_64.exe`
  - Download the installer and run it. When prompted for the Destination Foler, enter `C:\GAMADV-XTD3`.
 * Executable Archive, Manual, Windows 64 bit
  - `gam-7.wx.yz-windows-x86_64.zip`
@@ -139,7 +139,7 @@ Your update is complete.

 ### Update to latest version, use new path `C:\GAM7`.
 * Executable Installer, Manual, Windows 64 bit
-  - `gam-7.wx.yz-windows-x86_64.msi`
+  - `gam-7.wx.yz-windows-x86_64.exe`
  - Download the installer and run it.
  - Start a Command Prompt/PowerShell session.
 * Executable Archive, Manual, Windows 64 bit
--- a/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
+++ b/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
@@ -251,11 +251,10 @@ writes the credentials into the file oauth2.txt.
 ```
 gamteam@server:/Users/gamteam$ rm -f /Users/gamteam/GAMConfig/oauth2.txt
 gamteam@server:/Users/gamteam$ gam version
-WARNING: Config File: /Users/gamteam/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/gamteam/GAMConfig/oauth2.txt, Not Found
-GAM 7.34.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.39.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
-macOS Tahoe 26.3 arm64
+macOS Tahoe 26.3.1 arm64
 Path: /Users/gamteam/bin/gam7
 Config File: /Users/gamteam/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

@@ -1035,8 +1034,7 @@ writes the credentials into the file oauth2.txt.
 ```
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
-WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.34.12 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.39.03 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
 Windows 11 10.0.26200 AMD64
--- a/wiki/Licenses.md
+++ b/wiki/Licenses.md
@@ -41,6 +41,7 @@

 | License Name | License SKU | Abbreviation  |
 |--------------|-------------|---------------|
+| AI Expanded Access | 1010470009 | aiexpandedaccess |
 | AI Meetings and Messaging | 1010470007 | aimeetingsandmessaging | 
 | AI Security | 1010470006 |  aisecurity |
 | AppSheet Core | 1010380001 | appsheetcore |
@@ -61,7 +62,7 @@
 | G Suite Lite | Google-Apps-Lite | gsuitelite |
 | Gemini Business | 1010470003 | geminibiz
 | Gemini Education Premium | 1010470005 | geminiedupremium |
-| Gemini Enterprise | 1010470001 | geminient | duetai |
+| Gemini Enterprise - Legacy | 1010470001 | geminient | duetai |
 | Google AI Pro for Education | 1010470004 | gaiproedu |
 | Google AI Ultra for Business | 1010470008 | geminiultra |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
@@ -152,6 +153,7 @@
        4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
        8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
        16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
+        aiexpandedaccess | 1010470009 | AI Expanded Access |
        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
        aisecurity | 1010470006 | AI Security |
        appsheetcore | 1010380001 | AppSheet Core |
@@ -170,7 +172,7 @@
        gaiproedu | geminiedu | 1010470004 | Google AI Pro for Education |
        geminibiz | 1010470003 | Gemini Business |
        geminiedupremium| 1010470005 | Gemini Education Premium |
-        geminient| duetai | 1010470001 | Gemini Enterprise |
+        geminient| duetai | 1010470001 | Gemini Enterprise - Legacy|
        geminiultra | 1010470008 | Google AI Ultra for Business |
        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
--- a/wiki/Reports.md
+++ b/wiki/Reports.md
@@ -99,6 +99,8 @@ gam report <ActivityApplicationName> [todrive <ToDriveAttribute>*]
        [event|events <EventNameList>] [ip <String>]
        [gmaileventtypes <NumberRangeList>]
        [groupidfilter <String>] [resourcedetailsfilter <String>]
+        [networkinfofilter <String>] [statusfilter <String>]
+        [applicationinfofilter <String>] [includesensitivedata]
        [notimesort]
        [maxactivities <Number>] [maxevents <Number>] [maxresults <Number>]
        [countsonly [bydate|summary] [eventrowfilter]]
@@ -154,6 +156,15 @@ Limit to those users that are a member of at least one of a list of groups.
 Limit based on resource details.
 * `resourcedetailsfilter <String>` - See: https://developers.google.com/workspace/admin/reports/reference/rest/v1/activities/list#query-parameters

+Limit based on 'regionCode`.
+* `networkinfofilter <String>` - Format: 'regionCode="IN"'
+
+Limit based on `statusCode`.
+* `statusfilter <String>` - Format: 'statusCode="200"'
+
+Limit based on `oAuthClientId`.
+* `applicationinfofilter <String>` - Format: 'oAuthClientId="clientId"'
+
 You can use `config csv_output_row_filter` to filter the events if the API filter can't produce the results you want.

 Limit to a list of specific events.
--- a/wiki/Reseller.md
+++ b/wiki/Reseller.md
@@ -44,6 +44,7 @@ Thanks to Duncan Isaksen-Loxton for a script to help manage multiple domains.
        4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
        8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
        16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
+        aiexpandedaccess | 1010470009 | AI Expanded Access |
        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
        aisecurity | 1010470006 | AI Security |
        appsheetcore | 1010380001 | AppSheet Core |
@@ -61,7 +62,7 @@ Thanks to Duncan Isaksen-Loxton for a script to help manage multiple domains.
        geminibiz | 1010470003 | Gemini Business |
        geminiedu | 1010470004 | Gemini Education |
        geminiedupremium| 1010470005 | Gemini Education Premium |
-        geminient| duetai | 1010470001 | Gemini Enterprise |
+        geminient| duetai | 1010470001 | Gemini Enterprise - Legacy |
        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
--- a/wiki/Resources.md
+++ b/wiki/Resources.md
@@ -377,6 +377,9 @@ features "CameraSet"
 features "'Laptop Cart'"
 features "CameraSet,'Laptop Cart'"
 ```
+
+For quoting rules, see: [List Quoting Rules](Command-Line-Parsing)
+
 ## Manage buildings
 When creating a building, at a minimum you must enter `address|addresslines` and `country|regioncode`.

--- a/wiki/Send-Email.md
+++ b/wiki/Send-Email.md
@@ -13,6 +13,7 @@
 - [Send an email to users](#send-an-email-to-users)
 - [Simple `replace <Tag> <String>` processing](Tag-Replace)
 - [Example](#example)
+- [Conversation mode](#conversation-mode)

 ## Note
 Thanks to @bousquf for the following enhancement. You want to send a message from an authorized group
@@ -214,14 +215,14 @@ Configure it at Admin Console > Apps > Google Workspace > Gmail > Routing > SMTP
 gam sendemail [recipient|to] <RecipientEntity>
        [from <EmailAddress>] [mailbox <EmailAddress>] [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
-        [subject <String>]
-        [<MessageContent>]
+        [subject <String>] [<MessageContent>]
        (replace <Tag> <String>)*
        (replaceregex <REMatchPattern> <RESubstitution> <Tag> <String>)*
        [html [<Boolean>]] (attach <FileName> [charset <Charset>])*
        (embedimage <FileName> <String>)*
        [newuser <EmailAddress> firstname|givenname <String> lastname|familyname <string> password <Password>]
        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+        [threadid <String>]
 ```
 By default, emails will be sent from the admin user named in oauth2.txt, override this with the `from <EmailAddress>` option.

@@ -272,14 +273,14 @@ You can specify additional recipients, e.g., help desk personnel.
 gam sendemail [recipient|to] <RecipientEntity> [from <EmailAddress>]
        [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
-        [subject <String>]
-        [<MessageContent>]
+        [subject <String>] [<MessageContent>]
        (replace <Tag> <String>)*
        (replaceregex <REMatchPattern> <RESubstitution> <Tag> <String>)*
        [html [<Boolean>]] (attach <FileName> [charset <Charset>])*
        (embedimage <FileName> <String>)*
        [newuser <EmailAddress> firstname|givenname <String> lastname|familyname <string> password <Password>]
        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+        [threadid <String>]
 ```

 By default, emails will be sent from the admin user named in oauth2.txt, override this with the `from <EmailAddress>` option.
@@ -353,14 +354,14 @@ gam csv Users.csv gam sendemail "~personal" subject "Your new #domain# account`
 gam <UserTypeEntity> sendemail recipient|to <RecipientEntity>
        [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
-        [subject <String>]
-        [<MessageContent>]
+        [subject <String>] [<MessageContent>]
        (replace <Tag> <String>)*
        (replaceregex <REMatchPattern> <RESubstitution> <Tag> <String>)*
        [html [<Boolean>]] (attach <FileName> [charset <Charset>])*
        (embedimage <FileName> <String>)*
        [newuser <EmailAddress> firstname|givenname <String> lastname|familyname <string> password <Password>]
        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+        [threadid <String>]
 ```
 Emails will be sent from the users in `<UserTypeEntity>` to the recipients in `<RecipientEntity>`.

@@ -395,14 +396,14 @@ Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg i
 gam <UserTypeEntity> sendemail from <EmailAddress>
        [replyto <EmailAddress>]
        [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
-        [subject <String>]
-        [<MessageContent>]
+        [subject <String>] [<MessageContent>]
        (replace <Tag> <String>)*
        (replaceregex <REMatchPattern> <RESubstitution> <Tag> <String>)*
        [html [<Boolean>]] (attach <FileName> [charset <Charset>])*
        (embedimage <FileName> <String>)*
        [newuser <EmailAddress> firstname|givenname <String> lastname|familyname <string> password <Password>]
        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+        [threadid <String>]
 ```
 Emails will be sent to the users in `<UserTypeEntity>`.

@@ -451,3 +452,42 @@ $ gam csv UserEmail.csv gam user "~User" sendemail to "~To" subject "~Subject" t
 User: user1@domain.com, Send Email to 1 Recipient
  Recipient: user2@domain.com, Message: Test, Email Sent: 17677cdfbe1146f4
 ```
+
+## Conversation mode
+
+To reply to an email and have Gmail recognize it in conversation mode for the original sender, you have to specify the
+`References` and `In-Reply-to` headers with the `RFC822 Message ID` from the original message
+and the `subject` from the original message.
+```
+gam user recipient@domain.com sendemail to sender@domain.com references "<CAAMabc...XYZQ@mail.gmail.com>" in-reply-to "<CAAMabc...XYZQ@mail.gmail.com>" subject "Re: Original subject" textmessage "Reply text"
+```
+
+If you want to have Gmail recognize the reply in conversation mode in the Sent folder of the original recipient,
+you must include `threadid <String>`; you can get the 'threadId` with:
+```
+gam user recipient@domain.com show threads query "rfc822MsgId:<CAAMabc...XYZQ@mail.gmail.com>"  
+Getting all Messages that match query ((rfc822MsgId:<CAAMabc...XYZQ@mail.gmail.com>)) for recipient@domain.com
+Got 1 Message that matched query ((rfc822MsgId:<CAAMabc...XYZQ@mail.gmail.com>)) for recipient@domain.com...
+User: recipient@domain.com, Show 1 Thread
+  Thread: 19cfd414fe48430d
+    Message: 19cfd414fe48430d
+...
+
+gam user recipient@domain.com sendemail to sender@domain.com references "<CAAMabc...XYZQ@mail.gmail.com>" in-reply-to "<CAAMabc...XYZQ@mail.gmail.com>" subject "Re: Original subject" textmessage "Reply text" threadid 19cfd414fe48430d
+```
+As of version 7.36.03, GAM has a command to simplify this process.
+```
+gam <UserTypeEntity> sendreply
+        (((query <QueryGmail> [querytime<String> <Date>]*) [or|and])+) | (ids <MessageIDEntity>)
+        [replyto <EmailAddress>]
+        [subject <String>] [<MessageContent>] [html [<Boolean>]]
+        (attach <FileName> [charset <CharSet>])*
+        (embedimage <FileName> <String>)*
+        (<SMTPDateHeader> <Time>)* (<SMTPHeader> <String>)* (header <String> <String>)*
+
+gam user recipient@domain.com sendreply query "rfc822MsgId:<CAAMabc...XYZQ@mail.gmail.com>" textmessage "Reply text"
+```
+
+
+
+
--- a/wiki/Shared-Drives.md
+++ b/wiki/Shared-Drives.md
@@ -14,6 +14,7 @@
  - [Change Shared Drive visibility](#change-shared-drive-visibility)
 - [Display Shared Drives](#display-shared-drives)
 - [Display Shared Drive Counts](#display-shared-drive-counts)
+- [Display Shared Drive Storage Info](#display-shared-drive-storage-info)
 - [Display List of Shared Drives in an Organizational Unit](#display-list-of-shared-drives-in-an-organizational-unit)
 - [Display Count of Shared Drives in an Organizational Unit](#display-count-of-shared-drives-in-an-organizational-unit)
 - [Display Shared Drive Organizers](#display-shared-drive-organizers)
@@ -563,6 +564,21 @@ Windows Command Prompt
 for /f "delims=" %a in ('gam print shareddrives showitemcountonly') do set count=%a
 ```

+## Display Shared Drive Storage Info
+
+Get a list of Shared Drives/organizers.
+```
+gam redirect csv ./SharedDriveOrganizers.csv print shareddriveorganizers includefileorganizers
+```
+Get SharedDrive Drive file count and storage info; use one of the following for size information:
+* `showsize` - 31549200951 - This is a byte count; include `Size` in `csv_output_header_filter`
+* `showsizeunits` - 31.55 GB - This is as shown in the Admin console; include `SizeUnits` in csv_output_header_filter
+```
+gam config csv_output_header_filter "id,name,Total,Size,SizeUnits,Item cap" csv_input_row_filter "organizers:regex:^.+$"
+  redirect csv ./SharedDriveStorageInfo.csv multiprocess redirect stderr - multiprocess
+  csv ./SharedDriveOrganizers.csv gam user "~organizers" print filecounts select shareddriveid "~id" showsize showsizeunits
+```
+
 ## Display all Shared Drives with a specific organizer
 Substitute actual email address for `organizer@domain.com`.
 ```
--- a/wiki/Users-Chat.md
+++ b/wiki/Users-Chat.md
@@ -37,9 +37,6 @@ gam user user@domain.com update serviceaccount
 [*] 11)  Chat API - User Sections (supports readonly)

 ```
-`Chat API - User Sections` is in Developer Preview; you must have a the following variables set in `gam.cfg` to use these commands.
-* `developer_preview_apis = chat`
-* `developer_preview_api_key = <String>`

 Added `use_chat_admin_access` Boolean variable to `gam.cfg`. 
 ```
@@ -214,16 +211,14 @@ gam <UserTypeEntity> create chatspace
        [members <UserTypeEntity>]
        [displayname <String>]
        [description <String>] [guidelines <String>]
-        [history <Boolean>]
        [<ChatContent>]
        [formatjson|returnidonly]
 ```
 For `type space`, the following apply:
-* `members <UserTypeEntity>` - Optional, can not specify more that 20 users
+* `members <UserTypeEntity>` - Optional, can not specify more than 20 users
 * `displayname <String>` - Required
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
-* `history <Boolean>` - Optional
 * `announcement|collaboration` - Initial permission settings; default is `collaboration`

 For `type groupchat`, the following apply:
@@ -231,23 +226,60 @@ For `type groupchat`, the following apply:
 * `displayname <String>` - Ignored
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
-* `history <Boolean>` - Optional

 For `type directmessage`, the following apply:
 * `members <UserTypeEntity>` - Required, must specify 1 user
 * `displayname <String>` - Ignored
 * `description <String>` - Ignored
 * `guidelines <String>` - Ignored
-* `history <Boolean>` - Optional

 By default, Gam displays the information about the created chatspace as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 * `returnidonly` - Display the chatspace name only

+Alternately, you can display the information about the created chatspace as columns of fields.
+* `csv [todrive <ToDriveAttribute>*]` - Write Chat Space information to a CSV file.
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 Use the `<ChatContent>` option to send an initial message to the created chatspace.

 By default, details about the chatmessage are displayed.
+* `formatjson` - Display the chat message name in JSON format.
 * `returnidonly` - Display the chatmessage name only
+* `csv` - The column `message.name` is added the CSV file output
+
+### Bulk build chat spaces
+You want to create Chat Spaces for use by users that don't currently have Chat enabled;
+all commands will be run by a super admin.
+
+Make a CSV file NewSpaces.csv with columns: displayName,manager,members
+```
+displayName,manager,members
+Chat 123,user1@domain.com,user1@domain.com user2@domain.com user3@domain.com
+Chat 456,user4@domain.com,user4@domain.com user5@domain.com user6@domain.com
+```
+The manager column specifies the member that will be updated to be a manager.
+
+Create the spaces
+```
+gam redirect csv ./NewSpaceDetails.csv multiprocess csv NewSpaces.csv gam user admin@domain.com create chatspace type space collaboration displayname "~displayName" members "~members" csv addcsvdata manager "~manager"
+```
+
+Update the specified member from ROLE_MEMBER to ROLE_MANAGER
+```
+gam redirect stdout ./UpdateMemberToManager.txt multiprocess redirect stderr stdout csv NewSpaceDetails.csv gam user admin@domain.com update chatmember "~name" role manager user "~manager"
+```
+
+Delete the super admin from the space
+```
+gam redirect stdout ./DeleteAdmin.txt multiprocess redirect stderr stdout csv NewSpaceDetails.csv gam user admin@domain.com delete chatmember "~name" user admin@domain.com
+```

 ### Update a user's chat space
 ```
--- a/wiki/Users-Drive-Copy-Move.md
+++ b/wiki/Users-Drive-Copy-Move.md
@@ -140,7 +140,6 @@ gam <UserTypeEntity> copy drivefile <DriveFileEntity>
        (mappermissionsdomain <DomainName> <DomainName>)*
        [sendemailifrequired [<Boolean>]]
        [verifyorganizer [<Boolean>]]
-        [enforceexpansiveaccess [<Boolean>]]
 ```
 The files/folders specified by `<DriveFileEntity>` are referred to as `source`, `target` refers to where those files are being copied.
 The files/folders specified by `<DriveFileEntity>` are referred to as `top`; when a folder is being copied recursively, the files/folders that it contains are referred as `sub`.
@@ -590,7 +589,6 @@ gam <UserTypeEntity> move drivefile <DriveFileEntity> [newfilename <DriveFileNam
        [retainsourcefolders [<Boolean>]]
        [sendemailifrequired [<Boolean>]]
        [verifyorganizer [<Boolean>]]
-        [enforceexpansiveaccess [<Boolean>]]
 ```
 The files/folders specified by `<DriveFileEntity>` are referred to as `source`, `target` refers to where those files are being moved.
 The files/folders specified by `<DriveFileEntity>` are referred to as `top`; when a folder is being moved, the files/folders that it contains are referred as `sub`.
--- a/wiki/Users-Drive-Files-Display.md
+++ b/wiki/Users-Drive-Files-Display.md
@@ -405,7 +405,7 @@ quotaBytesUsed - The number of storage quota bytes used by the file.
 size - Size in bytes of blobs and first party editor files.
 ```
 Previously, GAM used the `size` field when totaling file sizes, it now uses the `quotaBytesUsed` field.
-The option `sizefield quotabytesused|size` allows you to select which field to use.
+The option `sizefield quotabytesused|size` allows you to select which field to use; `quotabytesused` is the default.

 For most MIME types, the values are the same; for the following MIME types, `quotabytesused` is larger.
 ```
@@ -719,7 +719,7 @@ gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
        [filenamematchpattern <REMatchPattern>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showsizeunits] [showmimetypesize]
        [showlastmodification] [pathdelimiter <Character>]
        (addcsvdata <FieldName> <String>)*
        [summary none|only|plus] [summaryuser <String>]
@@ -735,7 +735,7 @@ gam <UserTypeEntity> show filecounts
        [filenamematchpattern <REMatchPattern>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showsizeunits] [showmimetypesize]
        [showlastmodification] [pathdelimiter <Character>]
        [summary none|only|plus] [summaryuser <String>]
 ```
@@ -748,7 +748,11 @@ saying that the query is invalid when, in fact, it is but the user does not have
 When `continueoninvalidquery` is true, GAM prints an error message and proceeds to the next user rather that terminating
 as it does now. Of course, if the query really is invalid, you will get the message for every user.

-The `showsize` option displays the total size (in bytes) of the files counted.
+The `showsize` option displays the total size (in bytes) of the files counted; e.g., `31549200951`.
+With `print filecounts`, this will be in a column labelled `Size`.
+
+The `showsizeunits` option displays the total size of the files counted with two decimal places and units; e.g., `31.55 GB`.
+With `print filecounts`, this will be in a column labelled `SizeUnits`.

 The `showmimetypesize` option displays the total size (in bytes) of each MIME type counted.

@@ -1100,7 +1104,7 @@ gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
        [excludetrashed]
        [maxfiles <Integer>] [nodataheaders <String>]
        [countsonly [summary none|only|plus] [summaryuser <String>]
-                    [showsource] [showsize] [showmimetypesize]]
+                    [showsource] [showsize] [showsizeunits] [showmimetypesize]]
        [countsrowfilter]
        [filepath|fullpath [folderpathonly [<Boolean>]] [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
        [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
@@ -1304,7 +1308,9 @@ The `summaryuser <String>` option  replaces the default summary user `Summary` w

 The `countsonly` suboption `showsource` adds additional columns `Source` and `Name` that identify the top level folder ID and Name from which the counts are derived.

-The `countsonly` suboption `showsize` adds an additional column `Size` that indicates the total size (in bytes) of the files represented on the row.
+The `countsonly` suboption `showsize` adds an additional column `Size` that indicates the total size (in bytes) of the files represented on the row; e.g., `31549200951`.
+
+The `countsonly` suboption `showsizeunits` adds an additional column `SizeUnits` that indicates the total size of the files represented on the row with two decimal places and units; e.g., `31.55 GB`.

 The `countsonly` suboption `showmimetypesize` adds additional columns `<MimeType>:Size` that indicate the total size (in bytes) of each MIME type.

--- a/wiki/Users-Drive-Ownership.md
+++ b/wiki/Users-Drive-Ownership.md
@@ -61,7 +61,6 @@ Use [Users - Drive - Transfer](Users-Drive-Transfer) for more complex ownership
 ```
 gam <UserTypeEntity> transfer ownership <DriveFileEntity> <UserItem>
        [<DriveFileParentAttribute>] [includetrashed] [norecursion [<Boolean>]]
-        [enforceexpansiveaccess [<Boolean>]]
        (orderby <DriveOrderByFieldName> [ascending|descending])*
        [preview] [filepath] [pathdelimiter <Character>] [buildtree] [todrive <ToDriveAttribute>*]
 ```
@@ -101,7 +100,6 @@ gam <UserTypeEntity> claim ownership <DriveFileEntity>
        [skipids <DriveFileEntity>] [onlyusers|skipusers <UserTypeEntity>] [subdomains <DomainNameEntity>]
        [restricted [<Boolean>]] [writerscanshare|writerscantshare [<Boolean>]]
        [keepuser | (retainrole reader|commenter|writer|editor|none)] [noretentionmessages]
-        [enforceexpansiveaccess [<Boolean>]]
        (orderby <DriveOrderByFieldName> [ascending|descending])*
        [preview] [filepath] [pathdelimiter <Character>] [buildtree] [todrive <ToDriveAttribute>*]
 ```
--- a/wiki/Users-Drive-Permissions.md
+++ b/wiki/Users-Drive-Permissions.md
@@ -220,7 +220,7 @@ By default, when an ACL is created, GAM outputs details of the ACL as indented k
 ```
 gam <UserTypeEntity> update drivefileacl <DriveFileEntity> <DriveFilePermissionIDorEmail>
        (role <DriveFileACLRole>) [expiration <Time>] [removeexpiration [<Boolean>]]
-        [updatesheetprotectedranges [<Boolean>]] [enforceexpansiveaccess [<Boolean>]]
+        [updatesheetprotectedranges [<Boolean>]]
        [showtitles] [nodetails|(csv [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]])]
 ```
 There is no change of parents when a new user is updated to be a file's owner.
@@ -236,10 +236,7 @@ The option `updatesheetprotectedranges` only applies to items in `<DriveFileEnti
    * ACLs with role reader or commenter will be removed from existing protected ranges
    * ACLs with role writer or higher will be added to existing protected ranges

-`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
-the ability to update inherited ACLs.
-* False - Inherited ACLs can be updated
-* True = Inherited ACLs can not be updated
+Inherited ACLs can not be updated.

 By default, the file ID is displayed in the output; to see the file name, use the `showtitles`
 option; this requires an additional API call per file.
@@ -251,7 +248,7 @@ By default, when an ACL is updated, GAM outputs details of the ACL as indented k
 ### Delete
 ```
 gam <UserTypeEntity> delete|del drivefileacl <DriveFileEntity> <DriveFilePermissionIDorEmail>
-        [updatesheetprotectedranges [<Boolean>]] [enforceexpansiveaccess [<Boolean>]]
+        [updatesheetprotectedranges [<Boolean>]]
        [showtitles]
 ```
 The option `updatesheetprotectedranges` only applies to items in `<DriveFileEntity>` that are Google Sheets.
@@ -261,10 +258,7 @@ The option `updatesheetprotectedranges` only applies to items in `<DriveFileEnti
  * Sheet Protected Ranges are updated to reflect the deleted ACL; additional API calls are required.
    * ACLs with any role will be removed from existing protected ranges

-`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
-the ability to delete inherited ACLs.
-* False - Inherited ACLs can be deleted
-* True = Inherited ACLs can not be deleted
+Inherited ACLs can not be deleted.

 By default, the file ID is displayed in the output; to see the file name, use the `showtitles`
 option; this requires an additional API call per file.
@@ -306,12 +300,8 @@ When adding permissions from JSON data, permissions with `deleted` true are neve
 ```
 gam <UserTypeEntity> delete permissions <DriveFileEntity> <DriveFilePermissionIDEntity>
        <PermissionMatch>* [<PermissionMatchAction>]
-        [enforceexpansiveaccess [<Boolean>]]
 ```
-`enforceexpansiveaccess` defaults to the value of `gam.cfg/enforce_expansive_access` that controls
-the ability to delete inherited ACLs.
-* False - Inherited ACLs can be deleted
-* True = Inherited ACLs can not be deleted
+Inherited ACLs can not be deleted.

 When deleting permissions from JSON data, permissions with role `owner` true are never processed.

--- a/wiki/Users-Drive-Transfer.md
+++ b/wiki/Users-Drive-Transfer.md
@@ -48,7 +48,6 @@ gam <UserTypeEntity> transfer drive <UserItem> [select <DriveFileEntity>]
        [noretentionmessages]
        [nonowner_retainrole reader|commenter|writer|editor|contentmanager|fileorganizer|current|none]
        [nonowner_targetrole reader|commenter|writer|editor|contentmanager|fileorganizer|current|none|source]
-        [enforceexpansiveaccess [<Boolean>]]
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [preview] [todrive <ToDriveAttribute>*]
 ```
--- a/wiki/Users-Tokens.md
+++ b/wiki/Users-Tokens.md
@@ -1,5 +1,6 @@
 # Users - Tokens
 - [API documentation](#api-documentation)
+- [Get Google Cloud organization ID for your workspace](#get-google-cloud-organization-id-for-your-workspace)
 - [Definitions](#definitions)
 - [Delete a user's token](#delete-a-users-token)
 - [Display individual user's tokens](#display-individual-users-tokens)
@@ -9,6 +10,15 @@
 ## API documentation
 * [Directory API - Tokens](https://developers.google.com/admin-sdk/directory/reference/rest/v1/tokens)

+## Get Google Cloud organization ID for your workspace
+This ID is used by `gam print|show token gcpdetails`; to eliminate additional API calls,
+you can get the value and store it in the `gam.cfg/gcp_org_id` variable.
+```
+$ gam info gcporgid
+organizations/906207637890
+$ gam config gcp_org_id organizations/906207637890 save
+```
+
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)

@@ -23,14 +33,18 @@ gam <UserTypeEntity> delete|del token|tokens clientid <ClientID>
 ```
 gam <UserTypeEntity> print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]
        [orderby clientid|id|appname|displaytext] [delimiter <Character>]
+        [gcpdetails]
 gam <UserTypeEntity> show tokens|token|3lo|oauth [clientid <ClientID>]
        [orderby clientid|id|appname|displaytext]
+        [gcpdetails]
 gam print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]
        [orderby clientid|id|appname|displaytext] [delimiter <Character>]
        [<UserTypeEntity>]
+        [gcpdetails]
 gam show tokens|token [clientid <ClientID>]
        [orderby clientid|id|appname|displaytext] [delimiter <Character>]
        [<UserTypeEntity>]
+        [gcpdetails]
 ```
 By default, all client tokens for a user are displayed, use `clientid <ClientID>` to display a specific client token.

@@ -38,6 +52,9 @@ For each user, select the order of token presentation:
 * `orderby clientid|id` - Display each user's tokens ordered by Client ID
 * `orderby appname|displaytext` - Display each user's tokens ordered by App Name

+Use `gcpdetails` to get project information about the client; you get the project number
+and whether it is an internal project. In order to accurately determine if a project is internal, your GAM admin user must have at least the `Browser` [IAM role for the entire GCP organization](https://docs.cloud.google.com/iam/docs/roles-permissions/browser) which allows them to lookup basic metadata about your organization projects. If your admin is not able to see all GCP projects in your organization results may not be accurate.
+
 For `print tokens`:
 * `delimiter <Character>` - Separate `scopes` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.

--- a/wiki/Users.md
+++ b/wiki/Users.md
@@ -329,6 +329,20 @@ You can remove all instances of a `<UserMultiAttribute>` with `<UserClearAttribu
        <UserMultiAttribute>|
        <UserClearAttribute>
 ```
+```
+<UserMultiAttributeFilterName> ::=
+        address|addresses|
+        externalid|externalids|
+        im|ims|
+        keyword|keywords|
+        location|locations|
+        orgainzation|organizations|
+        otheremail|otheremails|
+        phone|phones|
+        relation|relations|
+        website|websites
+```
+
 ## Admin Console User Info
 When defining a user in the admin console, there is a section labelled `Employee information` with the following items:
 * `Employee ID`
@@ -971,6 +985,8 @@ gam info user [<UserItem>]
        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
        [noschemas|allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [userview] <UserFieldName>* [fields <UserFieldNameList>]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [formatjson]
 ```
 ### Display information about multiple users
@@ -984,6 +1000,8 @@ gam info users <UserTypeEntity>
        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
        [noschemas|allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [userview] <UserFieldName>* [fields <UserFieldNameList>]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [formatjson]
 gam <UserTypeEntity> info users
        [quick]
@@ -994,6 +1012,8 @@ gam <UserTypeEntity> info users
        [(products|product <ProductIDList>)|(skus|sku <SKUIDList>)]
        [noschemas|allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [userview] <UserFieldName>* [fields <UserFieldNameList>]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [formatjson]
 ```
 For `info users`, unlike all other GAM commands, a `<UserTypeEntity>` value of `all users` is actually `all users_ns_susp` not `all users_ns`.
@@ -1031,6 +1051,11 @@ By default, Gam displays fields that only an adminstrator can view.
 By default, Gam displays all fields for a user.
 * `<UserFieldName>* [fields <UserFieldNameList>]` - Only display selected fields.

+By default, all instances of `<UserMultiAttribute>` are displayed, use these options to only display instances
+of a specified `type` or `customType`.
+* `filtermultiattrtype <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `type` is `<String>`
+* `filtermultiattrcustom <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `customType` is `<String>`
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

@@ -1062,6 +1087,8 @@ gam print users [todrive <ToDriveAttribute>*]
        [schemas|custom|customschemas all|<SchemaNameList>]
        [emailpart|emailparts|username]
        [userview] [allfields|basic|full|(<UserFieldName>*|fields <UserFieldNameList>)]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
        [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
        [issuspended <Boolean>] [isarchived <Boolean>] [aliasmatchpattern <REMatchPattern>]
@@ -1088,6 +1115,8 @@ gam print users [todrive <ToDriveAttribute>*] select <UserTypeEntity>
        [schemas|custom|customschemas all|<SchemaNameList>]
        [emailpart|emailparts|username]
        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
        [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
        [issuspended <Boolean>] [isarchived <Boolean>] [aliasmatchpattern <REMatchPattern>]
@@ -1102,6 +1131,8 @@ gam <UserTypeEntity> print users [todrive <ToDriveAttribute>*]
        [schemas|custom|customschemas all|<SchemaNameList>]
        [emailpart|emailparts|username]
        [userview] [basic|full|allfields|(<UserFieldName>*|fields <UserFieldNameList>)]
+        (filtermultiattrtype <UserMultiAttributeFilterName> <String>)*
+        (filtermultiattrcustom <UserMultiAttributeFilterName> <String>)*
        [delimiter <Character>] [sortheaders [<Boolean>]] [scalarsfirst [<Boolean>]]
        [formatjson [quotechar <Character>]] [quoteplusphonenumbers]
        [issuspended <Boolean>] [isarchived <Boolean>] [aliasmatchpattern <REMatchPattern>]
@@ -1137,6 +1168,11 @@ By default, Gam displays only the primary email address for each user.
 * `schemas|custom all` - Display custom schema information for all schemas.
 * `schemas|custom <SchemaNameList>` - Display all fields or selected fields of the specified custom schemas

+By default, all instances of `<UserMultiAttribute>` are displayed, use these options to only display instances
+of a specified `type` or `customType`.
+* `filtermultiattrtype <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `type` is `<String>`
+* `filtermultiattrcustom <UserMultiAttributeFilterName> <String>` - Display `<UserMultiAttributeFilterName>` if its `customType` is `<String>`
+
 By default, when aliases are displayed, all aliases are displayed. Use `aliasmatchpattern <REMatchPattern>`
 to limit the display of aliases to those that match `<REMatchPattern>`.

--- a/wiki/Verifying-a-GAM7-Build-is-Legitimate-and-Official.md
+++ b/wiki/Verifying-a-GAM7-Build-is-Legitimate-and-Official.md
@@ -11,7 +11,7 @@ It's important to confirm you are always running an official GAM7 release. The f
 # GitHub Attestation (Linux/MacOS/Windows)
 GitHub offers [artifict attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) which prove if a given GAM binary or archive was built by the [GAM-team/GAM](https://gitHub.com/GAM-team/GAM) project and links to the build job. This offers you certainty that the GAM executable you are running or the GAM package you downloaded were officially generated by the [GAM-team/GAM](https://gitHub.com/GAM-team/GAM) project.

-To verify a given GAM executable file or package (.zip, .msi or .tar.xz) is legitimate, use the following steps:
+To verify a given GAM executable file or package (.zip, .exe or .tar.xz) is legitimate, use the following steps:
 1. Install the [GitHub CLI command line tool](https://github.com/cli/cli#installation).
 2. Login to the tool with the command. You need a [free GitHub account](https://gitHub.com/join) for this.
 ```
@@ -27,7 +27,7 @@ gh attestation verify --repo GAM-team/GAM --format=json \

 4. If the GAM file or package is legit you'll see output like:
 ```
-Loaded digest sha256:a63dc5e71c0b3335865877fc7dc9248bbf7481d22995c18253a2ae71fcb9793a for file://gam-7.00.00-windows-x86_64.msi
+Loaded digest sha256:a63dc5e71c0b3335865877fc7dc9248bbf7481d22995c18253a2ae71fcb9793a for file://gam-7.00.00-windows-x86_64.exe
 Loaded 1 attestation from GitHub API
 ✓ Verification succeeded!

@@ -77,7 +77,7 @@ origin=Developer ID Application: Jay Lee (GZ85H2DRLM)
 If you do not see "accepted" and "Jay Lee" as the developer ID, there may be a problem. Please report any suspicious files or concerns to the [GAM Group](https://groups.google.com/g/google-apps-manager) or the [GAM Chat Space](https://git.io/gam-chat).

 # Windows Code Sign
-On Windows, Official gam.exe files and MSI installer packages are signed by a [Certum Open Source code signing certificate](https://shop.certum.eu/open-source-code-signing.html). You can validate the signature and thus be sure you are running official GAM7 from the command line and GUI:
+On Windows, Official gam.exe files and EXE installer packages are signed by a [Certum Open Source code signing certificate](https://shop.certum.eu/open-source-code-signing.html). You can validate the signature and thus be sure you are running official GAM7 from the command line and GUI:
 
 # Command Line
 From PowerShell, run the following command:
@@ -113,6 +113,6 @@ SignerCertificate : [Subject]
 confirm that status is "Valid" and the SignerCertificate says "Open Source Developer, James Lee" (yes, James is Jay's legal name, now you know).

 ## GUI
-From File Manager, you can right click on gam.exe or the MSI package and go to the Digital Signatures tab. From there you'll see the signing certificate which should show "Open Source Developer, James Lee".
+From File Manager, you can right click on gam.exe or the EXE installer package and go to the Digital Signatures tab. From there you'll see the signing certificate which should show "Open Source Developer, James Lee".

 ![image](https://github.com/user-attachments/assets/dceb8cb8-36e0-4ed7-8b03-09322b49b06a)
--- a/wiki/Version-and-Help.md
+++ b/wiki/Version-and-Help.md
@@ -1,12 +1,12 @@
-\# Version and Help
+# Version and Help

 Print the current version of Gam with details
 ```
 gam version
-GAM 7.34.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.39.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
-macOS Tahoe 26.3 arm64
+macOS Tahoe 26.3.1 arm64
 Path: /Users/gamteam/bin/gam7
 Config File: /Users/gamteam/GamConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2026-02-15T07:51:00-08:00
@@ -15,10 +15,10 @@ Time: 2026-02-15T07:51:00-08:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.34.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.39.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
-macOS Tahoe 26.3 arm64
+macOS Tahoe 26.3.1 arm64
 Path: /Users/gamteam/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
@@ -27,10 +27,10 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.34.12 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.39.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
-macOS Tahoe 26.3 arm64
+macOS Tahoe 26.3.1 arm64
 Path: /Users/gamteam/bin/gam7
 Config File: /Users/gamteam/GamConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2026-02-15T07:51:00-08:00
@@ -68,7 +68,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/gamteam/bin/gam7
 Version Check:
  Current: 5.35.08
-   Latest: 7.34.12
+   Latest: 7.39.03
 echo $?
 1
 ```
@@ -76,7 +76,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.34.12
+7.39.03
 ```
 In Linux/MacOS you can do:
 ```
@@ -86,10 +86,10 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.34.12 - https://github.com/GAM-team/GAM
+GAM 7.39.03 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
 Python 3.14.3 64-bit final
-macOS Tahoe 26.3 arm64
+macOS Tahoe 26.3.1 arm64
 Path: /Users/gamteam/bin/gam7
 Config File: /Users/gamteam/GamConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2026-02-15T07:51:00-08:00
--- a/wiki/gam.cfg.md
+++ b/wiki/gam.cfg.md
@@ -355,17 +355,6 @@ enable_dasa
        admin_email, customer_id and domain must be set when enable_dasa is True,
        customer_id may not be set to my_customer
        Signal file: OldGamPath/enabledasa.txt
-enforce_expansive_access
-        The default value for option `enforceexpansiveaccess` in all commands that delete or update
-        drive file ACLs/permissions.
-        gam <UserTypeEntity> delete permissions
-        gam <UserTypeEntity> delete drivefileacl
-        gam <UserTypeEntity> update drivefileacl
-        gam <UserTypeEntity> copy drivefile
-        gam <UserTypeEntity> move drivefile
-        gam <UserTypeEntity> transfer ownership
-        gam <UserTypeEntity> claim ownership
-        Default: True
 event_max_results
        When retrieving lists of Calendar events from API,
        how many should be retrieved in each API call
@@ -375,6 +364,21 @@ extra_args
        Path to extra_args.txt
        Default: Blank
        Data file: extra_args.txt
+gcp_org_id
+        The Google Cloud organization ID for your workspace.
+        Default: Blank
+        This value is used by the following commands;
+        by setting the value, additional API calls are eliminated.
+        gam create project
+        gam create gcpfolder
+        gam create|update|delete caalevel
+        gam print|show caalevels
+        gam print|show tokens gcpdetails
+
+        You can get and save the `gcp_org_id` value with these commands:
+        $ gam info gcporgid
+        organizations/906207637890
+        $ gam config gcp_org_id organizations/906207637890 save
 gmail_cse_incert_dir
        Directory for the S/MIME certificate files used by Gmail Client Side Encryption.
        Default: Blank
@@ -1008,7 +1012,6 @@ drive_max_results = 1000
 email_batch_size = 50
 enable_dasa = false
 enable_gcloud_reauth = false
-enforce_expansive_access = true
 event_max_results = 250
 extra_args = ''
 gmail_cse_incert_dir = ''