* feat: add Application Default Credentials (ADC) auth mode
When GOG_AUTH_MODE=adc, the CLI authenticates using ambient credentials
(GKE Workload Identity, GOOGLE_APPLICATION_CREDENTIALS, or gcloud ADC)
instead of the keyring-based OAuth flow. This enables use in environments
like GKE pods where the service account accesses resources explicitly
shared with it — no domain-wide delegation or user impersonation needed.
The account email is no longer required in ADC mode; requireAccount()
returns "adc" as a placeholder when no --account/GOG_ACCOUNT is set.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(auth): add ADC mode (#357) (thanks @tengis617)
* fix(auth): satisfy ADC lint on landed branch (#357)
* test(auth): fix ADC test whitespace lint (#357)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
Implements Google Admin SDK Directory API support for Workspace user and
group management with domain-wide delegation.
New commands:
- gog admin users list --domain example.com
- gog admin users get user@example.com
- gog admin users create user@example.com --given John --family Doe
- gog admin users suspend user@example.com
- gog admin groups list --domain example.com
- gog admin groups members list group@example.com
- gog admin groups members add group@example.com user@example.com --role MEMBER
- gog admin groups members remove group@example.com user@example.com
Closes #340
Note: This is a focused implementation of core user/group management.
For full GAM feature parity (PR #179), additional work would be needed
for: alerts, licenses, org units, printers, reports, vault, SSO, etc.
Skip setting cfg.Subject when the subject matches the service account's
own client_email. This lets a service account access only resources
explicitly shared with it, without requiring Domain-Wide Delegation.
Closes steipete/gogcli#346
✍️ Author: Claude Code with @carrotRakko (AI-written, human-approved)
Why
- gogcli refreshed access tokens from a stored refresh token but never wrote back
a rotated refresh token returned by Google.
- In multi-process CLI usage this can leave keyring state stale across invocations
and eventually cause invalid_grant when the old token is retired.
What
- add persistingTokenSource wrapper in internal/googleapi/client.go
- wrap oauth2.Config TokenSource in tokenSourceForAccountScopes
- persist rotated refresh token back into secrets store when it changes
- keep persistence failures non-fatal (warn, return token)
- add unit tests for rotate/no-rotate/persist-failure paths
Tests
- go test ./internal/googleapi
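Added example, not gogcli's own code: a sketch of the write-back wrapper the commit above describes, covering the rotate, no-rotate and persist-failure paths. Token and TokenSource are local stand-ins shaped like the golang.org/x/oauth2 types; the field names, the persist callback and all token values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"log"
	"sync"
)

// Token and TokenSource are stand-ins shaped like the golang.org/x/oauth2 types.
type Token struct{ AccessToken, RefreshToken string }
type TokenSource interface{ Token() (*Token, error) }

// persistingTokenSource: field names and the persist callback are assumptions.
type persistingTokenSource struct {
	mu      sync.Mutex
	base    TokenSource
	last    string             // refresh token currently held in the store
	persist func(string) error // hypothetical secrets-store writer
}

func (p *persistingTokenSource) Token() (*Token, error) {
	tok, err := p.base.Token()
	if err != nil {
		return nil, err
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	if tok.RefreshToken == "" || tok.RefreshToken == p.last {
		return tok, nil // no rotation, nothing to write
	}
	if err := p.persist(tok.RefreshToken); err != nil {
		log.Printf("warning: rotated refresh token not persisted: %v", err)
		return tok, nil // non-fatal: the access token is still usable
	}
	p.last = tok.RefreshToken
	return tok, nil
}

// staticSource is a constructed fake that returns a fixed token.
type staticSource struct{ tok Token }
func (s staticSource) Token() (*Token, error) { t := s.tok; return &t, nil }

func main() {
	stored := "rt-old" // constructed stand-in for the keyring entry
	base := staticSource{Token{"at-1", "rt-new"}}
	src := &persistingTokenSource{base: base, last: stored,
		persist: func(r string) error { stored = r; return nil }}
	tok, _ := src.Token()
	fmt.Println(tok.AccessToken, stored)
}
```

The mutex only serialises callers inside one process; separate CLI invocations still meet through whatever the store itself guarantees.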
When a Keep-specific service account file (keep-sa-*.json) exists,
tokenSourceForServiceAccountScopes falls back to it for all API calls,
not just Keep. This causes 401 errors on Calendar, Gmail, Drive, and
other services that should use OAuth.
Only use keep-sa and legacy Keep SA files when serviceLabel is "keep",
allowing other services to fall through to OAuth authentication.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat(drive): include shortcutDetails in drive get fields
Add shortcutDetails to the Drive Get API fields to enable resolving
shortcut target file IDs and MIME types.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(googleapi): replace Client.Timeout with transport-level ResponseHeaderTimeout
The global http.Client.Timeout (30s) applied to the entire request
lifecycle, causing large Drive file downloads (videos, backups, etc.)
to time out. Replace it with http.Transport.ResponseHeaderTimeout
which only limits the time waiting for the server to begin responding.
Once response headers arrive and the body starts streaming, there is
no hard cap — large transfers complete naturally.
- Set ResponseHeaderTimeout=30s on the base transport
- Remove http.Client.Timeout from the API client
- Keep a dedicated tokenExchangeTimeout=30s for OAuth2 token refreshes
- Add tests verifying the new transport configuration
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add docs update command for editing Google Docs
* fix: handle document content range correctly for replace
* docs: add Jarbas avatar
* feat(gogcli): add markdown formatting support for Google Docs
Phase 1 & 2 complete:
- Markdown parser supporting headings, lists, code blocks, blockquotes, links
- Google Docs API integration for formatting
- --format markdown flag for docs update command
- Heading styles (H1-H6), horizontal rules, list indentation
- Code blocks with monospace font
Pending (Phase 3):
- Inline formatting (bold, italic, inline code) - index calculation issues
- Links - index calculation issues
Usage:
gog docs update <docId> --content-file ./doc.md --format markdown
* fix(gogcli): fix inline formatting indices in markdown formatter
- Simplified document generation to avoid index calculation errors
- Fixed ParseInlineFormatting to correctly track positions
- Preserves: headings, code blocks, blockquotes, lists, horizontal rules
Pending: inline formatting (bold, italic, code, links) - indices still need work
* fix(gogcli): use UTF-16 code units for Google Docs API indexing
- Fixed markdown formatter to use UTF-16 code units instead of UTF-8 bytes
- Added utf16Len() helper function for accurate character counting
- Fixed inline formatting indices (bold, italic, code, links)
- Added empty line handling (MDEmptyLine)
- Successfully tested with Docker course doc (21KB, emojis, diagrams)
This resolves index mismatch errors caused by multi-byte characters like emojis
which are 4 bytes in UTF-8 but 2 code units in UTF-16.
* feat(gogcli): add slides commands with markdown support
- Add 'gog slides update' command with markdown formatting
- Create slides_formatter.go for Google Slides API batch updates
- Create slides_markdown.go for markdown parsing (titles, bullets, code)
- Add slides.go with update/create/read operations
- Update googleauth service for Slides scope
Related: PR #219
* fix(gogcli): use shapes for slides text boxes instead of direct insertion
- Fixed slides creation to use CreateShape with TEXT_BOX instead of inserting text directly
- Direct text insertion into slides is not supported by Google Slides API
- Added title text box with bold 36pt font
- Added body text box for content (bullets, paragraphs, code)
- Supports markdown formatting (bold, bullets, code blocks)
Tested: Successfully created 20-slide presentation from Docker course outline
* feat: add markdown table support (formatted text output)
* feat: implement native Google Docs table insertion with multi-step API
* feat(slides): add --template flag for creating presentations from templates
* fix: stabilize docs/slides markdown + auth flow (#219) (thanks @goncaloalves)
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
- Add `gog groups list` to list groups user belongs to
- Add `gog groups members <email>` to list group members
- Add `gog calendar team <group-email>` for team calendar queries
- Support --freebusy flag for faster availability checks
- Parallel fetching with event deduplication
- Cloud Identity API client for non-admin group access
- Update README with new commands and examples
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add support for Google Keep API with domain-wide delegation for
Google Workspace accounts.
New commands:
- `gog keep list` - list all notes
- `gog keep get <noteId>` - get a specific note
- `gog auth keep <email> --key <path>` - configure service account
The Keep API requires Workspace with domain-wide delegation because
Google restricts the Keep scope to enterprise use. Once configured,
the service account is auto-detected for the specified email.
Features:
- Service account authentication with impersonation
- Auto-detection of stored service account credentials
- JSON output support for scripting
- Manual override with --service-account and --impersonate flags