openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 9 additions & 2 deletions b/‎README.md‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎docs/auth-clients.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/auth-clients.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/commands.generated.md‎
Lines changed: 6 additions & 0 deletions b/‎docs/commands.generated.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/commands/README.md‎
Lines changed: 7 additions & 1 deletion b/‎docs/commands/README.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎docs/commands/gog-admin-orgunits-create.md‎
Lines changed: 44 additions & 0 deletions b/‎docs/commands/gog-admin-orgunits-create.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎docs/commands/gog-admin-orgunits-delete.md‎
Lines changed: 42 additions & 0 deletions b/‎docs/commands/gog-admin-orgunits-delete.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎docs/commands/gog-admin-orgunits-get.md‎
Lines changed: 42 additions & 0 deletions b/‎docs/commands/gog-admin-orgunits-get.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎docs/commands/gog-admin-orgunits-list.md‎
Lines changed: 44 additions & 0 deletions b/‎docs/commands/gog-admin-orgunits-list.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎docs/commands/gog-admin-orgunits-update.md‎
Lines changed: 45 additions & 0 deletions b/‎docs/commands/gog-admin-orgunits-update.md‎
Lines changed: 45 additions & 0 deletions
@@ -5,6 +5,7 @@
 ### Added
 
 - Admin: expand `admin users create` with GAM-style aliases, generated passwords, suspended/archived creation, recovery contact fields, and password hash metadata; add `admin users delete` for cleanup.
+- Admin: add `admin orgunits` commands to list, inspect, create, update, and delete Workspace organizational units.
 - Sites: add Drive-backed `sites` commands to list, search, inspect, and open New Google Sites. (#574) — thanks @thewilloftheshadow.
 - Analytics/Search Console: add GA4 `analytics accounts|report` plus Search Console site, search analytics, and sitemap commands. (#402) — thanks @haresh-seenivasagan.
 - Gmail: add `gmail send --body-html-file` for sending HTML email bodies from files without shell command substitution. (#575) — thanks @toruvieI.
@@ -19,6 +20,7 @@
 ### Fixed
 
 - Auth: make `auth service-account status` show `stored`, a clear missing-key message, and the exact setup hint when no service-account key is configured.
+- Admin: retry the post-create state update so `admin users create --suspended` and `--archived` remain reliable while the Admin SDK finishes provisioning the new user.
 - Calendar: make `calendar update --with-meet` idempotent when an event already has conference data, add explicit `--regenerate-meet`, and show `recurringEventId` in plain event output. (#576 / #573) — thanks @alexisperumal and @NodeJSmith.
 - Release: fail closed when macOS signing secrets are missing and verify Darwin release assets are not ad-hoc signed, so Homebrew upgrades keep stable Keychain trust. (#569) — thanks @aaroneden.
 - Auth: list one row per OAuth client when the same account is authorized under multiple clients, and let `auth list --client` filter that token bucket. (#563) — thanks @UnPractical91.
 
@@ -364,7 +364,14 @@ gog --account [email protected] admin users create [email protected] \
 
 Omit `--password` to generate a temporary password. See
 [docs/workspace-admin.md](docs/workspace-admin.md) for service-account setup,
-user cleanup, recovery fields, and group examples.
+user cleanup, recovery fields, organizational units, and group examples.
+
+Workspace organizational units are covered too:
+
+```bash
+gog --account [email protected] admin orgunits list --type all
+gog --account [email protected] admin orgunits create Engineering --parent /
+```
 
 Generated service scope table:
 
@@ -409,7 +416,7 @@ go run scripts/gen-auth-services-md.go
 - [docs/commands/README.md](docs/commands/README.md): generated command index
 - [docs/safety-profiles.md](docs/safety-profiles.md): command guards and baked safe binaries
 - [docs/auth-clients.md](docs/auth-clients.md): OAuth clients, account mapping, and service accounts
-- [docs/workspace-admin.md](docs/workspace-admin.md): Workspace user and group administration
+- [docs/workspace-admin.md](docs/workspace-admin.md): Workspace user, org unit, and group administration
 - [docs/sheets-tables.md](docs/sheets-tables.md): structured Sheets tables
 - [docs/backup.md](docs/backup.md): encrypted Google account backups
 - [CHANGELOG.md](CHANGELOG.md): release notes
 
@@ -67,7 +67,7 @@ Shows stored credential files plus any configured domain mappings.
 
 ## Workspace service accounts
 
-Workspace Admin, group, and Keep automation commonly run through a
+Workspace Admin, group, org-unit, and Keep automation commonly run through a
 service-account key with domain-wide delegation. Store the key for the
 Workspace admin identity you want to impersonate:
 
@@ -85,5 +85,5 @@ gog --account [email protected] admin users create [email protected] \
   --change-password
 ```
 
-See [Workspace Admin](workspace-admin.md) for user creation, cleanup, and group
-examples.
+See [Workspace Admin](workspace-admin.md) for user creation, organizational
+units, cleanup, and group examples.
@@ -10,6 +10,12 @@ Generated from `gog schema --json`.
         - [`gog admin groups members add (invite) <groupEmail> <memberEmail> [flags]`](commands/gog-admin-groups-members-add.md) - Add a member to a group
         - [`gog admin groups members list (ls) <groupEmail> [flags]`](commands/gog-admin-groups-members-list.md) - List group members
         - [`gog admin groups members remove (rm,del,delete) <groupEmail> <memberEmail>`](commands/gog-admin-groups-members-remove.md) - Remove a member from a group
+    - [`gog admin orgunits (org-units,ou) <command>`](commands/gog-admin-orgunits.md) - Manage Workspace organizational units
+      - [`gog admin orgunits (org-units,ou) create (add,new) <name> [flags]`](commands/gog-admin-orgunits-create.md) - Create an organizational unit
+      - [`gog admin orgunits (org-units,ou) delete (rm,del,remove) <path>`](commands/gog-admin-orgunits-delete.md) - Delete an organizational unit
+      - [`gog admin orgunits (org-units,ou) get (info,show) <path>`](commands/gog-admin-orgunits-get.md) - Get organizational unit details
+      - [`gog admin orgunits (org-units,ou) list (ls) [flags]`](commands/gog-admin-orgunits-list.md) - List organizational units
+      - [`gog admin orgunits (org-units,ou) update (edit,set) <path> [flags]`](commands/gog-admin-orgunits-update.md) - Update an organizational unit
     - [`gog admin users <command>`](commands/gog-admin-users.md) - Manage Workspace users
       - [`gog admin users create (add,new) <email> [flags]`](commands/gog-admin-users-create.md) - Create a new user
       - [`gog admin users delete (rm,del,remove) <userEmail>`](commands/gog-admin-users-delete.md) - Delete a user account
 
@@ -2,7 +2,7 @@
 
 Every `gog` command has a generated docs page. The source of truth is the live CLI schema; run `make docs-commands` after changing command names, flags, help text, aliases, or arguments.
 
-Generated pages: 517.
+Generated pages: 523.
 
 ## Top-level Commands
 
@@ -58,6 +58,12 @@ Generated pages: 517.
         - [gog admin groups members add](gog-admin-groups-members-add.md) - Add a member to a group
         - [gog admin groups members list](gog-admin-groups-members-list.md) - List group members
         - [gog admin groups members remove](gog-admin-groups-members-remove.md) - Remove a member from a group
+    - [gog admin orgunits](gog-admin-orgunits.md) - Manage Workspace organizational units
+      - [gog admin orgunits create](gog-admin-orgunits-create.md) - Create an organizational unit
+      - [gog admin orgunits delete](gog-admin-orgunits-delete.md) - Delete an organizational unit
+      - [gog admin orgunits get](gog-admin-orgunits-get.md) - Get organizational unit details
+      - [gog admin orgunits list](gog-admin-orgunits-list.md) - List organizational units
+      - [gog admin orgunits update](gog-admin-orgunits-update.md) - Update an organizational unit
     - [gog admin users](gog-admin-users.md) - Manage Workspace users
       - [gog admin users create](gog-admin-users-create.md) - Create a new user
       - [gog admin users delete](gog-admin-users-delete.md) - Delete a user account
 
@@ -0,0 +1,44 @@
+# `gog admin orgunits create`
+
+> Generated from `gog schema --json`. Do not edit this page by hand; run `make docs-commands`.
+
+Create an organizational unit
+
+## Usage
+
+```bash
+gog admin orgunits (org-units,ou) create (add,new) <name> [flags]
+```
+
+## Parent
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+
+## Flags
+
+| Flag | Type | Default | Help |
+| --- | --- | --- | --- |
+| `--access-token` | `string` |  | Use provided access token directly (bypasses stored refresh tokens; token expires in ~1h) |
+| `-a`<br>`--account`<br>`--acct` | `string` |  | Account email for API commands (gmail/calendar/chat/classroom/drive/docs/slides/contacts/tasks/people/sheets/forms/sites/appscript/analytics/searchconsole/ads) |
+| `--client` | `string` |  | OAuth client name (selects stored credentials + token bucket) |
+| `--color` | `string` | auto | Color output: auto\|always\|never |
+| `--description` | `string` |  | Description |
+| `--disable-commands` | `string` |  | Comma-separated list of disabled commands; dot paths allowed |
+| `-n`<br>`--dry-run`<br>`--dryrun`<br>`--noop`<br>`--preview` | `bool` |  | Do not make changes; print intended actions and exit successfully |
+| `--enable-commands` | `string` |  | Comma-separated list of enabled commands; dot paths allowed (restricts CLI) |
+| `-y`<br>`--force`<br>`--assume-yes`<br>`--yes` | `bool` |  | Skip confirmations for destructive commands |
+| `--gmail-no-send` | `bool` | false | Block Gmail send operations (agent safety) |
+| `-h`<br>`--help` | `kong.helpFlag` |  | Show context-sensitive help. |
+| `-j`<br>`--json`<br>`--machine` | `bool` | false | Output JSON to stdout (best for scripting) |
+| `--no-input`<br>`--non-interactive`<br>`--noninteractive` | `bool` |  | Never prompt; fail instead (useful for CI) |
+| `--parent` | `string` | / | Parent org unit path |
+| `-p`<br>`--plain`<br>`--tsv` | `bool` | false | Output stable, parseable text to stdout (TSV; no colors) |
+| `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
+| `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
+| `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
+| `--version` | `kong.VersionFlag` |  | Print version and exit |
+
+## See Also
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+- [Command index](README.md)
@@ -0,0 +1,42 @@
+# `gog admin orgunits delete`
+
+> Generated from `gog schema --json`. Do not edit this page by hand; run `make docs-commands`.
+
+Delete an organizational unit
+
+## Usage
+
+```bash
+gog admin orgunits (org-units,ou) delete (rm,del,remove) <path>
+```
+
+## Parent
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+
+## Flags
+
+| Flag | Type | Default | Help |
+| --- | --- | --- | --- |
+| `--access-token` | `string` |  | Use provided access token directly (bypasses stored refresh tokens; token expires in ~1h) |
+| `-a`<br>`--account`<br>`--acct` | `string` |  | Account email for API commands (gmail/calendar/chat/classroom/drive/docs/slides/contacts/tasks/people/sheets/forms/sites/appscript/analytics/searchconsole/ads) |
+| `--client` | `string` |  | OAuth client name (selects stored credentials + token bucket) |
+| `--color` | `string` | auto | Color output: auto\|always\|never |
+| `--disable-commands` | `string` |  | Comma-separated list of disabled commands; dot paths allowed |
+| `-n`<br>`--dry-run`<br>`--dryrun`<br>`--noop`<br>`--preview` | `bool` |  | Do not make changes; print intended actions and exit successfully |
+| `--enable-commands` | `string` |  | Comma-separated list of enabled commands; dot paths allowed (restricts CLI) |
+| `-y`<br>`--force`<br>`--assume-yes`<br>`--yes` | `bool` |  | Skip confirmations for destructive commands |
+| `--gmail-no-send` | `bool` | false | Block Gmail send operations (agent safety) |
+| `-h`<br>`--help` | `kong.helpFlag` |  | Show context-sensitive help. |
+| `-j`<br>`--json`<br>`--machine` | `bool` | false | Output JSON to stdout (best for scripting) |
+| `--no-input`<br>`--non-interactive`<br>`--noninteractive` | `bool` |  | Never prompt; fail instead (useful for CI) |
+| `-p`<br>`--plain`<br>`--tsv` | `bool` | false | Output stable, parseable text to stdout (TSV; no colors) |
+| `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
+| `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
+| `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
+| `--version` | `kong.VersionFlag` |  | Print version and exit |
+
+## See Also
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+- [Command index](README.md)
@@ -0,0 +1,42 @@
+# `gog admin orgunits get`
+
+> Generated from `gog schema --json`. Do not edit this page by hand; run `make docs-commands`.
+
+Get organizational unit details
+
+## Usage
+
+```bash
+gog admin orgunits (org-units,ou) get (info,show) <path>
+```
+
+## Parent
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+
+## Flags
+
+| Flag | Type | Default | Help |
+| --- | --- | --- | --- |
+| `--access-token` | `string` |  | Use provided access token directly (bypasses stored refresh tokens; token expires in ~1h) |
+| `-a`<br>`--account`<br>`--acct` | `string` |  | Account email for API commands (gmail/calendar/chat/classroom/drive/docs/slides/contacts/tasks/people/sheets/forms/sites/appscript/analytics/searchconsole/ads) |
+| `--client` | `string` |  | OAuth client name (selects stored credentials + token bucket) |
+| `--color` | `string` | auto | Color output: auto\|always\|never |
+| `--disable-commands` | `string` |  | Comma-separated list of disabled commands; dot paths allowed |
+| `-n`<br>`--dry-run`<br>`--dryrun`<br>`--noop`<br>`--preview` | `bool` |  | Do not make changes; print intended actions and exit successfully |
+| `--enable-commands` | `string` |  | Comma-separated list of enabled commands; dot paths allowed (restricts CLI) |
+| `-y`<br>`--force`<br>`--assume-yes`<br>`--yes` | `bool` |  | Skip confirmations for destructive commands |
+| `--gmail-no-send` | `bool` | false | Block Gmail send operations (agent safety) |
+| `-h`<br>`--help` | `kong.helpFlag` |  | Show context-sensitive help. |
+| `-j`<br>`--json`<br>`--machine` | `bool` | false | Output JSON to stdout (best for scripting) |
+| `--no-input`<br>`--non-interactive`<br>`--noninteractive` | `bool` |  | Never prompt; fail instead (useful for CI) |
+| `-p`<br>`--plain`<br>`--tsv` | `bool` | false | Output stable, parseable text to stdout (TSV; no colors) |
+| `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
+| `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
+| `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
+| `--version` | `kong.VersionFlag` |  | Print version and exit |
+
+## See Also
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+- [Command index](README.md)
@@ -0,0 +1,44 @@
+# `gog admin orgunits list`
+
+> Generated from `gog schema --json`. Do not edit this page by hand; run `make docs-commands`.
+
+List organizational units
+
+## Usage
+
+```bash
+gog admin orgunits (org-units,ou) list (ls) [flags]
+```
+
+## Parent
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+
+## Flags
+
+| Flag | Type | Default | Help |
+| --- | --- | --- | --- |
+| `--access-token` | `string` |  | Use provided access token directly (bypasses stored refresh tokens; token expires in ~1h) |
+| `-a`<br>`--account`<br>`--acct` | `string` |  | Account email for API commands (gmail/calendar/chat/classroom/drive/docs/slides/contacts/tasks/people/sheets/forms/sites/appscript/analytics/searchconsole/ads) |
+| `--client` | `string` |  | OAuth client name (selects stored credentials + token bucket) |
+| `--color` | `string` | auto | Color output: auto\|always\|never |
+| `--disable-commands` | `string` |  | Comma-separated list of disabled commands; dot paths allowed |
+| `-n`<br>`--dry-run`<br>`--dryrun`<br>`--noop`<br>`--preview` | `bool` |  | Do not make changes; print intended actions and exit successfully |
+| `--enable-commands` | `string` |  | Comma-separated list of enabled commands; dot paths allowed (restricts CLI) |
+| `-y`<br>`--force`<br>`--assume-yes`<br>`--yes` | `bool` |  | Skip confirmations for destructive commands |
+| `--gmail-no-send` | `bool` | false | Block Gmail send operations (agent safety) |
+| `-h`<br>`--help` | `kong.helpFlag` |  | Show context-sensitive help. |
+| `-j`<br>`--json`<br>`--machine` | `bool` | false | Output JSON to stdout (best for scripting) |
+| `--no-input`<br>`--non-interactive`<br>`--noninteractive` | `bool` |  | Never prompt; fail instead (useful for CI) |
+| `--parent` | `string` | / | Parent org unit path or ID |
+| `-p`<br>`--plain`<br>`--tsv` | `bool` | false | Output stable, parseable text to stdout (TSV; no colors) |
+| `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
+| `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
+| `--type` | `string` | children | Return all descendants, children, or all including parent |
+| `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
+| `--version` | `kong.VersionFlag` |  | Print version and exit |
+
+## See Also
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+- [Command index](README.md)
@@ -0,0 +1,45 @@
+# `gog admin orgunits update`
+
+> Generated from `gog schema --json`. Do not edit this page by hand; run `make docs-commands`.
+
+Update an organizational unit
+
+## Usage
+
+```bash
+gog admin orgunits (org-units,ou) update (edit,set) <path> [flags]
+```
+
+## Parent
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+
+## Flags
+
+| Flag | Type | Default | Help |
+| --- | --- | --- | --- |
+| `--access-token` | `string` |  | Use provided access token directly (bypasses stored refresh tokens; token expires in ~1h) |
+| `-a`<br>`--account`<br>`--acct` | `string` |  | Account email for API commands (gmail/calendar/chat/classroom/drive/docs/slides/contacts/tasks/people/sheets/forms/sites/appscript/analytics/searchconsole/ads) |
+| `--client` | `string` |  | OAuth client name (selects stored credentials + token bucket) |
+| `--color` | `string` | auto | Color output: auto\|always\|never |
+| `--description` | `*string` |  | Description |
+| `--disable-commands` | `string` |  | Comma-separated list of disabled commands; dot paths allowed |
+| `-n`<br>`--dry-run`<br>`--dryrun`<br>`--noop`<br>`--preview` | `bool` |  | Do not make changes; print intended actions and exit successfully |
+| `--enable-commands` | `string` |  | Comma-separated list of enabled commands; dot paths allowed (restricts CLI) |
+| `-y`<br>`--force`<br>`--assume-yes`<br>`--yes` | `bool` |  | Skip confirmations for destructive commands |
+| `--gmail-no-send` | `bool` | false | Block Gmail send operations (agent safety) |
+| `-h`<br>`--help` | `kong.helpFlag` |  | Show context-sensitive help. |
+| `-j`<br>`--json`<br>`--machine` | `bool` | false | Output JSON to stdout (best for scripting) |
+| `--name` | `*string` |  | New org unit name |
+| `--no-input`<br>`--non-interactive`<br>`--noninteractive` | `bool` |  | Never prompt; fail instead (useful for CI) |
+| `--parent` | `*string` |  | New parent org unit path |
+| `-p`<br>`--plain`<br>`--tsv` | `bool` | false | Output stable, parseable text to stdout (TSV; no colors) |
+| `--results-only` | `bool` |  | In JSON mode, emit only the primary result (drops envelope fields like nextPageToken) |
+| `--select`<br>`--pick`<br>`--project` | `string` |  | In JSON mode, select comma-separated fields (best-effort; supports dot paths). Desire path: use --fields for most commands. |
+| `-v`<br>`--verbose` | `bool` |  | Enable verbose logging |
+| `--version` | `kong.VersionFlag` |  | Print version and exit |
+
+## See Also
+
+- [gog admin orgunits](gog-admin-orgunits.md)
+- [Command index](README.md)