From 1402cbd3aab992a3f51bf030ba120b2700b735c2 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Thu, 14 May 2026 16:29:42 +0200
Subject: [PATCH 1/8] Remove dependency on AEM's KeyStoreService

Introduce AEM agnostic service interface for which an impl is only
registered when running inside AEM.
Allows starting SCR component AuthorizableInstallerServiceImpl even
outside AEM.

This closes #878
---
 .../actool/aem/AemUserKeyStoreService.java    | 57 +++++++++++++++++++
 .../AuthorizableInstallerServiceImpl.java     |  4 +-
 .../actool/crypto/UserKeyStoreService.java    | 36 ++++++++++++
 3 files changed, 95 insertions(+), 2 deletions(-)
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aem/AemUserKeyStoreService.java
 create mode 100644 accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/crypto/UserKeyStoreService.java

diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aem/AemUserKeyStoreService.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aem/AemUserKeyStoreService.java
new file mode 100644
index 00000000..6db774e6
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/aem/AemUserKeyStoreService.java
@@ -0,0 +1,57 @@
+package biz.netcentric.cq.tools.actool.aem;
+
+/*-
+ * #%L
+ * Access Control Tool Bundle
+ * %%
+ * Copyright (C) 2015 - 2026 Cognizant Netcentric
+ * %%
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ * 
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+
+import org.apache.sling.api.resource.ResourceResolver;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+import org.osgi.service.component.annotations.ReferencePolicyOption;
+
+import com.adobe.granite.keystore.KeyStoreService;
+
+import biz.netcentric.cq.tools.actool.crypto.UserKeyStoreService;
+
+@Component
+public class AemUserKeyStoreService implements UserKeyStoreService {
+
+    @Reference(policyOption = ReferencePolicyOption.GREEDY)
+    private KeyStoreService delegate;
+
+    @Override
+    public boolean keyStoreExists(ResourceResolver resourceResolver, String userId) {
+        return delegate.keyStoreExists(resourceResolver, userId);
+    }
+
+    @Override
+    public void addKeyStoreKeyEntry(ResourceResolver resourceResolver, String userId, String key, PrivateKey privateKey,
+            Certificate[] certificates) {
+        delegate.addKeyStoreKeyEntry(resourceResolver, userId, key, privateKey, certificates);
+    }
+
+    @Override
+    public void addKeyStoreKeyPair(ResourceResolver resourceResolver, String userId, KeyPair keyPair, String key) {
+        delegate.addKeyStoreKeyPair(resourceResolver, userId, keyPair, key);
+    }
+
+    @Override
+    public void createKeyStore(ResourceResolver resourceResolver, String userId, char[] keyStorePasswordCharArray) {
+        delegate.createKeyStore(resourceResolver, userId, keyStorePasswordCharArray);
+    }
+
+}
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
index 8a891ad7..775c5131 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
@@ -62,7 +62,6 @@
 import org.slf4j.LoggerFactory;
 
 import com.adobe.granite.keystore.KeyStoreNotInitialisedException;
-import com.adobe.granite.keystore.KeyStoreService;
 
 import biz.netcentric.cq.tools.actool.api.InstallationOptions;
 import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableCreatorException;
@@ -73,6 +72,7 @@
 import biz.netcentric.cq.tools.actool.configmodel.pkcs.Key;
 import biz.netcentric.cq.tools.actool.configmodel.pkcs.RandomPassword;
 import biz.netcentric.cq.tools.actool.crypto.DecryptionService;
+import biz.netcentric.cq.tools.actool.crypto.UserKeyStoreService;
 import biz.netcentric.cq.tools.actool.externalusermanagement.ExternalGroupManagement;
 import biz.netcentric.cq.tools.actool.helper.AcHelper;
 import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
@@ -105,7 +105,7 @@ public class AuthorizableInstallerServiceImpl implements
     DecryptionService decryptionService;
     
     @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy=ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
-    volatile KeyStoreService keyStoreService;
+    volatile UserKeyStoreService keyStoreService;
     
     @Reference(policyOption = ReferencePolicyOption.GREEDY)
     ResourceResolverFactory resourceResolverFactory;
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/crypto/UserKeyStoreService.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/crypto/UserKeyStoreService.java
new file mode 100644
index 00000000..e7c862d9
--- /dev/null
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/crypto/UserKeyStoreService.java
@@ -0,0 +1,36 @@
+package biz.netcentric.cq.tools.actool.crypto;
+
+/*-
+ * #%L
+ * Access Control Tool Bundle
+ * %%
+ * Copyright (C) 2015 - 2026 Cognizant Netcentric
+ * %%
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ * 
+ * SPDX-License-Identifier: EPL-2.0
+ * #L%
+ */
+
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+
+import org.apache.sling.api.resource.ResourceResolver;
+
+/** Interface for managing user's key stores. 
+ * This allows to decouple from a concrete (AEM-specific) interface like {@link com.adobe.granite.keystore.KeyStoreService} */
+public interface UserKeyStoreService {
+
+    boolean keyStoreExists(ResourceResolver resourceResolver, String userId);
+
+    void addKeyStoreKeyEntry(ResourceResolver resourceResolver, String userId, String key, PrivateKey privateKey,
+            Certificate[] certificates);
+
+    void addKeyStoreKeyPair(ResourceResolver resourceResolver, String userId, KeyPair keyPair, String key);
+
+    void createKeyStore(ResourceResolver resourceResolver, String userId, char[] keyStorePasswordCharArray);
+
+}

From 42d2c7d5f0fb8e1a4c7c72bf35a9a18084549fa5 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Thu, 14 May 2026 21:04:26 +0200
Subject: [PATCH 2/8] Cleanup exception handling

---
 README.md                                                | 2 +-
 .../impl/AuthorizableInstallerServiceImpl.java           | 9 +++------
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 3dcee932..8f39e7ad 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ See also our talk at [adaptTo() 2016](https://adapt.to/2016/en/schedule/ac-tool.
 
 The AC Tool requires **Java 11 and AEM 6.5.18** or above (use v3.x for older AEM versions which runs on Java 8 and AEM 6.4 or above) for on-premise installations. Since v2.5.0 **[AEM as a Cloud Service](https://www.adobe.com/marketing/experience-manager/cloud-service.html)** is supported, see [Startup Hook](https://github.com/Netcentric/accesscontroltool/blob/develop/docs/ApplyConfig.md#startup-hook) for details.
 
-It is also possible to run the AC Tool on **Apache Sling 12** or above (ensure system user `actool-service` has `jcr:all` permissions on root). When using the AC Tool with Sling, actions in ACE definitions and encrypted passwords cannot be used. To use the `externalId` attribute, ensure bundle `oak-auth-external` installed (not part of default Sling distribution).
+It is also possible to run the AC Tool on **Apache Sling 12** or above (ensure system user `actool-service` has `jcr:all` permissions on root). When using the AC Tool with Sling, actions in ACE definitions, encrypted passwords and user's key stores cannot be used. To use the `externalId` attribute, ensure bundle `oak-auth-external` installed (not part of default Sling distribution).
 
 # Installation
 
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
index 775c5131..bd6c35bc 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
@@ -36,7 +36,6 @@
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
 import javax.jcr.SimpleCredentials;
-import javax.jcr.UnsupportedRepositoryOperationException;
 import javax.jcr.ValueFactory;
 
 import org.apache.commons.collections4.CollectionUtils;
@@ -61,8 +60,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.adobe.granite.keystore.KeyStoreNotInitialisedException;
-
 import biz.netcentric.cq.tools.actool.api.InstallationOptions;
 import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableCreatorException;
 import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableInstallerService;
@@ -218,7 +215,7 @@ private void installAuthorizableConfigurationBean(final Session session,
         }
     }
 
-    private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> keys, String userId, String keyStorePassword, Session session, InstallationLogger installLog) throws LoginException, SlingIOException, SecurityException, KeyStoreNotInitialisedException, IOException, GeneralSecurityException, UnsupportedRepositoryOperationException, RepositoryException {
+    private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> keys, String userId, String keyStorePassword, Session session, InstallationLogger installLog) throws LoginException, SlingIOException, SecurityException, IOException, GeneralSecurityException, RepositoryException {
         Map<String, Object> authInfo = new HashMap<>();
         authInfo.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, session);
         ResourceResolver resolver = resourceResolverFactory.getResourceResolver(authInfo);
@@ -234,7 +231,7 @@ private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> k
         }
     }
 
-    private void removeKeyStore(ResourceResolver resolver, User user, InstallationLogger installLog) throws UnsupportedRepositoryOperationException, RepositoryException, PersistenceException {
+    private void removeKeyStore(ResourceResolver resolver, User user, InstallationLogger installLog) throws RepositoryException, PersistenceException {
         String keyStorePath = user.getPath() + "/" + USER_KEYSTORE_FOLDER;
         Resource keyStoreResource = resolver.getResource(keyStorePath);
         if (keyStoreResource != null) {
@@ -245,7 +242,7 @@ private void removeKeyStore(ResourceResolver resolver, User user, InstallationLo
         }
     }
 
-    private void installKeys(Map<String, Key> keys, String userId, String keyStorePassword, ResourceResolver resourceResolver, InstallationLogger installLog) throws SlingIOException, SecurityException, KeyStoreNotInitialisedException, IOException, GeneralSecurityException {
+    private void installKeys(Map<String, Key> keys, String userId, String keyStorePassword, ResourceResolver resourceResolver, InstallationLogger installLog) throws SlingIOException, SecurityException {
         if (keyStoreService == null) {
             throw new IllegalStateException(
                     "Keys are used on the authorizable which require the AEM KeyStore Service which is missing.");

From 48ca59368297d727fd798569d440af4aadef0d79 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Thu, 14 May 2026 21:16:36 +0200
Subject: [PATCH 3/8] Remove Granite JMX dependency for JMX beans

---
 accesscontroltool-bundle/pom.xml              | 23 +++++++++----------
 .../cq/tools/actool/jmx/AceServiceMBean.java  |  5 ++--
 .../tools/actool/jmx/AceServiceMBeanImpl.java |  7 ++----
 pom.xml                                       | 11 ++++++---
 4 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml
index 8bc1cefe..ee0ae8f3 100644
--- a/accesscontroltool-bundle/pom.xml
+++ b/accesscontroltool-bundle/pom.xml
@@ -117,6 +117,17 @@
             <artifactId>oak-jackrabbit-api</artifactId>
             <scope>provided</scope>
         </dependency>
+        <!-- for org.apache.jackrabbit.oak.commons.jmx -->
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-core-spi</artifactId>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.jackrabbit.vault</groupId>
             <artifactId>org.apache.jackrabbit.vault</artifactId>
@@ -199,12 +210,6 @@
             <artifactId>httpclient-osgi</artifactId>
             <scope>provided</scope>
         </dependency>
-        <!-- JMX annotations -->
-        <dependency>
-            <groupId>com.adobe.granite</groupId>
-            <artifactId>com.adobe.granite.jmx</artifactId>
-            <scope>provided</scope>
-        </dependency>
         <!-- Crypto Support -->
         <dependency>
             <groupId>com.adobe.granite</groupId>
@@ -277,12 +282,6 @@
             <scope>test</scope>
         </dependency>
         <!-- IT dependencies -->
-        <dependency>
-            <groupId>org.apache.jackrabbit</groupId>
-            <artifactId>oak-api</artifactId>
-            <version>${oak.testing.version}</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
             <artifactId>oak-core</artifactId>
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBean.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBean.java
index c7a6d591..187287ac 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBean.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBean.java
@@ -16,8 +16,9 @@
 
 import javax.jcr.RepositoryException;
 
-import com.adobe.granite.jmx.annotation.Description;
-import com.adobe.granite.jmx.annotation.Name;
+import org.apache.jackrabbit.oak.api.jmx.Description;
+import org.apache.jackrabbit.oak.api.jmx.Name;
+
 
 /**
  * exposes functionalities of the Netcentric AC-Tool
diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBeanImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBeanImpl.java
index d5348ed4..251f4069 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBeanImpl.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/jmx/AceServiceMBeanImpl.java
@@ -22,6 +22,7 @@
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.time.StopWatch;
+import org.apache.jackrabbit.oak.commons.jmx.AnnotatedStandardMBean;
 import org.apache.sling.jcr.api.SlingRepository;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Reference;
@@ -29,8 +30,6 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.adobe.granite.jmx.annotation.AnnotatedStandardMBean;
-
 import biz.netcentric.cq.tools.actool.api.InstallationOptionsBuilder;
 import biz.netcentric.cq.tools.actool.dumpservice.ConfigDumpService;
 import biz.netcentric.cq.tools.actool.history.AcHistoryService;
@@ -167,6 +166,7 @@ public String showInstallationLog(final String n, boolean verbose) throws Reposi
     public String purgeAllAuthorizablesFromConfiguration() {
         return acInstallationService.purgeAuthorizablesFromConfig();
     }
+
     @Override
     public String purgeAllAuthorizablesFromConfiguration(String configurationRootPath) {
         InstallationOptionsBuilder builder = new InstallationOptionsBuilder();
@@ -192,7 +192,4 @@ public String getVersion() {
         return acInstallationService.getVersion();
     }
 
-
-
-
 }
diff --git a/pom.xml b/pom.xml
index ccd5a692..ed3b66c8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -149,9 +149,14 @@
                 <version>${oak.version}</version>
             </dependency>
             <dependency>
-                <groupId>com.adobe.granite</groupId>
-                <artifactId>com.adobe.granite.jmx</artifactId>
-                <version>0.2.14</version><!-- 6.4 ships with 0.3.4, newest available in Maven Central is 0.2.14 though-->
+                <groupId>org.apache.jackrabbit</groupId>
+                <artifactId>oak-api</artifactId>
+                <version>${oak.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.jackrabbit</groupId>
+                <artifactId>oak-core-spi</artifactId>
+                <version>${oak.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.adobe.granite</groupId>

From 98ceb0f6c5f1a5403bf2bd99d17da89eae4cf5d4 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Thu, 14 May 2026 21:20:38 +0200
Subject: [PATCH 4/8] Remove unused throws declaration

---
 .../impl/AuthorizableInstallerServiceImpl.java                  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
index bd6c35bc..7348d5df 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.java
@@ -215,7 +215,7 @@ private void installAuthorizableConfigurationBean(final Session session,
         }
     }
 
-    private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> keys, String userId, String keyStorePassword, Session session, InstallationLogger installLog) throws LoginException, SlingIOException, SecurityException, IOException, GeneralSecurityException, RepositoryException {
+    private void installKeys(boolean appendToKeyStore, User user, Map<String, Key> keys, String userId, String keyStorePassword, Session session, InstallationLogger installLog) throws LoginException, SlingIOException, SecurityException, IOException, RepositoryException {
         Map<String, Object> authInfo = new HashMap<>();
         authInfo.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, session);
         ResourceResolver resolver = resourceResolverFactory.getResourceResolver(authInfo);

From a84d89141aa61c30cfc5cc775967cf8acbf62f65 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Thu, 14 May 2026 21:34:30 +0200
Subject: [PATCH 5/8] Fix ITs by overriding old Oak dependencies

---
 accesscontroltool-bundle/pom.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml
index ee0ae8f3..bb636d5f 100644
--- a/accesscontroltool-bundle/pom.xml
+++ b/accesscontroltool-bundle/pom.xml
@@ -379,11 +379,23 @@
                                 <artifactId>oak-jackrabbit-api</artifactId>
                                 <version>${oak.testing.version}</version>
                             </additionalClasspathDependency>
+                            <additionalClasspathDependency>
+                                <groupId>org.apache.jackrabbit</groupId>
+                                <artifactId>oak-api</artifactId>
+                                <version>${oak.testing.version}</version>
+                            </additionalClasspathDependency>
+                            <additionalClasspathDependency>
+                                <groupId>org.apache.jackrabbit</groupId>
+                                <artifactId>oak-core-spi</artifactId>
+                                <version>${oak.testing.version}</version>
+                            </additionalClasspathDependency>
                         </additionalClasspathDependencies>
                         <classpathDependencyExcludes>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-security-spi</classpathDependencyExclude>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-auth-external</classpathDependencyExclude>
                             <classpathDependencyExclude>org.apache.jackrabbit:jackrabbit-api</classpathDependencyExclude>
+                            <classpathDependencyExclude>org.apache.jackrabbit:oak-api</classpathDependencyExclude>
+                            <classpathDependencyExclude>org.apache.jackrabbit:oak-core-spi</classpathDependencyExclude>
                         </classpathDependencyExcludes>
                     </configuration>
                 </plugin>

From 56ab597e1e42a34fe593b15ce8f69baaa39704ea Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Fri, 15 May 2026 09:46:49 +0200
Subject: [PATCH 6/8] Add target OSGi environment for Sling Starter 12

Test if bundle is resolvable in Sling Starter 12
However this won't check if relevant SCR components are started.
---
 README.md                                     |   2 +-
 accesscontroltool-bundle/minimum-aem.bndrun   |   2 +-
 accesscontroltool-bundle/minimum-sling.bndrun |  17 ++
 accesscontroltool-bundle/pom.xml              |  15 +-
 .../minimum-aem.bndrun                        |   0
 .../pom.xml                                   |   0
 target-osgi-environment/pom.xml               |   4 +-
 .../minimum-sling.bndrun                      |  22 ++
 .../sling-minimum-version-environment/pom.xml | 285 ++++++++++++++++++
 9 files changed, 343 insertions(+), 4 deletions(-)
 create mode 100644 accesscontroltool-bundle/minimum-sling.bndrun
 rename target-osgi-environment/{minimum-environment => aem-minimum-version-environment}/minimum-aem.bndrun (100%)
 rename target-osgi-environment/{minimum-environment => aem-minimum-version-environment}/pom.xml (100%)
 create mode 100644 target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
 create mode 100644 target-osgi-environment/sling-minimum-version-environment/pom.xml

diff --git a/README.md b/README.md
index 8f39e7ad..81ad9558 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ See also our talk at [adaptTo() 2016](https://adapt.to/2016/en/schedule/ac-tool.
 
 The AC Tool requires **Java 11 and AEM 6.5.18** or above (use v3.x for older AEM versions which runs on Java 8 and AEM 6.4 or above) for on-premise installations. Since v2.5.0 **[AEM as a Cloud Service](https://www.adobe.com/marketing/experience-manager/cloud-service.html)** is supported, see [Startup Hook](https://github.com/Netcentric/accesscontroltool/blob/develop/docs/ApplyConfig.md#startup-hook) for details.
 
-It is also possible to run the AC Tool on **Apache Sling 12** or above (ensure system user `actool-service` has `jcr:all` permissions on root). When using the AC Tool with Sling, actions in ACE definitions, encrypted passwords and user's key stores cannot be used. To use the `externalId` attribute, ensure bundle `oak-auth-external` installed (not part of default Sling distribution).
+It is also possible to run the AC Tool on **Apache Sling 12** or above (ensure system user `actool-service` has `jcr:all` permissions on root). When using the AC Tool with Sling, actions in ACE definitions, encrypted passwords and user's key stores cannot be used. To use the `externalId` attribute, ensure bundle `oak-auth-external` installed (not part of default Sling Starter distribution).
 
 # Installation
 
diff --git a/accesscontroltool-bundle/minimum-aem.bndrun b/accesscontroltool-bundle/minimum-aem.bndrun
index 8bdf1741..08e40d50 100644
--- a/accesscontroltool-bundle/minimum-aem.bndrun
+++ b/accesscontroltool-bundle/minimum-aem.bndrun
@@ -13,5 +13,5 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 
--include ../target-osgi-environment/minimum-environment/minimum-aem.bndrun
+-include ../target-osgi-environment/aem-minimum-version-environment/minimum-aem.bndrun
 
diff --git a/accesscontroltool-bundle/minimum-sling.bndrun b/accesscontroltool-bundle/minimum-sling.bndrun
new file mode 100644
index 00000000..574a97dd
--- /dev/null
+++ b/accesscontroltool-bundle/minimum-sling.bndrun
@@ -0,0 +1,17 @@
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+-include ../target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
+
diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml
index bb636d5f..0a32ece9 100644
--- a/accesscontroltool-bundle/pom.xml
+++ b/accesscontroltool-bundle/pom.xml
@@ -423,7 +423,7 @@
                 <artifactId>bnd-resolver-maven-plugin</artifactId>
                 <executions>
                     <execution>
-                        <id>resolve-against-minimum</id>
+                        <id>resolve-against-minimum-aem</id>
                         <goals>
                             <goal>resolve</goal>
                         </goals>
@@ -435,6 +435,19 @@
                             </bndruns>
                         </configuration>
                     </execution>
+                    <execution>
+                        <id>resolve-against-minimal-sling</id>
+                        <goals>
+                            <goal>resolve</goal>
+                        </goals>
+                        <phase>verify</phase>
+                        <configuration>
+                            <useMavenDependencies>false</useMavenDependencies>
+                            <bndruns>
+                                <include>minimum-sling.bndrun</include>
+                            </bndruns>
+                        </configuration>
+                    </execution>
                     <!-- resolving against the maximum, i.e. AEMaaCS version happens separately in the aemanalyser-maven-plugin -->
                 </executions>
                 <configuration>
diff --git a/target-osgi-environment/minimum-environment/minimum-aem.bndrun b/target-osgi-environment/aem-minimum-version-environment/minimum-aem.bndrun
similarity index 100%
rename from target-osgi-environment/minimum-environment/minimum-aem.bndrun
rename to target-osgi-environment/aem-minimum-version-environment/minimum-aem.bndrun
diff --git a/target-osgi-environment/minimum-environment/pom.xml b/target-osgi-environment/aem-minimum-version-environment/pom.xml
similarity index 100%
rename from target-osgi-environment/minimum-environment/pom.xml
rename to target-osgi-environment/aem-minimum-version-environment/pom.xml
diff --git a/target-osgi-environment/pom.xml b/target-osgi-environment/pom.xml
index 0210b582..1101af81 100644
--- a/target-osgi-environment/pom.xml
+++ b/target-osgi-environment/pom.xml
@@ -26,8 +26,10 @@
     <artifactId>target-osgi-environment</artifactId>
     <packaging>pom</packaging>
     <name>Target OSGi Environments</name>
+    <description>Defines the target OSGi environments for the Access Control Tool. Used with bnd-resolver-maven-plugin to check if ACTool bundles are resolvable in supported OSGi runtimes.</description>
 
     <modules>
-        <module>minimum-environment</module>
+        <module>aem-minimum-version-environment</module>
+        <module>sling-minimum-version-environment</module>
     </modules>
 </project>
diff --git a/target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun b/target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
new file mode 100644
index 00000000..204b6e28
--- /dev/null
+++ b/target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
@@ -0,0 +1,22 @@
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+-standalone: ${fileuri;${.}/target/index.xml}
+
+-runfw: org.apache.felix.framework
+-runee: JavaSE-11
+
+# disable capability matching as too many headers are missing
+# -resolve.effective: active
\ No newline at end of file
diff --git a/target-osgi-environment/sling-minimum-version-environment/pom.xml b/target-osgi-environment/sling-minimum-version-environment/pom.xml
new file mode 100644
index 00000000..53592a3b
--- /dev/null
+++ b/target-osgi-environment/sling-minimum-version-environment/pom.xml
@@ -0,0 +1,285 @@
+<?xml version="1.0"?><!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements. See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd ">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
+        <artifactId>target-osgi-environment</artifactId>
+        <relativePath>../pom.xml</relativePath>
+        <version>4.1.2-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>sling-minimum-version-environment</artifactId>
+    <packaging>pom</packaging>
+    <name>Minimum Sling Target OSGi Environment for Access Control Tool</name>
+    <description>The bndrun files and the used bundles for resolving all bundles in the minimum supported version of Sling (Sling Starter 12)</description>
+
+    <!-- ====================================================================== -->
+    <!-- B U I L D -->
+    <!-- ====================================================================== -->
+    <build>
+        <plugins>
+
+            <!-- create OSGi repo index for target container -->
+            <plugin>
+                <groupId>biz.aQute.bnd</groupId>
+                <artifactId>bnd-indexer-maven-plugin</artifactId>
+                <version>${bnd.version}</version>
+                <executions>
+                    <execution>
+                        <id>index</id>
+                        <goals>
+                            <goal>index</goal>
+                        </goals>
+                        <configuration>
+                            <attach>false</attach>
+                            <includeGzip>false</includeGzip>
+                            <scopes>compile,runtime,provided</scopes>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+    <!-- relevant bundles from Sling Starter 12-->
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.framework</artifactId>
+            <version>7.0.3</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.util.function</artifactId>
+            <version>1.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.util.promise</artifactId>
+            <version>1.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.converter</artifactId>
+            <version>1.0.18</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.scr</artifactId>
+            <version>2.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.configadmin</artifactId>
+            <version>1.9.22</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.eventadmin</artifactId>
+            <version>1.6.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.http.servlet-api</artifactId>
+            <version>1.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore-osgi</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient-osgi</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.daisy.libs</groupId>
+            <artifactId>commons-httpclient</artifactId>
+            <version>3.1.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.log</artifactId>
+            <version>5.1.10</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.osgi</artifactId>
+            <version>2.4.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.scheduler</artifactId>
+            <version>2.7.12</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.classloader</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.json</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.hc.api</artifactId>
+            <version>1.0.4</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.serviceusermapper</artifactId>
+            <version>1.5.4</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.settings</artifactId>
+            <version>1.4.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.event</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.jcr</groupId>
+            <artifactId>jcr</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-jackrabbit-api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-webdav</artifactId>
+            <version>${jackrabbit.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-jcr-commons</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-spi-commons</artifactId>
+            <version>${jackrabbit.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.jcr.api</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.jcr.base</artifactId>
+            <version>3.1.14</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.jcr.oak.server</artifactId>
+            <!-- https://github.com/apache/sling-org-apache-sling-jcr-oak-server/blob/master/README.md -->
+            <version>1.2.10</version> <!-- compatible with Oak 1.22.x -->
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-security-spi</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit.vault</groupId>
+            <artifactId>org.apache.jackrabbit.vault</artifactId>
+            <version>3.6.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+</project>

From ed783be6555623c8689b8c308a98856c0cda86ab Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Fri, 15 May 2026 15:02:44 +0200
Subject: [PATCH 7/8] Resolve also against latest Sling Starter 14

Broaden import-package version range for
"org.apache.jackrabbit.oak.commons.jmx"
---
 accesscontroltool-bundle/bnd.bnd              |   2 +
 accesscontroltool-bundle/maximum-sling.bndrun |  17 +
 accesscontroltool-bundle/pom.xml              |  15 +-
 pom.xml                                       |   6 +
 target-osgi-environment/pom.xml               |   1 +
 .../maximum-sling.bndrun                      |  22 ++
 .../sling-maximum-version-environment/pom.xml | 339 ++++++++++++++++++
 .../minimum-sling.bndrun                      |   2 +-
 .../sling-minimum-version-environment/pom.xml |  38 +-
 9 files changed, 429 insertions(+), 13 deletions(-)
 create mode 100644 accesscontroltool-bundle/maximum-sling.bndrun
 create mode 100644 target-osgi-environment/sling-maximum-version-environment/maximum-sling.bndrun
 create mode 100644 target-osgi-environment/sling-maximum-version-environment/pom.xml

diff --git a/accesscontroltool-bundle/bnd.bnd b/accesscontroltool-bundle/bnd.bnd
index 5613d84f..e78aa697 100644
--- a/accesscontroltool-bundle/bnd.bnd
+++ b/accesscontroltool-bundle/bnd.bnd
@@ -7,6 +7,7 @@ Bundle-SymbolicName: biz.netcentric.cq.tools.accesscontroltool.bundle
 
 # allow to run in Sling without AEM bundles
 # allow to run without bouncycastle which is only necessary for some edge cases when managing keys
+# broader version range for JMX annotation as 2.0.0 was introduced in https://github.com/apache/jackrabbit-oak/commit/42b0a70d305372e9c228697012f12c59d643fe27#diff-776354a994a5afefbc8da17a75d83569e198589f2abe3be6890bb621f9a1a708 but is still compatible with our use cases
 Import-Package: \
 com.adobe.granite.crypto;resolution:=optional,\
 com.adobe.granite.keystore;resolution:=optional,\
@@ -15,6 +16,7 @@ com.fasterxml.jackson.databind;resolution:=optional,\
 org.apache.http.*;resolution:=optional,\
 org.bouncycastle.*;resolution:=optional,\
 org.apache.jackrabbit.oak.spi.security.authentication.external.*;resolution:=optional,\
+org.apache.jackrabbit.oak.commons.jmx;version="[1.1.0,3.0.0)",\
 !jakarta.servlet.jsp.el,\
 *
 
diff --git a/accesscontroltool-bundle/maximum-sling.bndrun b/accesscontroltool-bundle/maximum-sling.bndrun
new file mode 100644
index 00000000..e41ac476
--- /dev/null
+++ b/accesscontroltool-bundle/maximum-sling.bndrun
@@ -0,0 +1,17 @@
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+-include ../target-osgi-environment/sling-maximum-version-environment/maximum-sling.bndrun
+
diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml
index 0a32ece9..a90452ac 100644
--- a/accesscontroltool-bundle/pom.xml
+++ b/accesscontroltool-bundle/pom.xml
@@ -436,7 +436,7 @@
                         </configuration>
                     </execution>
                     <execution>
-                        <id>resolve-against-minimal-sling</id>
+                        <id>resolve-against-minimum-sling</id>
                         <goals>
                             <goal>resolve</goal>
                         </goals>
@@ -448,6 +448,19 @@
                             </bndruns>
                         </configuration>
                     </execution>
+                    <execution>
+                        <id>resolve-against-maximum-sling</id>
+                        <goals>
+                            <goal>resolve</goal>
+                        </goals>
+                        <phase>verify</phase>
+                        <configuration>
+                            <useMavenDependencies>false</useMavenDependencies>
+                            <bndruns>
+                                <include>maximum-sling.bndrun</include>
+                            </bndruns>
+                        </configuration>
+                    </execution>
                     <!-- resolving against the maximum, i.e. AEMaaCS version happens separately in the aemanalyser-maven-plugin -->
                 </executions>
                 <configuration>
diff --git a/pom.xml b/pom.xml
index ed3b66c8..9adc0313 100644
--- a/pom.xml
+++ b/pom.xml
@@ -153,6 +153,12 @@
                 <artifactId>oak-api</artifactId>
                 <version>${oak.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.jackrabbit</groupId>
+                <artifactId>oak-jackrabbit-api</artifactId>
+                <!-- downgrade to make still compatible with Sling Starter 12-->
+                <version>1.22.14</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.jackrabbit</groupId>
                 <artifactId>oak-core-spi</artifactId>
diff --git a/target-osgi-environment/pom.xml b/target-osgi-environment/pom.xml
index 1101af81..53e30914 100644
--- a/target-osgi-environment/pom.xml
+++ b/target-osgi-environment/pom.xml
@@ -31,5 +31,6 @@
     <modules>
         <module>aem-minimum-version-environment</module>
         <module>sling-minimum-version-environment</module>
+        <module>sling-maximum-version-environment</module>
     </modules>
 </project>
diff --git a/target-osgi-environment/sling-maximum-version-environment/maximum-sling.bndrun b/target-osgi-environment/sling-maximum-version-environment/maximum-sling.bndrun
new file mode 100644
index 00000000..b3cd8a09
--- /dev/null
+++ b/target-osgi-environment/sling-maximum-version-environment/maximum-sling.bndrun
@@ -0,0 +1,22 @@
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+-standalone: ${fileuri;${.}/target/index.xml}
+
+-runfw: org.apache.felix.framework
+-runee: JavaSE-21
+
+# disable capability matching as too many headers are missing (https://github.com/bndtools/bnd/issues/7232)
+# -resolve.effective: active
\ No newline at end of file
diff --git a/target-osgi-environment/sling-maximum-version-environment/pom.xml b/target-osgi-environment/sling-maximum-version-environment/pom.xml
new file mode 100644
index 00000000..d3e27f53
--- /dev/null
+++ b/target-osgi-environment/sling-maximum-version-environment/pom.xml
@@ -0,0 +1,339 @@
+<?xml version="1.0"?><!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements. See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License. You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd ">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
+        <artifactId>target-osgi-environment</artifactId>
+        <relativePath>../pom.xml</relativePath>
+        <version>4.1.2-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>sling-maximum-version-environment</artifactId>
+    <packaging>pom</packaging>
+    <name>Maximum Sling Target OSGi Environment for Access Control Tool</name>
+    <description>The bndrun files and the used bundles for resolving all bundles in the maximum supported version of Sling (Sling Starter 14)</description>
+
+    <properties>
+        <oak.version>1.90.0</oak.version>
+        <jackrabbit.version>2.22.3</jackrabbit.version>
+        <jackson.version>2.21.1</jackson.version>
+    </properties>
+    <!-- ====================================================================== -->
+    <!-- B U I L D -->
+    <!-- ====================================================================== -->
+    <build>
+        <plugins>
+
+            <!-- create OSGi repo index for target container -->
+            <plugin>
+                <groupId>biz.aQute.bnd</groupId>
+                <artifactId>bnd-indexer-maven-plugin</artifactId>
+                <version>${bnd.version}</version>
+                <executions>
+                    <execution>
+                        <id>index</id>
+                        <goals>
+                            <goal>index</goal>
+                        </goals>
+                        <configuration>
+                            <attach>false</attach>
+                            <includeGzip>false</includeGzip>
+                            <scopes>compile,runtime,provided</scopes>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+    <!-- relevant bundles from Sling Starter 14, updated with prompt "Update dependencies with versions defined in https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.starter/14/org.apache.sling.starter-14-nosample_base.slingosgifeature"-->
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.framework</artifactId>
+            <version>7.0.5</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.service.component</artifactId>
+            <version>1.5.1</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.util.function</artifactId>
+            <version>1.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.util.promise</artifactId>
+            <version>1.3.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.converter</artifactId>
+            <version>1.0.18</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.scr</artifactId>
+            <version>2.2.14</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.configadmin</artifactId>
+            <version>1.9.26</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.eventadmin</artifactId>
+            <version>1.6.4</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.http.jetty12</artifactId>
+            <version>1.1.8</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.http.servlet-api</artifactId>
+            <version>6.1.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.aries.spifly</groupId>
+            <artifactId>org.apache.aries.spifly.dynamic.bundle</artifactId>
+            <version>1.3.7</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>2.0.17</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpcore-osgi</artifactId>
+            <version>4.4.16</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient-osgi</artifactId>
+            <version>4.5.14</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.21.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.20.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.5.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+            <version>1.21.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-fileupload</groupId>
+            <artifactId>commons-fileupload</artifactId>
+            <version>1.6.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.daisy.libs</groupId>
+            <artifactId>commons-httpclient</artifactId>
+            <version>3.1.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.api</artifactId>
+            <version>3.0.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.log</artifactId>
+            <version>6.0.4</version>
+            <classifier>all</classifier>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.osgi</artifactId>
+            <version>2.4.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.scheduler</artifactId>
+            <version>2.7.14</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.commons.classloader</artifactId>
+            <version>1.4.4</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.hc.api</artifactId>
+            <version>1.0.4</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.serviceusermapper</artifactId>
+            <version>1.5.8</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.settings</artifactId>
+            <version>1.5.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.event</artifactId>
+            <version>4.4.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.event.api</artifactId>
+            <version>1.0.4</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.dropwizard.metrics</groupId>
+            <artifactId>metrics-core</artifactId>
+            <version>3.2.6</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.jcr</groupId>
+            <artifactId>jcr</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-jackrabbit-api</artifactId>
+            <version>${oak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-webdav</artifactId>
+            <version>${jackrabbit.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-jcr-commons</artifactId>
+            <version>${jackrabbit.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>jackrabbit-spi-commons</artifactId>
+            <version>${jackrabbit.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.jcr.api</artifactId>
+            <version>2.4.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.jcr.base</artifactId>
+            <version>3.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.jcr.oak.server</artifactId>
+            <!-- https://github.com/apache/sling-org-apache-sling-jcr-oak-server/blob/master/README.md -->
+            <version>1.4.4</version> <!-- compatible with Oak 1.90.x -->
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit</groupId>
+            <artifactId>oak-security-spi</artifactId>
+            <version>${oak.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.jackrabbit.vault</groupId>
+            <artifactId>org.apache.jackrabbit.vault</artifactId>
+            <version>4.2.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <version>${jackson.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${jackson.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+            <version>2.21</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+</project>
diff --git a/target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun b/target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
index 204b6e28..5b296ac5 100644
--- a/target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
+++ b/target-osgi-environment/sling-minimum-version-environment/minimum-sling.bndrun
@@ -18,5 +18,5 @@
 -runfw: org.apache.felix.framework
 -runee: JavaSE-11
 
-# disable capability matching as too many headers are missing
+# disable capability matching as too many headers are missing (https://github.com/bndtools/bnd/issues/7232)
 # -resolve.effective: active
\ No newline at end of file
diff --git a/target-osgi-environment/sling-minimum-version-environment/pom.xml b/target-osgi-environment/sling-minimum-version-environment/pom.xml
index 53592a3b..6d4a6773 100644
--- a/target-osgi-environment/sling-minimum-version-environment/pom.xml
+++ b/target-osgi-environment/sling-minimum-version-environment/pom.xml
@@ -29,6 +29,11 @@
     <name>Minimum Sling Target OSGi Environment for Access Control Tool</name>
     <description>The bndrun files and the used bundles for resolving all bundles in the minimum supported version of Sling (Sling Starter 12)</description>
 
+    <properties>
+        <oak.version>1.42.0</oak.version>
+        <jackrabbit.version>2.20.4</jackrabbit.version>
+        <jackson.version>2.13.1</jackson.version>
+    </properties>
     <!-- ====================================================================== -->
     <!-- B U I L D -->
     <!-- ====================================================================== -->
@@ -115,26 +120,25 @@
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpcore-osgi</artifactId>
+            <version>4.4.15</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient-osgi</artifactId>
-            <scope>provided</scope>
-        </dependency>
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
+            <version>4.5.13</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
+            <version>2.11.0</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
+            <version>3.12.0</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -146,6 +150,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
+            <version>4.4</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -157,6 +162,7 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.api</artifactId>
+            <version>2.24.0</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -180,11 +186,7 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.commons.classloader</artifactId>
-            <scope>provided</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.sling</groupId>
-            <artifactId>org.apache.sling.commons.json</artifactId>
+            <version>1.4.4</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -208,6 +210,13 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.event</artifactId>
+            <version>4.3.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.dropwizard.metrics</groupId>
+            <artifactId>metrics-core</artifactId>
+            <version>3.2.6</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -218,6 +227,7 @@
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
             <artifactId>oak-jackrabbit-api</artifactId>
+            <version>${oak.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -229,6 +239,7 @@
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
             <artifactId>jackrabbit-jcr-commons</artifactId>
+            <version>${jackrabbit.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -240,12 +251,13 @@
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.jcr.api</artifactId>
+            <version>2.4.0</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.apache.sling</groupId>
             <artifactId>org.apache.sling.jcr.base</artifactId>
-            <version>3.1.14</version>
+            <version>3.1.10</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -258,6 +270,7 @@
         <dependency>
             <groupId>org.apache.jackrabbit</groupId>
             <artifactId>oak-security-spi</artifactId>
+            <version>${oak.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -269,16 +282,19 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
+            <version>${jackson.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
+            <version>${jackson.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-annotations</artifactId>
+            <version>${jackson.version}</version>
             <scope>provided</scope>
         </dependency>
     </dependencies>

From 10ea02ccf251a6084acc11a9b5db520d449d0474 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Fri, 15 May 2026 17:44:39 +0200
Subject: [PATCH 8/8] Fix IT

---
 accesscontroltool-bundle/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/accesscontroltool-bundle/pom.xml b/accesscontroltool-bundle/pom.xml
index a90452ac..ea6bf238 100644
--- a/accesscontroltool-bundle/pom.xml
+++ b/accesscontroltool-bundle/pom.xml
@@ -393,7 +393,7 @@
                         <classpathDependencyExcludes>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-security-spi</classpathDependencyExclude>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-auth-external</classpathDependencyExclude>
-                            <classpathDependencyExclude>org.apache.jackrabbit:jackrabbit-api</classpathDependencyExclude>
+                            <classpathDependencyExclude>org.apache.jackrabbit:oak-jackrabbit-api</classpathDependencyExclude>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-api</classpathDependencyExclude>
                             <classpathDependencyExclude>org.apache.jackrabbit:oak-core-spi</classpathDependencyExclude>
                         </classpathDependencyExcludes>