From cf332cd359a7c463abc12171d89e3088e29168ff Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Thu, 4 Feb 2021 17:29:02 +0100
Subject: [PATCH 01/20] Make ui.content package no longer block replication
 queue on AEMaaCS

Give underlying system user write access to /var/acs-commons
Set other ACLs below /var only on Author

This closes #2341
---
 CHANGELOG.md                                        |  1 +
 ...it.RepositoryInitializer-varworkflow-acls.config | 13 +++++++++++++
 ...poinit.RepositoryInitializer-distribution.config | 11 +++++++++++
 .../src/main/content/META-INF/vault/filter.xml      |  2 --
 .../workflow-package-manager-service/.content.xml   |  7 -------
 .../acs-commons/workflow-remover/.content.xml       |  6 ------
 .../jcr_root/var/workflow/instances/_rep_policy.xml |  8 --------
 .../jcr_root/var/workflow/packages/_rep_policy.xml  |  8 --------
 8 files changed, 25 insertions(+), 31 deletions(-)
 create mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
 create mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
 delete mode 100644 ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-package-manager-service/.content.xml
 delete mode 100644 ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-remover/.content.xml
 delete mode 100644 ui.content/src/main/content/jcr_root/var/workflow/instances/_rep_policy.xml
 delete mode 100644 ui.content/src/main/content/jcr_root/var/workflow/packages/_rep_policy.xml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 310c31df30..bf74ba1609 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com)
 
 ### Fixed
 - #2529 - Unable to find an implementation for interface acscommons.io.jsonwebtoken.io.Serializer using java.util.ServiceLoader
+- #2341 - ACS Commons fails to deploy to AEM as a Cloud Service due to inclusion of /var nodes
 
 ## 4.11.2 - 2021-01-05
 
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
new file mode 100644
index 0000000000..61460e1d26
--- /dev/null
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
@@ -0,0 +1,13 @@
+scripts=[
+# these users and ACLs are only necessary on author
+create service user acs-commons-workflow-remover-service with path system/acs-commons
+set principal ACL for acs-commons-workflow-remover-service
+    allow jcr:read, rep:write on /var/workflow/instances
+end
+
+create service user acs-commons-workflowpackagemanager-service with path system/acs-commons
+set principal ACL for acs-commons-workflowpackagemanager-service
+    allow jcr:read on /var/workflow/packages
+end
+"
+]
\ No newline at end of file
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
new file mode 100644
index 0000000000..569c2009de
--- /dev/null
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
@@ -0,0 +1,11 @@
+scripts=[
+"# extend rights for installing the ui.content package containing /var nodes with AEMaaCS (https://helpx.adobe.com/in/experience-manager/kb/cm/cloudmanager-deploy-fails-due-to-sling-distribution-aem.html)
+create path /var/acs-commons(nt:folder)
+
+# AEM classic does not know this system user, but creating it below system/acs-commons shouldn't do any harm
+create service user sling-distribution-importer with path system/acs-commons
+set principal ACL for sling-distribution-importer
+    allow jcr:read, rep:write, jcr:versionManagement, jcr:modifyAccessControl ,jcr:readAccessControl, jcr:lockManagement on /var/acs-commons
+end
+"
+]
\ No newline at end of file
diff --git a/ui.content/src/main/content/META-INF/vault/filter.xml b/ui.content/src/main/content/META-INF/vault/filter.xml
index 0792c808bd..621b29e65d 100644
--- a/ui.content/src/main/content/META-INF/vault/filter.xml
+++ b/ui.content/src/main/content/META-INF/vault/filter.xml
@@ -103,6 +103,4 @@
         <include pattern="/var/acs-commons/on-deploy-scripts-status"/>
         <include pattern="/var/acs-commons/mcp"/>
     </filter>
-    <filter root="/var/workflow/instances/rep:policy"/>
-    <filter root="/var/workflow/packages/rep:policy"/>
 </workspaceFilter>
diff --git a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-package-manager-service/.content.xml b/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-package-manager-service/.content.xml
deleted file mode 100644
index e5f8f7a7d5..0000000000
--- a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-package-manager-service/.content.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-    jcr:primaryType="rep:SystemUser"
-    jcr:uuid="e7ba4bca-1a46-3e8f-ab05-dab75889c48a"
-    rep:authorizableId="acs-commons-workflowpackagemanager-service"
-    rep:principalName=" acs-commons-workflowpackagemanager-service"
-    />
diff --git a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-remover/.content.xml b/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-remover/.content.xml
deleted file mode 100644
index 8e00d4539b..0000000000
--- a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/workflow-remover/.content.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-    jcr:primaryType="rep:SystemUser"
-    jcr:uuid="cf6360a5-f76b-364e-8257-0fc54accfc1f"
-    rep:authorizableId="acs-commons-workflow-remover-service"
-    rep:principalName="acs-commons-workflow-remover-service"/>
diff --git a/ui.content/src/main/content/jcr_root/var/workflow/instances/_rep_policy.xml b/ui.content/src/main/content/jcr_root/var/workflow/instances/_rep_policy.xml
deleted file mode 100644
index f6060ff490..0000000000
--- a/ui.content/src/main/content/jcr_root/var/workflow/instances/_rep_policy.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-          jcr:primaryType="rep:ACL">
-    <allow
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-workflow-remover-service"
-            rep:privileges="{Name}[jcr:read,jcr:write]"/>
-</jcr:root>
\ No newline at end of file
diff --git a/ui.content/src/main/content/jcr_root/var/workflow/packages/_rep_policy.xml b/ui.content/src/main/content/jcr_root/var/workflow/packages/_rep_policy.xml
deleted file mode 100644
index 748e2e8642..0000000000
--- a/ui.content/src/main/content/jcr_root/var/workflow/packages/_rep_policy.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-          jcr:primaryType="rep:ACL">
-    <allow
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-workflowpackagemanager-service"
-            rep:privileges="{Name}[jcr:read]"/>
-</jcr:root>
\ No newline at end of file

From 9514b03f8b0706307890b23b5b1847f803b8a590 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Sun, 7 Feb 2021 10:43:44 +0100
Subject: [PATCH 02/20] add missing quote

---
 ...g.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
index 61460e1d26..d9fc1dc29c 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
@@ -1,5 +1,5 @@
 scripts=[
-# these users and ACLs are only necessary on author
+"# these users and ACLs are only necessary on author
 create service user acs-commons-workflow-remover-service with path system/acs-commons
 set principal ACL for acs-commons-workflow-remover-service
     allow jcr:read, rep:write on /var/workflow/instances

From f7cf09d72f09f5a3a090abd7ea445f8a55b80bcb Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Sun, 7 Feb 2021 10:56:36 +0100
Subject: [PATCH 03/20] ensure-oak-index system user and ACLs set via repoinit

---
 ....repoinit.RepositoryInitializer-ensure-oakindex.config | 8 ++++++++
 ui.content/src/main/content/META-INF/vault/filter.xml     | 1 -
 .../src/main/content/jcr_root/_oak_index/_rep_policy.xml  | 8 --------
 .../acs-commons/ensure-oak-index-service/.content.xml     | 6 ------
 4 files changed, 8 insertions(+), 15 deletions(-)
 create mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config
 delete mode 100644 ui.content/src/main/content/jcr_root/_oak_index/_rep_policy.xml
 delete mode 100644 ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-oak-index-service/.content.xml

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config
new file mode 100644
index 0000000000..2fec03697b
--- /dev/null
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config
@@ -0,0 +1,8 @@
+scripts=[
+"
+create service user acs-commons-ensure-oak-index-service with path system/acs-commons
+set principal ACL for acs-commons-ensure-oak-index-service
+    allow jcr:read,rep:write,rep:indexDefinitionManagement on /oak:index
+end
+"
+]
\ No newline at end of file
diff --git a/ui.content/src/main/content/META-INF/vault/filter.xml b/ui.content/src/main/content/META-INF/vault/filter.xml
index 621b29e65d..c258790962 100644
--- a/ui.content/src/main/content/META-INF/vault/filter.xml
+++ b/ui.content/src/main/content/META-INF/vault/filter.xml
@@ -89,7 +89,6 @@
     <filter root="/home/groups/rep:policy"/>
     <filter root="/home/users/rep:policy"/>
     <filter root="/home/users/system/acs-commons"/>
-    <filter root="/oak:index/rep:policy"/>
     <filter root="/rep:policy"/>
     <filter root="/var/acs-commons">
         <include pattern="/var/acs-commons/rep:policy"/>
diff --git a/ui.content/src/main/content/jcr_root/_oak_index/_rep_policy.xml b/ui.content/src/main/content/jcr_root/_oak_index/_rep_policy.xml
deleted file mode 100644
index ae972447e6..0000000000
--- a/ui.content/src/main/content/jcr_root/_oak_index/_rep_policy.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-          jcr:primaryType="rep:ACL">
-    <allow
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-ensure-oak-index-service"
-            rep:privileges="{Name}[jcr:read,rep:write,rep:indexDefinitionManagement]"/>
-</jcr:root>
\ No newline at end of file
diff --git a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-oak-index-service/.content.xml b/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-oak-index-service/.content.xml
deleted file mode 100644
index a66633eaf5..0000000000
--- a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-oak-index-service/.content.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-    jcr:primaryType="rep:SystemUser"
-    jcr:uuid="006878ae-9772-3f3f-89b3-3a9cbf701988"
-    rep:authorizableId="acs-commons-ensure-oak-index-service"
-    rep:principalName="acs-commons-ensure-oak-index-service"/>

From 4bbed0c800f1480c01a72a4bc0055d078b90e7b7 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Tue, 9 Feb 2021 10:42:01 +0100
Subject: [PATCH 04/20] set root ACLs (and connected service users) via
 repoinit

---
 ...itoryInitializer-replication-status.config |  8 ++++
 ...nit.RepositoryInitializer-root-acls.config | 18 ++++++++
 .../main/content/META-INF/vault/filter.xml    |  1 -
 .../src/main/content/jcr_root/_rep_policy.xml | 46 -------------------
 .../dispatcher-flush-service/.content.xml     |  6 ---
 .../ensure-service-user/.content.xml          |  6 ---
 .../on-deploy-scripts-service/.content.xml    |  6 ---
 .../.content.xml                              |  6 ---
 8 files changed, 26 insertions(+), 71 deletions(-)
 create mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config
 create mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config
 delete mode 100644 ui.content/src/main/content/jcr_root/_rep_policy.xml
 delete mode 100644 ui.content/src/main/content/jcr_root/home/users/system/acs-commons/dispatcher-flush-service/.content.xml
 delete mode 100755 ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-service-user/.content.xml
 delete mode 100644 ui.content/src/main/content/jcr_root/home/users/system/acs-commons/on-deploy-scripts-service/.content.xml
 delete mode 100644 ui.content/src/main/content/jcr_root/home/users/system/acs-commons/package-replication-event-service/.content.xml

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config
new file mode 100644
index 0000000000..a4d722dc6d
--- /dev/null
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config
@@ -0,0 +1,8 @@
+scripts=[
+"# these users and ACLs are only necessary on author
+create service user acs-commons-package-replication-status-event-service with path system/acs-commons
+set principal ACL for acs-commons-package-replication-status-event-service
+    allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
+end
+"
+]
\ No newline at end of file
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config
new file mode 100644
index 0000000000..dc85b54923
--- /dev/null
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config
@@ -0,0 +1,18 @@
+scripts=[
+"
+create service user acs-commons-dispatcher-flush-service with path system/acs-commons
+set principal ACL for acs-commons-dispatcher-flush-service
+    allow jcr:read,crx:replicate,jcr:removeNode on /
+end
+
+create service user acs-commons-ensure-service-user-service with path system/acs-commons
+set principal ACL for acs-commons-ensure-service-user-service
+    allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
+end
+
+create service user acs-commons-on-deploy-scripts-service with path system/acs-commons
+set principal ACL for acs-commons-on-deploy-scripts-service
+    allow jcr:read on /
+end
+"
+]
\ No newline at end of file
diff --git a/ui.content/src/main/content/META-INF/vault/filter.xml b/ui.content/src/main/content/META-INF/vault/filter.xml
index c258790962..29cb10ebc8 100644
--- a/ui.content/src/main/content/META-INF/vault/filter.xml
+++ b/ui.content/src/main/content/META-INF/vault/filter.xml
@@ -89,7 +89,6 @@
     <filter root="/home/groups/rep:policy"/>
     <filter root="/home/users/rep:policy"/>
     <filter root="/home/users/system/acs-commons"/>
-    <filter root="/rep:policy"/>
     <filter root="/var/acs-commons">
         <include pattern="/var/acs-commons/rep:policy"/>
         <include pattern="/var/acs-commons/jcr:content"/>
diff --git a/ui.content/src/main/content/jcr_root/_rep_policy.xml b/ui.content/src/main/content/jcr_root/_rep_policy.xml
deleted file mode 100644
index e5099c3a3b..0000000000
--- a/ui.content/src/main/content/jcr_root/_rep_policy.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-          jcr:primaryType="rep:ACL">
-    <allow
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-ensure-oak-index-service"
-            rep:privileges="{Name}[jcr:read,rep:write,rep:indexDefinitionManagement]">
-        <rep:restrictions
-            jcr:primaryType="rep:Restrictions"
-            rep:glob="*/oak:index"/>
-    </allow>
-    <allow0
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-ensure-oak-index-service"
-            rep:privileges="{Name}[jcr:read,rep:write,rep:indexDefinitionManagement]">
-        <rep:restrictions
-                jcr:primaryType="rep:Restrictions"
-                rep:glob="*/oak:index/*"/>
-    </allow0>
-    <allow1
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-dispatcher-flush-service"
-            rep:privileges="{Name}[jcr:read,crx:replicate,jcr:removeNode]"/>
-    <allow2
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-package-replication-status-event-service"
-            rep:privileges="{Name}[jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl]"/>
-    <allow3
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-ensure-service-user-service"
-            rep:privileges="{Name}[jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl]"/>
-    <allow4
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-on-deploy-scripts-service"
-            rep:privileges="{Name}[jcr:read]"/>
-    <!--
-    <allow4
-            jcr:primaryType="rep:GrantACE"
-            rep:principalName="acs-commons-package-replication-status-event-service"
-            rep:privileges="{Name}[jcr:modifyProperties]">
-        <rep:restrictions
-                jcr:primaryType="rep:Restrictions"
-                rep:itemNames="{Name}[cq:lastReplicated,cq:lastReplicatedBy,cq:lastReplicatedAction]"/>
-    </allow4>
-    -->
-</jcr:root>
\ No newline at end of file
diff --git a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/dispatcher-flush-service/.content.xml b/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/dispatcher-flush-service/.content.xml
deleted file mode 100644
index 8dead7c892..0000000000
--- a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/dispatcher-flush-service/.content.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-    jcr:primaryType="rep:SystemUser"
-    jcr:uuid="0cdb16c9-534e-3f02-b307-55083160bb30"
-    rep:authorizableId="acs-commons-dispatcher-flush-service"
-    rep:principalName="acs-commons-dispatcher-flush-service"/>
diff --git a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-service-user/.content.xml b/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-service-user/.content.xml
deleted file mode 100755
index f2fcd4f959..0000000000
--- a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/ensure-service-user/.content.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-    jcr:primaryType="rep:SystemUser"
-    jcr:uuid="631f75c7-4e6b-3186-82c4-2b5df96de1d8"
-    rep:authorizableId="acs-commons-ensure-service-user-service"
-    rep:principalName="acs-commons-ensure-service-user-service"/>
diff --git a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/on-deploy-scripts-service/.content.xml b/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/on-deploy-scripts-service/.content.xml
deleted file mode 100644
index ce5d2d93d2..0000000000
--- a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/on-deploy-scripts-service/.content.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-    jcr:primaryType="rep:SystemUser"
-    jcr:uuid="7ed78675-7b76-3fe1-b6a9-d3528844f21e"
-    rep:authorizableId="acs-commons-on-deploy-scripts-service"
-    rep:principalName="acs-commons-on-deploy-scripts-service"/>
diff --git a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/package-replication-event-service/.content.xml b/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/package-replication-event-service/.content.xml
deleted file mode 100644
index 15bcdb4342..0000000000
--- a/ui.content/src/main/content/jcr_root/home/users/system/acs-commons/package-replication-event-service/.content.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
-    jcr:primaryType="rep:SystemUser"
-    jcr:uuid="6a14e71d-f983-35e6-8353-cdfa7c15284d"
-    rep:authorizableId="acs-commons-package-replication-status-event-service"
-    rep:principalName="acs-commons-package-replication-status-event-service"/>

From 91571ef1bea2564a45746fb32d7febac7d4082d1 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Tue, 16 Feb 2021 13:11:51 +0100
Subject: [PATCH 05/20] don't rely on principal ACLs as they are only supported
 in newer AEM versions

---
 ...repoinit.RepositoryInitializer-replication-status.config | 2 +-
 ...r.repoinit.RepositoryInitializer-varworkflow-acls.config | 4 ++--
 ...g.jcr.repoinit.RepositoryInitializer-distribution.config | 2 +-
 ...cr.repoinit.RepositoryInitializer-ensure-oakindex.config | 2 +-
 ...ling.jcr.repoinit.RepositoryInitializer-root-acls.config | 6 +++---
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config
index a4d722dc6d..68f267d5ab 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config
@@ -1,7 +1,7 @@
 scripts=[
 "# these users and ACLs are only necessary on author
 create service user acs-commons-package-replication-status-event-service with path system/acs-commons
-set principal ACL for acs-commons-package-replication-status-event-service
+set ACL for acs-commons-package-replication-status-event-service
     allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
 end
 "
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
index d9fc1dc29c..c9cfa8fb49 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
@@ -1,12 +1,12 @@
 scripts=[
 "# these users and ACLs are only necessary on author
 create service user acs-commons-workflow-remover-service with path system/acs-commons
-set principal ACL for acs-commons-workflow-remover-service
+set ACL for acs-commons-workflow-remover-service
     allow jcr:read, rep:write on /var/workflow/instances
 end
 
 create service user acs-commons-workflowpackagemanager-service with path system/acs-commons
-set principal ACL for acs-commons-workflowpackagemanager-service
+set ACL for acs-commons-workflowpackagemanager-service
     allow jcr:read on /var/workflow/packages
 end
 "
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
index 569c2009de..fbfb4c944d 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
@@ -4,7 +4,7 @@ create path /var/acs-commons(nt:folder)
 
 # AEM classic does not know this system user, but creating it below system/acs-commons shouldn't do any harm
 create service user sling-distribution-importer with path system/acs-commons
-set principal ACL for sling-distribution-importer
+set ACL for sling-distribution-importer
     allow jcr:read, rep:write, jcr:versionManagement, jcr:modifyAccessControl ,jcr:readAccessControl, jcr:lockManagement on /var/acs-commons
 end
 "
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config
index 2fec03697b..c1364c93f5 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config
@@ -1,7 +1,7 @@
 scripts=[
 "
 create service user acs-commons-ensure-oak-index-service with path system/acs-commons
-set principal ACL for acs-commons-ensure-oak-index-service
+set ACL for acs-commons-ensure-oak-index-service
     allow jcr:read,rep:write,rep:indexDefinitionManagement on /oak:index
 end
 "
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config
index dc85b54923..b44685a3a9 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config
@@ -1,17 +1,17 @@
 scripts=[
 "
 create service user acs-commons-dispatcher-flush-service with path system/acs-commons
-set principal ACL for acs-commons-dispatcher-flush-service
+set ACL for acs-commons-dispatcher-flush-service
     allow jcr:read,crx:replicate,jcr:removeNode on /
 end
 
 create service user acs-commons-ensure-service-user-service with path system/acs-commons
-set principal ACL for acs-commons-ensure-service-user-service
+set ACL for acs-commons-ensure-service-user-service
     allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
 end
 
 create service user acs-commons-on-deploy-scripts-service with path system/acs-commons
-set principal ACL for acs-commons-on-deploy-scripts-service
+set ACL for acs-commons-on-deploy-scripts-service
     allow jcr:read on /
 end
 "

From 70d458c3b9ac33573092fd2635ddeddb29a67979 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Wed, 3 Mar 2021 11:38:47 +0100
Subject: [PATCH 06/20] create missing nodes below /var/workflow in AEMaaCS
 before applying ACLs

---
 ...jcr.repoinit.RepositoryInitializer-varworkflow-acls.config | 4 ++++
 ...ing.jcr.repoinit.RepositoryInitializer-distribution.config | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
index c9cfa8fb49..d8b7452922 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
@@ -1,11 +1,15 @@
 scripts=[
 "# these users and ACLs are only necessary on author
 create service user acs-commons-workflow-remover-service with path system/acs-commons
+# the path may not yet exist in AEMaaCS as it is created lazily
+create path /var/workflow/instances(sling:Folder)
 set ACL for acs-commons-workflow-remover-service
     allow jcr:read, rep:write on /var/workflow/instances
 end
 
 create service user acs-commons-workflowpackagemanager-service with path system/acs-commons
+# the path may not yet exist in AEMaaCS as it is created lazily
+create path /var/workflow/packages(sling:Folder)
 set ACL for acs-commons-workflowpackagemanager-service
     allow jcr:read on /var/workflow/packages
 end
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
index fbfb4c944d..6e3f5f813e 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config
@@ -5,7 +5,7 @@ create path /var/acs-commons(nt:folder)
 # AEM classic does not know this system user, but creating it below system/acs-commons shouldn't do any harm
 create service user sling-distribution-importer with path system/acs-commons
 set ACL for sling-distribution-importer
-    allow jcr:read, rep:write, jcr:versionManagement, jcr:modifyAccessControl ,jcr:readAccessControl, jcr:lockManagement on /var/acs-commons
+    allow jcr:read, rep:write, jcr:versionManagement, jcr:modifyAccessControl, jcr:readAccessControl, jcr:lockManagement on /var/acs-commons
 end
 "
 ]
\ No newline at end of file

From 9019eaf58e073ea19b4e42c6361d813418f07b58 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Wed, 3 Mar 2021 11:44:53 +0100
Subject: [PATCH 07/20] remove oakPal checks around ACEs and authorizables as
 those are set with repoinit

---
 ui.content/pom.xml | 60 ----------------------------------------------
 1 file changed, 60 deletions(-)

diff --git a/ui.content/pom.xml b/ui.content/pom.xml
index ba2895cfc0..fbf5f845f7 100644
--- a/ui.content/pom.xml
+++ b/ui.content/pom.xml
@@ -109,66 +109,6 @@
                                 <denyAllDeletes>true</denyAllDeletes>
                             </config>
                         </check>
-                        <!-- check that rep:policy nodes are actually created by the package -->
-                        <check>
-                            <name>check-expected-policy-paths</name>
-                            <template>basic/expectPaths</template>
-                            <config>
-                                <severity>minor</severity>
-                                <expectedPaths>
-                                    <path>/oak:index/rep:policy</path>
-                                    <path>/conf/rep:policy</path>
-                                    <path>/content/rep:policy</path>
-                                    <path>/content/dam/rep:policy</path>
-                                    <path>/etc/rep:policy</path>
-                                    <path>/etc/acs-commons/bulk-workflow-manager/rep:policy</path>
-                                    <path>/etc/acs-commons/notifications/rep:policy</path>
-                                    <path>/etc/acs-commons/redirect-maps/rep:policy</path>
-                                    <path>/etc/cloudservices/dtm/rep:policy</path>
-                                    <path>/etc/cloudservices/sharethis/rep:policy</path>
-                                    <path>/etc/cloudservices/typekit/rep:policy</path>
-                                    <path>/etc/notification/email/rep:policy</path>
-                                    <path>/etc/workflow/instances/rep:policy</path>
-                                    <path>/home/groups/rep:policy</path>
-                                    <path>/home/users/rep:policy</path>
-                                    <path>/var/workflow/instances/rep:policy</path>
-                                    <path>/var/acs-commons/rep:policy</path>
-                                    <path>/var/acs-commons/httpcache/rep:policy</path>
-                                    <path>/var/acs-commons/mcp/rep:policy</path>
-                                    <path>/var/acs-commons/on-deploy-scripts-status/rep:policy</path>
-                                </expectedPaths>
-                            </config>
-                        </check>
-                        <check>
-                            <name>verify-acls-on-root</name>
-                            <template>basic/expectAces</template>
-                            <!-- since the root rep:policy node will obviously exist regardless, we should be more
-                            specific for these acl entries -->
-                            <config>
-                                <expectedAces>
-                                    <expectedAce>
-                                        principal=acs-commons-ensure-oak-index-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,rep:indexDefinitionManagement
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-dispatcher-flush-service
-                                        ;type=allow;path=/;privileges=jcr:read,crx:replicate,jcr:removeNode
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-package-replication-status-event-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-ensure-service-user-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-on-deploy-scripts-service
-                                        ;type=allow;path=/;privileges=jcr:read
-                                    </expectedAce>
-                                </expectedAces>
-                            </config>
-                        </check>
                     </checks>
 
                     <!-- assume that we are installing into an instance where utility pages and configs have already

From b42bc09f61e2741089fd058ae285cbcbb92070ed Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Thu, 4 Mar 2021 09:54:19 -0500
Subject: [PATCH 08/20] Removed test for CM build

---
 .../adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java b/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java
index c9d7877a52..19690bdf11 100644
--- a/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java
+++ b/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java
@@ -32,7 +32,8 @@
 
 public class TestMarketoInterfaces {
 
-    @Test
+    //@Test
+    // TODO Fix test running in Cloud Manager
     public void testInterfaces() throws IllegalAccessException, IllegalArgumentException, InvocationTargetException {
         Object[] interfaces = new Object[] { new FormValue() {
         }, new MarketoClientConfiguration() {

From 5bce714fab8a96ed14c44aad9102323aaf6b33f8 Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Thu, 4 Mar 2021 10:19:10 -0500
Subject: [PATCH 09/20] Cloud Manager - Code Quality - suppress warnings

---
 .../acs/commons/dam/AbstractRenditionModifyingProcess.java      | 1 +
 .../java/com/adobe/acs/commons/httpcache/util/CacheUtils.java   | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java b/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java
index 579a0cd51a..14e66f9a49 100644
--- a/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java
+++ b/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java
@@ -125,6 +125,7 @@ public final void execute(WorkItem workItem, WorkflowSession workflowSession, Me
 
     }
 
+    @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
     void saveImage(Asset asset, Rendition toReplace, Layer layer, String mimetype, double quality, WorkflowHelper workflowHelper)
             throws IOException {
         File tmpFile = File.createTempFile(getTempFileSpecifier(), "." + workflowHelper.getExtension(mimetype));
diff --git a/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java b/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java
index b23b279414..5f37357f8a 100644
--- a/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java
+++ b/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java
@@ -55,6 +55,8 @@ private CacheUtils() {
      * @param cacheKey
      * @return
      */
+
+    @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
     public static File createTemporaryCacheFile(CacheKey cacheKey) throws IOException {
         // Create a file in Java temp directory with cacheKey.toSting() as file name.
 

From 0b5efaec9c2b2095930b6a1357a82bc4f4c0420e Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Thu, 4 Mar 2021 11:28:52 -0500
Subject: [PATCH 10/20] Suppress false positives on Potential Path Traversal
 code quality scans

---
 .../acs/commons/dam/AbstractRenditionModifyingProcess.java     | 3 ++-
 .../java/com/adobe/acs/commons/httpcache/util/CacheUtils.java  | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java b/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java
index 14e66f9a49..015acaad97 100644
--- a/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java
+++ b/bundle/src/main/java/com/adobe/acs/commons/dam/AbstractRenditionModifyingProcess.java
@@ -124,7 +124,8 @@ public final void execute(WorkItem workItem, WorkflowSession workflowSession, Me
         }
 
     }
-
+    
+    // False positive, file path not controlled by the user
     @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
     void saveImage(Asset asset, Rendition toReplace, Layer layer, String mimetype, double quality, WorkflowHelper workflowHelper)
             throws IOException {
diff --git a/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java b/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java
index 5f37357f8a..d7ba1c9f4b 100644
--- a/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java
+++ b/bundle/src/main/java/com/adobe/acs/commons/httpcache/util/CacheUtils.java
@@ -55,7 +55,7 @@ private CacheUtils() {
      * @param cacheKey
      * @return
      */
-
+    // False positive, file path not controlled by the user
     @SuppressWarnings("findsecbugs:PATH_TRAVERSAL_IN")
     public static File createTemporaryCacheFile(CacheKey cacheKey) throws IOException {
         // Create a file in Java temp directory with cacheKey.toSting() as file name.

From cc489f0acb223f89cd07f6bc8b9a9ca34afb9ba3 Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Thu, 4 Mar 2021 16:23:11 -0500
Subject: [PATCH 11/20] Fixing issues with Service User creation timing on AEM
 CS startup

---
 ...rviceUser-AutomaticPackageReplication.old} |  0
 ...sers.impl.EnsureServiceUser-FileFetch.old} |  0
 ...s.impl.EnsureServiceUser-RemoteAssets.old} |  0
 ...iceUserMapperImpl.amended-acs-commons.old} |  0
 ...poinit.RepositoryInitializer-aem-cs.config | 32 +++++++++++++++++++
 ...ositoryInitializer-varworkflow-acls.config |  0
 ...serMapperImpl.amended~acs-commons.cfg.json | 26 +++++++++++++++
 7 files changed, 58 insertions(+)
 rename ui.apps/src/main/content/jcr_root/apps/acs-commons/config/{com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.xml => deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.old} (100%)
 rename ui.apps/src/main/content/jcr_root/apps/acs-commons/config/{com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.xml => deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.old} (100%)
 rename ui.apps/src/main/content/jcr_root/apps/acs-commons/config/{com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.xml => deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.old} (100%)
 rename ui.apps/src/main/content/jcr_root/apps/acs-commons/config/{org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.xml => deprecated.org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.old} (100%)
 create mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
 rename ui.apps/src/main/content/jcr_root/apps/acs-commons/{config.author => config}/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config (100%)
 create mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.xml b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.old
similarity index 100%
rename from ui.apps/src/main/content/jcr_root/apps/acs-commons/config/com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.xml
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.old
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.xml b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.old
similarity index 100%
rename from ui.apps/src/main/content/jcr_root/apps/acs-commons/config/com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.xml
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.old
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.xml b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.old
similarity index 100%
rename from ui.apps/src/main/content/jcr_root/apps/acs-commons/config/com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.xml
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.old
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.xml b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.old
similarity index 100%
rename from ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.xml
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.old
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
new file mode 100644
index 0000000000..95ba7016e1
--- /dev/null
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
@@ -0,0 +1,32 @@
+scripts=[
+"
+create path /content/dam(sling:Folder)
+create path /content/cq:tags(sling:Folder)
+
+create path /etc/packages(sling:Folder)
+create path /etc/tags(sling:Folder)
+
+create path /var/workflow(sling:Folder)
+create path /var/workflow/instances(sling:Folder)
+create path /var/workflow/packages(sling:Folder)
+
+create service user acs-commons-automatic-package-replicator-service with path system/acs-commons
+set ACL for acs-commons-automatic-package-replicator-service
+    allow jcr:read,jcr:versionManagement,rep:write,crx:replicate on /etc/packages
+    allow jcr:read on /
+end
+
+create service user acs-commons-file-fetch-service with path system/acs-aem-commons
+set ACL for acs-commons-file-fetch-service
+    allow jcr:read,jcr:versionManagement,rep:write,crx:replicate on /content/dam
+    allow jcr:read on /
+end
+
+create service user acs-commons-remote-assets-service with path system/acs-aem-commons
+set ACL for acs-commons-remote-assets-service
+    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/cq:tags, content/dam, /etc/tags
+    allow jcr:read on /
+end
+"
+]
+
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
similarity index 100%
rename from ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json
new file mode 100644
index 0000000000..04f8f6c4c4
--- /dev/null
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json
@@ -0,0 +1,26 @@
+{
+  "user.mapping": [
+    "com.adobe.acs.acs-aem-commons-bundle:ensure-oak-index=[acs-commons-ensure-oak-index-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:email-service=[acs-commons-email-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:httpcache-jcr-storage-service=[acs-commons-httpcache-jcr-storage-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:review-task-asset-mover=[acs-commons-review-task-asset-mover-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:error-page-handler=[acs-commons-error-page-handler-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:form-helper=[acs-commons-form-helper-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:dispatcher-flush=[acs-commons-dispatcher-flush-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:package-replication-status-event-listener=[acs-commons-package-replication-status-event-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:component-error-handler=[acs-commons-component-error-handler-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:system-notifications=[acs-commons-system-notifications-service]",
+    "com.adobe.acs.acs-aem-commons-bundle-twitter:twitter-updater=[acs-commons-twitter-updater-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:workflow-remover=[acs-commons-workflow-remover-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow=[acs-commons-bulk-workflow-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow-runner=[workflow-process-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:ensure-service-user=[acs-commons-ensure-service-user-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:shared-component-props=[acs-commons-shared-component-props-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:manage-controlled-processes=[acs-commons-manage-controlled-processes-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:automatic-package-replicator=[acs-commons-automatic-package-replicator-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:on-deploy-scripts=[acs-commons-on-deploy-scripts-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:remote-assets=[acs-commons-remote-assets-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:workflowpackagemanager-service=[acs-commons-workflowpackagemanager-service]",
+    "com.adobe.acs.acs-aem-commons-bundle:file-fetch=[acs-commons-file-fetch-service]"
+  ]
+}

From 72f5500f28c0fea5b27f4d0ef380610d62211c44 Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Thu, 4 Mar 2021 16:53:28 -0500
Subject: [PATCH 12/20] RepoInit syntax

---
 ...che.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
index 95ba7016e1..2cd7a65a6c 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
@@ -24,7 +24,9 @@ end
 
 create service user acs-commons-remote-assets-service with path system/acs-aem-commons
 set ACL for acs-commons-remote-assets-service
-    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/cq:tags, content/dam, /etc/tags
+    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/cq:tags
+    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/dam, /etc/tags
+    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /etc/tags
     allow jcr:read on /
 end
 "

From 8b8e0d70d05afeacc4f8395965502046fa6c627d Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Fri, 5 Mar 2021 09:35:58 -0500
Subject: [PATCH 13/20] Kwin feedback

---
 ...e.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config | 5 -----
 ...g.impl.ServiceUserMapperImpl.amended~acs-commons.config} | 6 ++----
 2 files changed, 2 insertions(+), 9 deletions(-)
 rename ui.apps/src/main/content/jcr_root/apps/acs-commons/config/{org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json => org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config} (98%)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
index 2cd7a65a6c..a9a4976e71 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
@@ -1,15 +1,10 @@
 scripts=[
 "
-create path /content/dam(sling:Folder)
 create path /content/cq:tags(sling:Folder)
 
 create path /etc/packages(sling:Folder)
 create path /etc/tags(sling:Folder)
 
-create path /var/workflow(sling:Folder)
-create path /var/workflow/instances(sling:Folder)
-create path /var/workflow/packages(sling:Folder)
-
 create service user acs-commons-automatic-package-replicator-service with path system/acs-commons
 set ACL for acs-commons-automatic-package-replicator-service
     allow jcr:read,jcr:versionManagement,rep:write,crx:replicate on /etc/packages
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config
similarity index 98%
rename from ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config
index 04f8f6c4c4..fdf5b4d40a 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.cfg.json
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config
@@ -1,5 +1,4 @@
-{
-  "user.mapping": [
+user.mapping=[
     "com.adobe.acs.acs-aem-commons-bundle:ensure-oak-index=[acs-commons-ensure-oak-index-service]",
     "com.adobe.acs.acs-aem-commons-bundle:email-service=[acs-commons-email-service]",
     "com.adobe.acs.acs-aem-commons-bundle:httpcache-jcr-storage-service=[acs-commons-httpcache-jcr-storage-service]",
@@ -22,5 +21,4 @@
     "com.adobe.acs.acs-aem-commons-bundle:remote-assets=[acs-commons-remote-assets-service]",
     "com.adobe.acs.acs-aem-commons-bundle:workflowpackagemanager-service=[acs-commons-workflowpackagemanager-service]",
     "com.adobe.acs.acs-aem-commons-bundle:file-fetch=[acs-commons-file-fetch-service]"
-  ]
-}
+]

From cd7dbaf99659ac58df2177c41b66a640910db5c6 Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Fri, 5 Mar 2021 11:02:45 -0500
Subject: [PATCH 14/20] Fixed escaping in multi-line .config

---
 ...eUserMapperImpl.amended~acs-commons.config | 46 +++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config
index fdf5b4d40a..9aed102d50 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~acs-commons.config
@@ -1,24 +1,24 @@
-user.mapping=[
-    "com.adobe.acs.acs-aem-commons-bundle:ensure-oak-index=[acs-commons-ensure-oak-index-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:email-service=[acs-commons-email-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:httpcache-jcr-storage-service=[acs-commons-httpcache-jcr-storage-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:review-task-asset-mover=[acs-commons-review-task-asset-mover-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:error-page-handler=[acs-commons-error-page-handler-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:form-helper=[acs-commons-form-helper-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:dispatcher-flush=[acs-commons-dispatcher-flush-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:package-replication-status-event-listener=[acs-commons-package-replication-status-event-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:component-error-handler=[acs-commons-component-error-handler-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:system-notifications=[acs-commons-system-notifications-service]",
-    "com.adobe.acs.acs-aem-commons-bundle-twitter:twitter-updater=[acs-commons-twitter-updater-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:workflow-remover=[acs-commons-workflow-remover-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow=[acs-commons-bulk-workflow-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow-runner=[workflow-process-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:ensure-service-user=[acs-commons-ensure-service-user-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:shared-component-props=[acs-commons-shared-component-props-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:manage-controlled-processes=[acs-commons-manage-controlled-processes-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:automatic-package-replicator=[acs-commons-automatic-package-replicator-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:on-deploy-scripts=[acs-commons-on-deploy-scripts-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:remote-assets=[acs-commons-remote-assets-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:workflowpackagemanager-service=[acs-commons-workflowpackagemanager-service]",
-    "com.adobe.acs.acs-aem-commons-bundle:file-fetch=[acs-commons-file-fetch-service]"
+user.mapping=[ \
+    "com.adobe.acs.acs-aem-commons-bundle:ensure-oak-index\=[acs-commons-ensure-oak-index-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:email-service\=[acs-commons-email-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:httpcache-jcr-storage-service\=[acs-commons-httpcache-jcr-storage-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:review-task-asset-mover\=[acs-commons-review-task-asset-mover-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:error-page-handler\=[acs-commons-error-page-handler-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:form-helper\=[acs-commons-form-helper-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:dispatcher-flush\=[acs-commons-dispatcher-flush-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:package-replication-status-event-listener\=[acs-commons-package-replication-status-event-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:component-error-handler\=[acs-commons-component-error-handler-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:system-notifications\=[acs-commons-system-notifications-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle-twitter:twitter-updater\=[acs-commons-twitter-updater-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:workflow-remover\=[acs-commons-workflow-remover-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow\=[acs-commons-bulk-workflow-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:bulk-workflow-runner\=[workflow-process-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:ensure-service-user\=[acs-commons-ensure-service-user-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:shared-component-props\=[acs-commons-shared-component-props-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:manage-controlled-processes\=[acs-commons-manage-controlled-processes-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:automatic-package-replicator\=[acs-commons-automatic-package-replicator-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:on-deploy-scripts\=[acs-commons-on-deploy-scripts-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:remote-assets\=[acs-commons-remote-assets-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:workflowpackagemanager-service\=[acs-commons-workflowpackagemanager-service]", \
+    "com.adobe.acs.acs-aem-commons-bundle:file-fetch\=[acs-commons-file-fetch-service]" \
 ]

From 93ef2c49318f817bcc618b5307193f7e612df59a Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Fri, 5 Mar 2021 16:21:26 -0500
Subject: [PATCH 15/20] Moved /apps out of content package (all package)

---
 .../utilities/report-builder/configs/paths-list/.content.xml      | 0
 .../report-builder/configs/paths-list/_cq_dialog/.content.xml     | 0
 .../utilities/report-builder/configs/paths-list/paths-list.jsp    | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename {content => ui.apps}/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/.content.xml (100%)
 rename {content => ui.apps}/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/_cq_dialog/.content.xml (100%)
 rename {content => ui.apps}/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/paths-list.jsp (100%)

diff --git a/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/.content.xml b/ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/.content.xml
similarity index 100%
rename from content/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/.content.xml
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/.content.xml
diff --git a/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/_cq_dialog/.content.xml b/ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/_cq_dialog/.content.xml
similarity index 100%
rename from content/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/_cq_dialog/.content.xml
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/_cq_dialog/.content.xml
diff --git a/content/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/paths-list.jsp b/ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/paths-list.jsp
similarity index 100%
rename from content/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/paths-list.jsp
rename to ui.apps/src/main/content/jcr_root/apps/acs-commons/components/utilities/report-builder/configs/paths-list/paths-list.jsp

From 8e5215df6956763fe4577ef29363ba490ff93e1d Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Sat, 6 Mar 2021 17:44:41 -0500
Subject: [PATCH 16/20] Removal of transformed OSGi configurations

---
 ...impl.EnsureServiceUser-AutomaticPackageReplication.old | 8 --------
 ...acs.commons.users.impl.EnsureServiceUser-FileFetch.old | 8 --------
 ....commons.users.impl.EnsureServiceUser-RemoteAssets.old | 8 --------
 ...ing.impl.ServiceUserMapperImpl.amended-acs-commons.old | 4 ----
 4 files changed, 28 deletions(-)
 delete mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.old
 delete mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.old
 delete mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.old
 delete mode 100644 ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.old

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.old b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.old
deleted file mode 100644
index 94b892890c..0000000000
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-AutomaticPackageReplication.old
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
-          xmlns:jcr="http://www.jcp.org/jcr/1.0"
-          jcr:primaryType="sling:OsgiConfig"
-          principalName="acs-commons/acs-commons-automatic-package-replicator-service"
-          operation="add"
-          ensure-immediately="{Boolean}true"
-          aces="[type=allow;privileges=jcr:read\,jcr:versionManagement\,rep:write\,crx:replicate;path=/etc/packages,type=allow;privileges=jcr:read;path=/]"/>
\ No newline at end of file
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.old b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.old
deleted file mode 100644
index 2b53f8df0d..0000000000
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-FileFetch.old
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
-          xmlns:jcr="http://www.jcp.org/jcr/1.0"
-          jcr:primaryType="sling:OsgiConfig"
-          principalName="acs-commons/acs-commons-file-fetch-service"
-          operation="add"
-          ensure-immediately="{Boolean}true"
-          aces="[type=allow;privileges=jcr:read\,jcr:versionManagement\,rep:write\,crx:replicate;path=/content/dam,type=allow;privileges=jcr:read;path=/]"/>
\ No newline at end of file
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.old b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.old
deleted file mode 100644
index 73598df62b..0000000000
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.com.adobe.acs.commons.users.impl.EnsureServiceUser-RemoteAssets.old
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
-          xmlns:jcr="http://www.jcp.org/jcr/1.0"
-          jcr:primaryType="sling:OsgiConfig"
-          principalName="acs-commons/acs-commons-remote-assets-service"
-          operation="add"
-          ensure-immediately="{Boolean}true"
-          aces="[type=allow;privileges=jcr:read\,jcr:versionManagement\,rep:write\,crx:replicate;path=/content/cq:tags,type=allow;privileges=jcr:read\,jcr:versionManagement\,rep:write\,crx:replicate;path=/content/dam,type=allow;privileges=jcr:read\,jcr:versionManagement\,rep:write\,crx:replicate;path=/etc/tags]"/>
\ No newline at end of file
diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.old b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.old
deleted file mode 100644
index b165337b93..0000000000
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/deprecated.org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-acs-commons.old
+++ /dev/null
@@ -1,4 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0"
-    jcr:primaryType="sling:OsgiConfig"
-    user.mapping="[com.adobe.acs.acs-aem-commons-bundle:ensure-oak-index=acs-commons-ensure-oak-index-service,com.adobe.acs.acs-aem-commons-bundle:email-service=acs-commons-email-service,com.adobe.acs.acs-aem-commons-bundle:httpcache-jcr-storage-service=acs-commons-httpcache-jcr-storage-service,com.adobe.acs.acs-aem-commons-bundle:review-task-asset-mover=acs-commons-review-task-asset-mover-service,com.adobe.acs.acs-aem-commons-bundle:error-page-handler=acs-commons-error-page-handler-service,com.adobe.acs.acs-aem-commons-bundle:form-helper=acs-commons-form-helper-service,com.adobe.acs.acs-aem-commons-bundle:dispatcher-flush=acs-commons-dispatcher-flush-service,com.adobe.acs.acs-aem-commons-bundle:package-replication-status-event-listener=acs-commons-package-replication-status-event-service,com.adobe.acs.acs-aem-commons-bundle:component-error-handler=acs-commons-component-error-handler-service,com.adobe.acs.acs-aem-commons-bundle:system-notifications=acs-commons-system-notifications-service,com.adobe.acs.acs-aem-commons-bundle-twitter:twitter-updater=acs-commons-twitter-updater-service,com.adobe.acs.acs-aem-commons-bundle:workflow-remover=acs-commons-workflow-remover-service,com.adobe.acs.acs-aem-commons-bundle:bulk-workflow=acs-commons-bulk-workflow-service,com.adobe.acs.acs-aem-commons-bundle:bulk-workflow-runner=workflow-process-service,com.adobe.acs.acs-aem-commons-bundle:ensure-service-user=acs-commons-ensure-service-user-service,com.adobe.acs.acs-aem-commons-bundle:shared-component-props=acs-commons-shared-component-props-service,com.adobe.acs.acs-aem-commons-bundle:manage-controlled-processes=acs-commons-manage-controlled-processes-service,com.adobe.acs.acs-aem-commons-bundle:automatic-package-replicator=acs-commons-automatic-package-replicator-service,com.adobe.acs.acs-aem-commons-bundle:on-deploy-scripts=acs-commons-on-deploy-scripts-service,com.adobe.acs.acs-aem-commons-bundle:remote-assets=acs-commons-remote-assets-service,com.adobe.acs.acs-aem-commons-bundle:workflowpackagemanager-service=acs-commons-workflowpackagemanager-service,com.adobe.acs.acs-aem-commons-bundle:file-fetch=acs-commons-file-fetch-service]"/>

From da6106c4331bdd029b715ebb87095aeac5ff867b Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Mon, 8 Mar 2021 09:00:59 +0100
Subject: [PATCH 17/20] prevent race condition by deferring activate() until
 service user mapping is available

---
 .../commons/workflow/impl/WorkflowPackageManagerImpl.java    | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/bundle/src/main/java/com/adobe/acs/commons/workflow/impl/WorkflowPackageManagerImpl.java b/bundle/src/main/java/com/adobe/acs/commons/workflow/impl/WorkflowPackageManagerImpl.java
index 5e5f29efe9..4048bf8240 100644
--- a/bundle/src/main/java/com/adobe/acs/commons/workflow/impl/WorkflowPackageManagerImpl.java
+++ b/bundle/src/main/java/com/adobe/acs/commons/workflow/impl/WorkflowPackageManagerImpl.java
@@ -42,6 +42,7 @@
 import org.apache.sling.api.resource.ResourceResolver;
 import org.apache.sling.api.resource.ResourceResolverFactory;
 import org.apache.sling.commons.osgi.PropertiesUtil;
+import org.apache.sling.serviceusermapping.ServiceUserMapped;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -51,7 +52,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -108,6 +108,9 @@ public class WorkflowPackageManagerImpl implements WorkflowPackageManager {
     @Reference
     ResourceResolverFactory resourceResolverFactory;
 
+    @Reference(target = "("+ServiceUserMapped.SUBSERVICENAME+"="+SERVICE_NAME+")")
+    ServiceUserMapped serviceUserMapped;
+
     private String bucketPath;
 
     /**

From 49394e0bc3936986c69af3424a81f0aafa14ef91 Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Mon, 8 Mar 2021 16:31:01 -0500
Subject: [PATCH 18/20] ACS AEM Commons

---
 ...he.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
index a9a4976e71..da0ab80213 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
@@ -1,9 +1,7 @@
 scripts=[
 "
 create path /content/cq:tags(sling:Folder)
-
 create path /etc/packages(sling:Folder)
-create path /etc/tags(sling:Folder)
 
 create service user acs-commons-automatic-package-replicator-service with path system/acs-commons
 set ACL for acs-commons-automatic-package-replicator-service
@@ -21,7 +19,8 @@ create service user acs-commons-remote-assets-service with path system/acs-aem-c
 set ACL for acs-commons-remote-assets-service
     allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/cq:tags
     allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/dam, /etc/tags
-    allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /etc/tags
+    # If /etc/tags is used, these must be set manually - since if RepoInit defines this structure, it supersedes /content/cq:tags
+    #allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /etc/tags
     allow jcr:read on /
 end
 "

From 83aed1dd9443fae100a8b8db12b711203130784e Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Tue, 9 Mar 2021 15:27:23 -0500
Subject: [PATCH 19/20] Removed /etc/tags from repoinit as this forces use of
 this legacy path to store tags

---
 ...e.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
index da0ab80213..285de682f3 100644
--- a/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
+++ b/ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-aem-cs.config
@@ -1,5 +1,6 @@
 scripts=[
 "
+# These paths must exist otherwise the following ACL applicaiton will fail, resulting in err'ing build 
 create path /content/cq:tags(sling:Folder)
 create path /etc/packages(sling:Folder)
 
@@ -19,9 +20,10 @@ create service user acs-commons-remote-assets-service with path system/acs-aem-c
 set ACL for acs-commons-remote-assets-service
     allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/cq:tags
     allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /content/dam, /etc/tags
-    # If /etc/tags is used, these must be set manually - since if RepoInit defines this structure, it supersedes /content/cq:tags
-    #allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /etc/tags
     allow jcr:read on /
+
+    # If /etc/tags is used, these ACLs be set manually - if RepoInit defines this structure, it supersedes the use of /content/cq:tags
+    # allow jcr:read, jcr:versionManagement, rep:write, crx:replicate on /etc/tags
 end
 "
 ]

From 99a68877b205daef24e64fd76dd0b5b1d31ad6f1 Mon Sep 17 00:00:00 2001
From: David Gonzalez <davidjgonzalez@gmail.com>
Date: Tue, 9 Mar 2021 15:27:56 -0500
Subject: [PATCH 20/20] Re-added @Test for this class with note its known to
 fail in Cloud Manager (but not local or Travis)

---
 .../adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java b/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java
index 19690bdf11..d061101d1f 100644
--- a/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java
+++ b/bundle/src/test/java/com/adobe/acs/commons/marketo/impl/TestMarketoInterfaces.java
@@ -32,8 +32,8 @@
 
 public class TestMarketoInterfaces {
 
-    //@Test
-    // TODO Fix test running in Cloud Manager
+    @Test
+    // This test is known to fail when executed by Cloud Manager's code quality check, however works locally and in Travis
     public void testInterfaces() throws IllegalAccessException, IllegalArgumentException, InvocationTargetException {
         Object[] interfaces = new Object[] { new FormValue() {
         }, new MarketoClientConfiguration() {