diff --git a/actool-example/META-INF/MANIFEST.MF b/actool-example/META-INF/MANIFEST.MF new file mode 100644 index 0000000..e9d8645 --- /dev/null +++ b/actool-example/META-INF/MANIFEST.MF @@ -0,0 +1,5 @@ +Manifest-Version: 1.0 +Content-Package-Id: my_packages:actool-example +Content-Package-Roots: /apps/actool-example +Content-Package-Type: application + diff --git a/actool-example/META-INF/vault/config.xml b/actool-example/META-INF/vault/config.xml new file mode 100644 index 0000000..b525f1c --- /dev/null +++ b/actool-example/META-INF/vault/config.xml @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/actool-example/META-INF/vault/definition/.content.xml b/actool-example/META-INF/vault/definition/.content.xml new file mode 100644 index 0000000..c490fe2 --- /dev/null +++ b/actool-example/META-INF/vault/definition/.content.xml @@ -0,0 +1,25 @@ + + + + + + diff --git a/actool-example/META-INF/vault/filter.xml b/actool-example/META-INF/vault/filter.xml new file mode 100644 index 0000000..c45186e --- /dev/null +++ b/actool-example/META-INF/vault/filter.xml @@ -0,0 +1,4 @@ + + + + diff --git a/actool-example/META-INF/vault/nodetypes.cnd b/actool-example/META-INF/vault/nodetypes.cnd new file mode 100644 index 0000000..8f00f08 --- /dev/null +++ b/actool-example/META-INF/vault/nodetypes.cnd @@ -0,0 +1,13 @@ +<'sling'='http://sling.apache.org/jcr/sling/1.0'> +<'nt'='http://www.jcp.org/jcr/nt/1.0'> +<'rep'='internal'> + +[sling:Folder] > nt:folder + - * (undefined) multiple + - * (undefined) + + * (nt:base) = sling:Folder version + +[rep:RepoAccessControllable] + mixin + + rep:repoPolicy (rep:Policy) protected ignore + diff --git a/actool-example/META-INF/vault/properties.xml b/actool-example/META-INF/vault/properties.xml new file mode 100644 index 0000000..3df5871 --- /dev/null +++ b/actool-example/META-INF/vault/properties.xml 
@@ -0,0 +1,19 @@
+
+
+
+FileVault Package Properties
+
+application
+admin
+2
+my_packages
+2023-10-17T14:05:32.916+09:00
+admin
+1
+2023-10-17T14:05:32.908+09:00
+
+
+admin
+actool-example
+2023-10-17T14:05:32.908+09:00
+
diff --git a/actool-example/jcr_root/.content.xml b/actool-example/jcr_root/.content.xml
new file mode 100644
index 0000000..8ea9f2a
--- /dev/null
+++ b/actool-example/jcr_root/.content.xml
@@ -0,0 +1,6 @@
+
+
diff --git a/actool-example/jcr_root/apps/.content.xml b/actool-example/jcr_root/apps/.content.xml
new file mode 100644
index 0000000..54084a8
--- /dev/null
+++ b/actool-example/jcr_root/apps/.content.xml
@@ -0,0 +1,4 @@
+
+
diff --git a/actool-example/jcr_root/apps/actool-example/acl-template/fragment-base.author/base.yaml b/actool-example/jcr_root/apps/actool-example/acl-template/fragment-base.author/base.yaml
new file mode 100644
index 0000000..a2de70b
--- /dev/null
+++ b/actool-example/jcr_root/apps/actool-example/acl-template/fragment-base.author/base.yaml
@@ -0,0 +1,206 @@
+# System configuration (all global fragments)
+
+- group_config:
+
+ - fragment-basic-allow:
+
+ - name:
+ memberOf:
+ path: f
+
+ - fragment-restrict-for-everyone:
+
+ - name:
+ memberOf:
+ path: f
+
+
+
+
+- ace_config:
+
+
+ - fragment-basic-allow:
+
+ - path: /
+ permission: allow
+ actions: read
+ privileges:
+ repGlob:
+
+ ## allows access to nodes that are readable for all users
+ ### /content
+ - path: /content
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /content
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ ### /content/experience-fragments
+ - path: /content/experience-fragments
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /content/experience-fragments
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ ### /content/dam
+ - path: /content/dam
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /content/dam
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ ### /content/dam/projects
+ - path: /content/dam/projects
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /content/dam/projects
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ ### /content/dam/collections
+ - path: /content/dam/collections
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /content/dam/collections
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ ### /content/projects
+ - path: /content/projects
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /content/projects
+ permission: allow
+ actions:
+
privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ ### /content/cq:tags
+ - path: /content/cq:tags
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /content/cq:tags
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ ### /conf
+ - path: /conf
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: ""
+
+ - path: /conf
+ permission: allow
+ actions:
+ privileges: jcr:read,jcr:readAccessControl
+ repGlob: /jcr:*
+
+
+ - fragment-restrict-for-everyone:
+
+ # reset acls of the user contents for the built-in groups
+ - path: /content
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+ - path: /content/experience-fragments
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+ - path: /content/dam
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+ - path: /content/dam/projects
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+ - path: /content/dam/collections
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+ - path: /content/projects
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+ - path: /content/cq:tags
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+ - path: /conf
+ permission: deny
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+
+
+
+
diff --git a/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/case-study.yaml b/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/case-study.yaml
new file mode 100644
index 0000000..178175c
--- /dev/null
+++ b/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/case-study.yaml
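Review bot: The first ACE of `fragment-basic-allow` (`path: /`, `actions: read`, empty `repGlob`) grants read over the whole repository, and the deny entries in `fragment-restrict-for-everyone` only take that back under the listed `/content/...` subtrees and `/conf`, so every other root (e.g. `/home`, `/etc`, `/var`) stays readable to each group that inherits these fragments. If repository-wide read is intended, a comment at that entry stating which trees it is meant to expose would document the decision; otherwise the allow should be narrowed to the paths the fragments actually need. The intended net effect also depends on the deny entries of one group taking precedence over the allows of another, which is worth stating explicitly in the `# reset acls` comment since the two fragments are applied as separate groups. Two items read like leftovers: the group entries use `memberOf:` where the other files in this commit use `isMemberOf:`, and `path: f` (vs. `path: /home/groups/${sitePrefix}` elsewhere) looks like a truncated intermediate path.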
@@ -0,0 +1,76 @@
+# Role groups for We-Retail
+
+# /content/we-retail/language-masters/it/A1
+# /content/we-retail/language-masters/it/F1
+# /content/we-retail/language-masters/it/A1/B2
+# /content/we-retail/language-masters/it/A1/E2
+# /content/we-retail/language-masters/it/A1/B2/C3
+# /content/we-retail/language-masters/it/A1/B2/D3
+
+
+- group_config:
+ - sample-group:
+ - name: sample group
+ isMemberOf: fragment-restrict-for-everyone,fragment-basic-allow
+
+
+- ace_config:
+
+ - sample-group:
+
+ ## allows access to nodes that are readable for all users
+ ### /content
+ - FOR path IN [/content/we-retail, /content/we-retail/A1]:
+ - path: ${path}
+ permission: allow
+ actions:
+ privileges: jcr:read
+ repGlob: ""
+
+ - path: ${path}
+ permission: allow
+ actions:
+ privileges: jcr:read
+ repGlob: /jcr:*
+
+ - FOR path IN [/content/we-retail/A1/B2]:
+ - path: ${path}
+ permission: allow
+ actions: read,modify
+ privileges:
+ repGlob: ""
+
+ - path: ${path}
+ permission: allow
+ actions: read,modify
+ privileges:
+ repGlob: /jcr:*
+
+ - FOR path IN [/content/we-retail/A1/B2/C3,/content/we-retail/F1]:
+ - path: ${path}
+ permission: allow
+ actions: read,modify,create
+ privileges:
+ repGlob:
+
+
+ - path: /content/dam
+ permission: allow
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+ - path: /conf
+ permission: allow
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+ - path: /content/we-retail/language-masters/en
+ permission: allow
+ actions:
+ privileges: jcr:all
+ repGlob:
+
+
+
diff --git a/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/content-group.yaml b/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/content-group.yaml
new file mode 100644
index 0000000..db32d99
--- /dev/null
+++ b/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/content-group.yaml
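Review bot: `sample-group` is granted `privileges: jcr:all` with an empty `repGlob` on `/content/dam`, `/conf` and `/content/we-retail/language-masters/en`; `jcr:all` aggregates `jcr:modifyAccessControl`, so members of this group can rewrite the ACLs on those trees and effectively undo the deny fragments the group inherits via `isMemberOf`. For a sample group an explicit list such as `privileges: jcr:read,rep:write` (or the `actions:` form used in the `FOR` entries above) would state what is actually required and keep ACL administration out of scope. The header comment lists `/content/we-retail/language-masters/it/...` paths while the `FOR` loops below target `/content/we-retail/A1...` and `/content/we-retail/F1`; one of the two should be corrected so the comment documents the rules that follow.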
@@ -0,0 +1,207 @@
+# Content groups for We-Retail
+- DEF sitePrefix=weretail
+- DEF countryArr=[us, ca, ch, de, fr, es, it]
+- DEF permissionOfRole=:
+ editor: read,modify,create
+ publisher: read,modify,create,delete
+ approver: read,modify,create,delete,acl_read
+
+
+- group_config:
+
+ - FOR country IN ${countryArr}:
+
+ - content-${sitePrefix}-${country}-for-editor:
+ - name: We-Retail ${country} content for editor
+ isMemberOf:
+ path: /home/groups/${sitePrefix}
+
+
+ - content-${sitePrefix}-${country}-for-publisher:
+ - name: We-Retail ${country} content for publisher
+ isMemberOf:
+ path: /home/groups/${sitePrefix}
+
+
+ - content-${sitePrefix}-${country}-for-approver:
+ - name: We-Retail ${country} content for approver
+ isMemberOf: workflow-administrators
+ path: /home/groups/${sitePrefix}
+
+
+ - content-${sitePrefix}-language-masters-for-editor:
+ - name: We-Retail language-masters content for editor
+ isMemberOf:
+ path: /home/groups/${sitePrefix}
+
+
+ - content-${sitePrefix}-language-masters-for-publisher:
+ - name: We-Retail language-masters content for publisher
+ isMemberOf:
+ path: /home/groups/${sitePrefix}
+
+
+ - content-${sitePrefix}-language-masters-for-approver:
+ - name: We-Retail language-masters content for approver
+ isMemberOf:
+ path: /home/groups/${sitePrefix}
+
+
+
+
+- ace_config:
+
+ ## for language-masters
+ - FOR country IN ${countryArr}:
+ - FOR role IN ${keys(permissionOfRole)}:
+
+ - content-${sitePrefix}-${country}-for-${role}:
+ - path: /content/we-retail
+ permission: allow
+ actions: read
+ privileges:
+
+ - path: /content/we-retail/${country}
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/experience-fragments
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/dam/we-retail
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/dam/projects/we-retail
+ permission: allow
+ actions:
${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/projects
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ # delete permission is necessary if you want to make a launch
+ - path: /content/launches
+ permission: allow
+ actions: read,modify,create,delete
+ privileges:
+
+ - path: /content/cq:tags/we-retail
+ permission: allow
+ actions: read
+ privileges:
+
+ - path: /conf/we-retail/settings/wcm/templates
+ permission: allow
+ actions: read
+ privileges:
+
+ - path: /conf/we-retail/settings/wcm/policies
+ permission: allow
+ actions: read
+ privileges:
+
+
+ - IF ${startsWith(role, "publisher") or startsWith(role, "approver")}:
+
+ - path: /conf
+ permission: allow
+ privileges: crx:replicate
+ restrictions:
+ rep:glob: '/*/cloudconfigs'
+
+ - path: /conf
+ permission: allow
+ privileges: crx:replicate
+ restrictions:
+ rep:glob: '/*/cloudconfigs/*'
+
+ ## replicate permission of the template and the policiess is necessary if you want to publish pages
+ - path: /conf/we-retail/settings/wcm/templates
+ permission: allow
+ privileges: crx:replicate
+
+ - path: /conf/we-retail/settings/wcm/policies
+ permission: allow
+ privileges: crx:replicate
+
+
+ ## for language-masters
+ - FOR role IN ${keys(permissionOfRole)}:
+
+ - content-${sitePrefix}-language-masters-for-${role}:
+ - path: /content/we-retail
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/experience-fragments
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/dam/we-retail
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/dam/projects/we-retail
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ - path: /content/projects
+ permission: allow
+ actions: ${permissionOfRole[role]}
+ privileges:
+
+ # delete permission is necessary if you want to make a launch
+ - path: /content/launches
+ permission: allow
+ actions:
read,modify,create,delete
+ privileges:
+
+ - path: /content/cq:tags/we-retail
+ permission: allow
+ actions: read,modify,create,delete
+ privileges:
+
+ - path: /conf/we-retail/settings/wcm/templates
+ permission: allow
+ actions: read
+ privileges:
+
+ - path: /conf/we-retail/settings/wcm/policies
+ permission: allow
+ actions: read
+ privileges:
+
+
+ - IF ${startsWith(role, "publisher") or startsWith(role, "approver")}:
+
+ - path: /conf
+ permission: allow
+ privileges: crx:replicate
+ restrictions:
+ rep:glob: '/*/cloudconfigs'
+
+ - path: /conf
+ permission: allow
+ privileges: crx:replicate
+ restrictions:
+ rep:glob: '/*/cloudconfigs/*'
+
+ ## replicate permission of the template and the policiess is necessary if you want to publish pages
+ - path: /conf/we-retail/settings/wcm/templates
+ permission: allow
+ privileges: crx:replicate
+
+ - path: /conf/we-retail/settings/wcm/policies
+ permission: allow
+ privileges: crx:replicate
diff --git a/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/fragment-role.yaml b/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/fragment-role.yaml
new file mode 100644
index 0000000..3ceb484
--- /dev/null
+++ b/actool-example/jcr_root/apps/actool-example/acl-template/we-retail.author/fragment-role.yaml
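Review bot: In the country loop, `/content/experience-fragments`, `/content/projects` and `/content/launches` receive `${permissionOfRole[role]}` (or `read,modify,create,delete`) at the root of those trees, while `/content/dam/we-retail` and `/content/cq:tags/we-retail` are scoped to the site, so a we-retail country editor can modify every site's experience fragments, projects and launches. If site scoping is intended, the paths should be `/content/experience-fragments/we-retail` and `/content/projects/we-retail` (the same applies to the language-masters loop); if the trees are deliberately shared, a comment saying so next to those entries would document it. Likewise the `crx:replicate` grant on `/conf` uses `rep:glob: '/*/cloudconfigs'` and `'/*/cloudconfigs/*'`, which as written is not limited to the we-retail configuration even though the template and policy entries below it are. The `## for language-masters` heading above `FOR country IN ${countryArr}` is a copy of the one below and should say it covers the per-country groups; "policiess" is a typo in both replicate comments.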
@@ -0,0 +1,24 @@
+# Role groups for We-Retail
+- DEF sitePrefix=weretail
+- DEF countryLangMasterArr=[us, ca, ch, de, fr, es, it, language-masters]
+
+
+- group_config:
+ - FOR country IN ${countryLangMasterArr}:
+
+ - ${sitePrefix}-${country}-editor:
+ - name: We-Retail ${country} editor
+ isMemberOf: fragment-restrict-for-everyone,fragment-basic-allow,content-authors,content-weretail-${country}-for-editor
+ path: /home/groups/${sitePrefix}
+
+ - ${sitePrefix}-${country}-publisher:
+ - name: We-Retail ${country} publisher
+ isMemberOf: fragment-restrict-for-everyone,fragment-basic-allow,content-authors,workflow-users,content-weretail-${country}-for-publisher
+ path: /home/groups/${sitePrefix}
+
+ - ${sitePrefix}-${country}-approver:
+ - name: We-Retail ${country} approver
+ isMemberOf: fragment-restrict-for-everyone,fragment-basic-allow,content-authors,workflow-administrators,content-weretail-${country}-for-approver
+ path: /home/groups/${sitePrefix}
+
+
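Review bot: The three `isMemberOf` lists hard-code the `content-weretail-${country}-for-…` group names while the group ids and `path` in the same file derive from `DEF sitePrefix=weretail`, and `content-group.yaml` builds the target groups as `content-${sitePrefix}-…`, so changing `sitePrefix` in either file silently breaks the membership instead of following the variable. Using the variable in all three entries, e.g. `isMemberOf: fragment-restrict-for-everyone,fragment-basic-allow,content-authors,content-${sitePrefix}-${country}-for-editor`, keeps the role groups and content groups in lock-step. `language-masters` is iterated as a country here, which relies on `content-group.yaml` defining `content-${sitePrefix}-language-masters-for-<role>` groups with exactly matching names; a comment on the `DEF countryLangMasterArr` line naming that dependency would help the next maintainer.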