pepr 0.12.2 → 0.13.1

package/dist/lib.js

@@ -33,8 +33,9 @@ __export(lib_exports, {
   Capability: () => Capability,
   Log: () => logger_default,
   PeprModule: () => PeprModule,
-  PeprRequest: () => PeprRequest,
+  PeprMutateRequest: () => PeprMutateRequest,
   PeprUtils: () => utils_exports,
+  PeprValidateRequest: () => PeprValidateRequest,
   R: () => R,
   RegisterKind: () => RegisterKind,
   a: () => upstream_exports,
@@ -48,55 +49,63 @@ var k8s = __toESM(require("@kubernetes/client-node"));
 var import_http_status_codes2 = require("http-status-codes");
 var R = __toESM(require("ramda"));
 
+// src/lib/capability.ts
+var import_ramda = require("ramda");
+
 // src/lib/k8s/upstream.ts
 var upstream_exports = {};
 __export(upstream_exports, {
-  APIService: () => import_client_node.V1APIService,
-  CSIDriver: () => import_client_node.V1CSIDriver,
-  CSIStorageCapacity: () => import_client_node.V1CSIStorageCapacity,
-  CertificateSigningRequest: () => import_client_node.V1CertificateSigningRequest,
-  ConfigMap: () => import_client_node.V1ConfigMap,
-  ControllerRevision: () => import_client_node.V1ControllerRevision,
-  CronJob: () => import_client_node.V1CronJob,
-  CustomResourceDefinition: () => import_client_node.V1CustomResourceDefinition,
-  DaemonSet: () => import_client_node.V1DaemonSet,
-  Deployment: () => import_client_node.V1Deployment,
-  EndpointSlice: () => import_client_node.V1EndpointSlice,
+  APIService: () => import_client_node2.V1APIService,
+  CSIDriver: () => import_client_node2.V1CSIDriver,
+  CSIStorageCapacity: () => import_client_node2.V1CSIStorageCapacity,
+  CertificateSigningRequest: () => import_client_node2.V1CertificateSigningRequest,
+  ClusterRole: () => import_client_node2.V1ClusterRole,
+  ClusterRoleBinding: () => import_client_node2.V1ClusterRoleBinding,
+  ConfigMap: () => import_client_node2.V1ConfigMap,
+  ControllerRevision: () => import_client_node2.V1ControllerRevision,
+  CronJob: () => import_client_node2.V1CronJob,
+  CustomResourceDefinition: () => import_client_node2.V1CustomResourceDefinition,
+  DaemonSet: () => import_client_node2.V1DaemonSet,
+  Deployment: () => import_client_node2.V1Deployment,
+  EndpointSlice: () => import_client_node2.V1EndpointSlice,
   GenericKind: () => GenericKind,
-  HorizontalPodAutoscaler: () => import_client_node.V1HorizontalPodAutoscaler,
-  Ingress: () => import_client_node.V1Ingress,
-  IngressClass: () => import_client_node.V1IngressClass,
-  Job: () => import_client_node.V1Job,
-  LimitRange: () => import_client_node.V1LimitRange,
-  LocalSubjectAccessReview: () => import_client_node.V1LocalSubjectAccessReview,
-  MutatingWebhookConfiguration: () => import_client_node.V1MutatingWebhookConfiguration,
-  Namespace: () => import_client_node.V1Namespace,
-  NetworkPolicy: () => import_client_node.V1NetworkPolicy,
-  Node: () => import_client_node.V1Node,
-  PersistentVolume: () => import_client_node.V1PersistentVolume,
-  PersistentVolumeClaim: () => import_client_node.V1PersistentVolumeClaim,
-  Pod: () => import_client_node.V1Pod,
-  PodDisruptionBudget: () => import_client_node.V1PodDisruptionBudget,
-  PodTemplate: () => import_client_node.V1PodTemplate,
-  ReplicaSet: () => import_client_node.V1ReplicaSet,
-  ReplicationController: () => import_client_node.V1ReplicationController,
-  ResourceQuota: () => import_client_node.V1ResourceQuota,
-  RuntimeClass: () => import_client_node.V1RuntimeClass,
-  Secret: () => import_client_node.V1Secret,
-  SelfSubjectAccessReview: () => import_client_node.V1SelfSubjectAccessReview,
-  SelfSubjectRulesReview: () => import_client_node.V1SelfSubjectRulesReview,
-  Service: () => import_client_node.V1Service,
-  ServiceAccount: () => import_client_node.V1ServiceAccount,
-  StatefulSet: () => import_client_node.V1StatefulSet,
-  StorageClass: () => import_client_node.V1StorageClass,
-  SubjectAccessReview: () => import_client_node.V1SubjectAccessReview,
-  TokenReview: () => import_client_node.V1TokenReview,
-  ValidatingWebhookConfiguration: () => import_client_node.V1ValidatingWebhookConfiguration,
-  VolumeAttachment: () => import_client_node.V1VolumeAttachment
+  HorizontalPodAutoscaler: () => import_client_node2.V1HorizontalPodAutoscaler,
+  Ingress: () => import_client_node2.V1Ingress,
+  IngressClass: () => import_client_node2.V1IngressClass,
+  Job: () => import_client_node2.V1Job,
+  LimitRange: () => import_client_node2.V1LimitRange,
+  LocalSubjectAccessReview: () => import_client_node2.V1LocalSubjectAccessReview,
+  MutatingWebhookConfiguration: () => import_client_node2.V1MutatingWebhookConfiguration,
+  Namespace: () => import_client_node2.V1Namespace,
+  NetworkPolicy: () => import_client_node2.V1NetworkPolicy,
+  Node: () => import_client_node2.V1Node,
+  PersistentVolume: () => import_client_node2.V1PersistentVolume,
+  PersistentVolumeClaim: () => import_client_node2.V1PersistentVolumeClaim,
+  Pod: () => import_client_node2.V1Pod,
+  PodDisruptionBudget: () => import_client_node2.V1PodDisruptionBudget,
+  PodTemplate: () => import_client_node2.V1PodTemplate,
+  ReplicaSet: () => import_client_node2.V1ReplicaSet,
+  ReplicationController: () => import_client_node2.V1ReplicationController,
+  ResourceQuota: () => import_client_node2.V1ResourceQuota,
+  Role: () => import_client_node2.V1Role,
+  RoleBinding: () => import_client_node2.V1RoleBinding,
+  RuntimeClass: () => import_client_node2.V1RuntimeClass,
+  Secret: () => import_client_node2.V1Secret,
+  SelfSubjectAccessReview: () => import_client_node2.V1SelfSubjectAccessReview,
+  SelfSubjectRulesReview: () => import_client_node2.V1SelfSubjectRulesReview,
+  Service: () => import_client_node2.V1Service,
+  ServiceAccount: () => import_client_node2.V1ServiceAccount,
+  StatefulSet: () => import_client_node2.V1StatefulSet,
+  StorageClass: () => import_client_node2.V1StorageClass,
+  SubjectAccessReview: () => import_client_node2.V1SubjectAccessReview,
+  TokenReview: () => import_client_node2.V1TokenReview,
+  ValidatingWebhookConfiguration: () => import_client_node2.V1ValidatingWebhookConfiguration,
+  VolumeAttachment: () => import_client_node2.V1VolumeAttachment
 });
-var import_client_node = require("@kubernetes/client-node");
+var import_client_node2 = require("@kubernetes/client-node");
 
 // src/lib/k8s/types.ts
+var import_client_node = require("@kubernetes/client-node");
 var GenericKind = class {
   apiVersion;
   kind;
@@ -105,6 +114,46 @@ var GenericKind = class {
 
 // src/lib/k8s/kinds.ts
 var gvkMap = {
+  /**
+   * Represents a K8s ClusterRole resource.
+   * ClusterRole is a set of permissions that can be bound to a user or group in a cluster-wide scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole}
+   */
+  V1ClusterRole: {
+    kind: "ClusterRole",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s ClusterRoleBinding resource.
+   * ClusterRoleBinding binds a ClusterRole to a user or group in a cluster-wide scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding}
+   */
+  V1ClusterRoleBinding: {
+    kind: "ClusterRoleBinding",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s Role resource.
+   * Role is a set of permissions that can be bound to a user or group in a namespace scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole}
+   */
+  V1Role: {
+    kind: "Role",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
+  /**
+   * Represents a K8s RoleBinding resource.
+   * RoleBinding binds a Role to a user or group in a namespace scope.
+   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding}
+   */
+  V1RoleBinding: {
+    kind: "RoleBinding",
+    version: "v1",
+    group: "rbac.authorization.k8s.io"
+  },
   /**
    * Represents a K8s ConfigMap resource.
    * ConfigMap holds configuration data for pods to consume.
@@ -539,120 +588,51 @@ var RegisterKind = (model, groupVersionKind) => {
   gvkMap[name] = groupVersionKind;
 };
 
+// src/lib/k8s/index.ts
+var isWatchMode = process.env.PEPR_WATCH_MODE === "true";
+
 // src/lib/logger.ts
-var LogLevel = /* @__PURE__ */ ((LogLevel2) => {
-  LogLevel2[LogLevel2["debug"] = 0] = "debug";
-  LogLevel2[LogLevel2["info"] = 1] = "info";
-  LogLevel2[LogLevel2["warn"] = 2] = "warn";
-  LogLevel2[LogLevel2["error"] = 3] = "error";
-  return LogLevel2;
-})(LogLevel || {});
-var Logger = class {
-  _logLevel;
-  /**
-   * Create a new logger instance.
-   * @param logLevel - The minimum log level to log messages for.
-   */
-  constructor(logLevel) {
-    this._logLevel = logLevel;
-  }
-  /**
-   * Change the log level of the logger.
-   * @param logLevel - The log level to log the message at.
-   */
-  SetLogLevel(logLevel) {
-    this._logLevel = LogLevel[logLevel];
-    this.debug(`Log level set to ${logLevel}`);
-  }
-  /**
-   * Log a debug message.
-   * @param message - The message to log.
-   */
-  debug(message, prefix) {
-    this.log(0 /* debug */, message, prefix);
-  }
-  /**
-   * Log an info message.
-   * @param message - The message to log.
-   */
-  info(message, prefix) {
-    this.log(1 /* info */, message, prefix);
-  }
-  /**
-   * Log a warning message.
-   * @param message - The message to log.
-   */
-  warn(message, prefix) {
-    this.log(2 /* warn */, message, prefix);
-  }
-  /**
-   * Log an error message.
-   * @param message - The message to log.
-   */
-  error(message, prefix) {
-    this.log(3 /* error */, message, prefix);
-  }
-  /**
-   * Log a message at the specified log level.
-   * @param logLevel - The log level of the message.
-   * @param message - The message to log.
-   */
-  log(logLevel, message, callerPrefix = "") {
-    const color = {
-      [0 /* debug */]: "\x1B[30m" /* FgBlack */,
-      [1 /* info */]: "\x1B[36m" /* FgCyan */,
-      [2 /* warn */]: "\x1B[33m" /* FgYellow */,
-      [3 /* error */]: "\x1B[31m" /* FgRed */
-    };
-    if (logLevel >= this._logLevel) {
-      let prefix = "[" + LogLevel[logLevel] + "]	" + callerPrefix;
-      prefix = this.colorize(prefix, color[logLevel]);
-      if (typeof message !== "string") {
-        console.log(prefix);
-        console.debug("%o", message);
-      } else {
-        console.log(prefix + "	" + message);
-      }
-    }
-  }
-  colorize(text, color) {
-    return color + text + "\x1B[0m" /* Reset */;
+var import_pino = require("pino");
+var isPrettyLog = process.env.PEPR_PRETTY_LOGS === "true";
+var pretty = {
+  target: "pino-pretty",
+  options: {
+    colorize: true
   }
 };
-var Log = new Logger(1 /* info */);
+var transport = isPrettyLog ? pretty : void 0;
+var Log = (0, import_pino.pino)({
+  transport
+});
 if (process.env.LOG_LEVEL) {
-  Log.SetLogLevel(process.env.LOG_LEVEL);
+  Log.level = process.env.LOG_LEVEL;
 }
 var logger_default = Log;
 
 // src/lib/capability.ts
 var Capability = class {
-  _name;
-  _description;
-  _namespaces;
-  // Currently everything is considered a mutation
-  _mutateOrValidate = "mutate" /* mutate */;
-  _bindings = [];
+  #name;
+  #description;
+  #namespaces;
+  #bindings = [];
   get bindings() {
-    return this._bindings;
+    return this.#bindings;
   }
   get name() {
-    return this._name;
+    return this.#name;
   }
   get description() {
-    return this._description;
+    return this.#description;
   }
   get namespaces() {
-    return this._namespaces || [];
-  }
-  get mutateOrValidate() {
-    return this._mutateOrValidate;
+    return this.#namespaces || [];
   }
   constructor(cfg) {
-    this._name = cfg.name;
-    this._description = cfg.description;
-    this._namespaces = cfg.namespaces;
-    logger_default.info(`Capability ${this._name} registered`);
+    this.#name = cfg.name;
+    this.#description = cfg.description;
+    this.#namespaces = cfg.namespaces;
+    this.When = this.When.bind(this);
+    logger_default.info(`Capability ${this.#name} registered`);
     logger_default.debug(cfg);
   }
   /**
@@ -664,7 +644,7 @@ var Capability = class {
    * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
    * @returns
    */
-  When = (model, kind) => {
+  When(model, kind) {
     const matchedKind = modelToGroupVersionKind(model.name);
     if (!matchedKind && !kind) {
       throw new Error(`Kind not specified for ${model.name}`);
@@ -678,62 +658,74 @@ var Capability = class {
         namespaces: [],
         labels: {},
         annotations: {}
-      },
-      callback: () => void 0
-    };
-    const prefix = `${this._name}: ${model.name}`;
-    logger_default.info(`Binding created`, prefix);
-    const Then = (cb) => {
-      logger_default.info(`Binding action created`, prefix);
-      logger_default.debug(cb.toString(), prefix);
-      this._bindings.push({
-        ...binding,
-        callback: cb
-      });
-      return { Then };
+      }
     };
-    const ThenSet = (merge) => {
-      Then((req) => req.Merge(merge));
-      return { Then };
+    const bindings = this.#bindings;
+    const prefix = `${this.#name}: ${model.name}`;
+    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate };
+    const isNotEmpty = (value) => Object.keys(value).length > 0;
+    const log = (message, cbString) => {
+      const filteredObj = (0, import_ramda.pickBy)(isNotEmpty, binding.filters);
+      logger_default.info(`${message} configured for ${binding.event}`, prefix);
+      logger_default.info(filteredObj, prefix);
+      logger_default.debug(cbString, prefix);
     };
+    function Validate(validateCallback) {
+      if (!isWatchMode) {
+        log("Validate Action", validateCallback.toString());
+        bindings.push({
+          ...binding,
+          isValidate: true,
+          validateCallback
+        });
+      }
+    }
+    function Mutate(mutateCallback) {
+      if (!isWatchMode) {
+        log("Mutate Action", mutateCallback.toString());
+        bindings.push({
+          ...binding,
+          isMutate: true,
+          mutateCallback
+        });
+      }
+      return { Validate };
+    }
     function InNamespace(...namespaces) {
       logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
       binding.filters.namespaces.push(...namespaces);
-      return { WithLabel, WithAnnotation, WithName, Then, ThenSet };
+      return { ...commonChain, WithName };
     }
     function WithName(name) {
       logger_default.debug(`Add name filter ${name}`, prefix);
       binding.filters.name = name;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
+      return commonChain;
     }
     function WithLabel(key, value = "") {
       logger_default.debug(`Add label filter ${key}=${value}`, prefix);
       binding.filters.labels[key] = value;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
+      return commonChain;
     }
-    const WithAnnotation = (key, value = "") => {
+    function WithAnnotation(key, value = "") {
       logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
       binding.filters.annotations[key] = value;
-      return { WithLabel, WithAnnotation, Then, ThenSet };
-    };
-    const bindEvent = (event) => {
+      return commonChain;
+    }
+    function bindEvent(event) {
       binding.event = event;
       return {
+        ...commonChain,
         InNamespace,
-        Then,
-        ThenSet,
-        WithAnnotation,
-        WithLabel,
         WithName
       };
-    };
+    }
     return {
       IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
       IsCreated: () => bindEvent("CREATE" /* Create */),
       IsUpdated: () => bindEvent("UPDATE" /* Update */),
       IsDeleted: () => bindEvent("DELETE" /* Delete */)
     };
-  };
+  }
 };
 
 // src/lib/fetch.ts
@@ -743,7 +735,7 @@ var fetchRaw = import_node_fetch.default;
 async function fetch(url, init) {
   let data = void 0;
   try {
-    logger_default.debug(`Fetching ${url}`);
+    logger_default.debug(init, `Fetching ${url}`);
     const resp = await fetchRaw(url, init);
     const contentType = resp.headers.get("content-type") || "";
     if (resp.ok) {
@@ -780,16 +772,122 @@ async function fetch(url, init) {
 }
 
 // src/lib/module.ts
-var import_ramda2 = require("ramda");
+var import_ramda4 = require("ramda");
 
 // src/lib/controller.ts
 var import_express = __toESM(require("express"));
 var import_fs = __toESM(require("fs"));
 var import_https = __toESM(require("https"));
 
-// src/lib/processor.ts
+// src/lib/metrics.ts
+var import_perf_hooks = require("perf_hooks");
+var import_prom_client = __toESM(require("prom-client"));
+var loggingPrefix = "MetricsCollector";
+var MetricsCollector = class {
+  #registry;
+  #counters = /* @__PURE__ */ new Map();
+  #summaries = /* @__PURE__ */ new Map();
+  #prefix;
+  #metricNames = {
+    errors: "errors",
+    alerts: "alerts",
+    mutate: "Mutate",
+    validate: "Validate"
+  };
+  /**
+   * Creates a MetricsCollector instance with prefixed metrics.
+   * @param [prefix='pepr'] - The prefix for the metric names.
+   */
+  constructor(prefix = "pepr") {
+    this.#registry = new import_prom_client.Registry();
+    this.#prefix = prefix;
+    this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
+    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
+    this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
+    this.addSummary(this.#metricNames.validate, "Validation operation summary");
+  }
+  #getMetricName(name) {
+    return `${this.#prefix}_${name}`;
+  }
+  #addMetric(collection, MetricType, name, help) {
+    if (collection.has(this.#getMetricName(name))) {
+      logger_default.debug(`Metric for ${name} already exists`, loggingPrefix);
+      return;
+    }
+    this.incCounter = this.incCounter.bind(this);
+    this.error = this.error.bind(this);
+    this.alert = this.alert.bind(this);
+    this.observeStart = this.observeStart.bind(this);
+    this.observeEnd = this.observeEnd.bind(this);
+    this.getMetrics = this.getMetrics.bind(this);
+    const metric = new MetricType({
+      name: this.#getMetricName(name),
+      help,
+      registers: [this.#registry]
+    });
+    collection.set(this.#getMetricName(name), metric);
+  }
+  addCounter(name, help) {
+    this.#addMetric(this.#counters, import_prom_client.default.Counter, name, help);
+  }
+  addSummary(name, help) {
+    this.#addMetric(this.#summaries, import_prom_client.default.Summary, name, help);
+  }
+  incCounter(name) {
+    this.#counters.get(this.#getMetricName(name))?.inc();
+  }
+  /**
+   * Increments the error counter.
+   */
+  error() {
+    this.incCounter(this.#metricNames.errors);
+  }
+  /**
+   * Increments the alerts counter.
+   */
+  alert() {
+    this.incCounter(this.#metricNames.alerts);
+  }
+  /**
+   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
+   * @returns The timestamp.
+   */
+  observeStart() {
+    return import_perf_hooks.performance.now();
+  }
+  /**
+   * Observes the duration since the provided start time and updates the summary.
+   * @param startTime - The start time.
+   * @param name - The metrics summary to increment.
+   */
+  observeEnd(startTime, name = this.#metricNames.mutate) {
+    this.#summaries.get(this.#getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
+  }
+  /**
+   * Fetches the current metrics from the registry.
+   * @returns The metrics.
+   */
+  async getMetrics() {
+    return this.#registry.metrics();
+  }
+};
+
+// src/lib/mutate-processor.ts
 var import_fast_json_patch = __toESM(require("fast-json-patch"));
 
+// src/lib/errors.ts
+var Errors = {
+  audit: "audit",
+  ignore: "ignore",
+  reject: "reject"
+};
+var ErrorList = Object.values(Errors);
+function ValidateError(error = "") {
+  if (!ErrorList.includes(error)) {
+    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
+  }
+}
+
 // src/lib/filter.ts
 function shouldSkipRequest(binding, req) {
   const { group, kind, version } = binding.kind || {};
@@ -797,7 +895,6 @@ function shouldSkipRequest(binding, req) {
   const operation = req.operation.toUpperCase();
   const srcObject = operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
   const { metadata } = srcObject || {};
-  console.log(metadata);
   if (!binding.event.includes(operation) && !binding.event.includes("*" /* Any */)) {
     return true;
   }
@@ -842,48 +939,56 @@ function shouldSkipRequest(binding, req) {
   return false;
 }
 
-// src/lib/request.ts
-var import_ramda = require("ramda");
-var PeprRequest = class {
-  /**
-   * Creates a new instance of the Action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
-  constructor(_input) {
-    this._input = _input;
-    if (_input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda.clone)(_input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda.clone)(_input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.RawP");
-    }
-  }
+// src/lib/mutate-request.ts
+var import_ramda2 = require("ramda");
+var PeprMutateRequest = class {
   Raw;
+  #input;
   get PermitSideEffects() {
-    return !this._input.dryRun;
+    return !this.#input.dryRun;
   }
   /**
    * Indicates whether the request is a dry run.
    * @returns true if the request is a dry run, false otherwise.
    */
   get IsDryRun() {
-    return this._input.dryRun;
+    return this.#input.dryRun;
   }
   /**
    * Provides access to the old resource in the request if available.
    * @returns The old Kubernetes resource object or null if not available.
    */
   get OldResource() {
-    return this._input.oldObject;
+    return this.#input.oldObject;
   }
   /**
    * Provides access to the request object.
    * @returns The request object containing the Kubernetes resource.
    */
   get Request() {
-    return this._input;
+    return this.#input;
+  }
+  /**
+   * Creates a new instance of the action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
+   */
+  constructor(input) {
+    this.#input = input;
+    this.Merge = this.Merge.bind(this);
+    this.SetLabel = this.SetLabel.bind(this);
+    this.SetAnnotation = this.SetAnnotation.bind(this);
+    this.RemoveLabel = this.RemoveLabel.bind(this);
+    this.RemoveAnnotation = this.RemoveAnnotation.bind(this);
+    this.HasLabel = this.HasLabel.bind(this);
+    this.HasAnnotation = this.HasAnnotation.bind(this);
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda2.clone)(input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda2.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.RawP");
+    }
   }
   /**
    * Deep merges the provided object with the current resource.
@@ -891,13 +996,13 @@ var PeprRequest = class {
    * @param obj - The object to merge with the current resource.
    */
   Merge(obj) {
-    this.Raw = (0, import_ramda.mergeDeepRight)(this.Raw, obj);
+    this.Raw = (0, import_ramda2.mergeDeepRight)(this.Raw, obj);
   }
   /**
    * Updates a label on the Kubernetes resource.
    * @param key - The key of the label to update.
    * @param value - The value of the label.
-   * @returns The current Action instance for method chaining.
+   * @returns The current action instance for method chaining.
    */
   SetLabel(key, value) {
     const ref = this.Raw;
@@ -910,7 +1015,7 @@ var PeprRequest = class {
    * Updates an annotation on the Kubernetes resource.
    * @param key - The key of the annotation to update.
    * @param value - The value of the annotation.
-   * @returns The current Action instance for method chaining.
+   * @returns The current action instance for method chaining.
    */
   SetAnnotation(key, value) {
     const ref = this.Raw;
@@ -1003,30 +1108,33 @@ function base64Encode(data) {
   return Buffer.from(data).toString("base64");
 }
 
-// src/lib/processor.ts
-async function processor(config, capabilities, req, parentPrefix) {
-  const wrapped = new PeprRequest(req);
+// src/lib/mutate-processor.ts
+async function mutateProcessor(config, capabilities, req, reqMetadata) {
+  const wrapped = new PeprMutateRequest(req);
   const response = {
     uid: req.uid,
     warnings: [],
     allowed: false
   };
-  let matchedCapabilityAction = false;
+  let matchedAction = false;
   let skipDecode = [];
   const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
   if (isSecret) {
     skipDecode = convertFromBase64Map(wrapped.Raw);
   }
-  logger_default.info(`Processing request`, parentPrefix);
+  logger_default.info(reqMetadata, `Processing request`);
   for (const { name, bindings } of capabilities) {
-    const prefix = `${parentPrefix} ${name}:`;
+    const actionMetadata = { ...reqMetadata, name };
     for (const action of bindings) {
+      if (!action.mutateCallback) {
+        continue;
+      }
       if (shouldSkipRequest(action, req)) {
         continue;
       }
-      const label = action.callback.name;
-      logger_default.info(`Processing matched action ${label}`, prefix);
-      matchedCapabilityAction = true;
+      const label = action.mutateCallback.name;
+      logger_default.info(actionMetadata, `Processing matched action ${label}`);
+      matchedAction = true;
       const updateStatus = (status) => {
         if (req.operation == "DELETE") {
           return;
@@ -1038,26 +1146,30 @@ async function processor(config, capabilities, req, parentPrefix) {
       };
       updateStatus("started");
       try {
-        await action.callback(wrapped);
-        logger_default.info(`Action succeeded`, prefix);
+        await action.mutateCallback(wrapped);
+        logger_default.info(actionMetadata, `Action succeeded`);
         updateStatus("succeeded");
       } catch (e) {
+        logger_default.warn(actionMetadata, `Action failed: ${e}`);
+        updateStatus("warning");
         response.warnings = response.warnings || [];
         response.warnings.push(`Action failed: ${e}`);
-        if (config.onError) {
-          logger_default.error(`Action failed: ${e}`, prefix);
-          response.result = "Pepr module configured to reject on error";
-          return response;
-        } else {
-          logger_default.warn(`Action failed: ${e}`, prefix);
-          updateStatus("warning");
+        switch (config.onError) {
+          case Errors.reject:
+            logger_default.error(actionMetadata, `Action failed: ${e}`);
+            response.result = "Pepr module configured to reject on error";
+            return response;
+          case Errors.audit:
+            response.auditAnnotations = response.auditAnnotations || {};
+            response.auditAnnotations[Date.now()] = e;
+            break;
         }
       }
     }
   }
   response.allowed = true;
-  if (!matchedCapabilityAction) {
-    logger_default.info(`No matching capability action found`, parentPrefix);
+  if (!matchedAction) {
+    logger_default.info(reqMetadata, `No matching actions found`);
     return response;
   }
   if (req.operation == "DELETE") {
@@ -1070,126 +1182,200 @@ async function processor(config, capabilities, req, parentPrefix) {
   const patches = import_fast_json_patch.default.compare(req.object, transformed);
   if (patches.length > 0) {
     response.patchType = "JSONPatch";
-    response.patch = Buffer.from(JSON.stringify(patches)).toString("base64");
+    response.patch = base64Encode(JSON.stringify(patches));
   }
   if (response.warnings && response.warnings.length < 1) {
     delete response.warnings;
   }
-  logger_default.debug(patches, parentPrefix);
+  logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
   return response;
 }
 
-// src/lib/metrics.ts
-var import_prom_client = __toESM(require("prom-client"));
-var import_perf_hooks = require("perf_hooks");
-var MetricsCollector = class {
-  _registry;
-  _errors;
-  _alerts;
-  _summary;
+// src/lib/validate-request.ts
+var import_ramda3 = require("ramda");
+var PeprValidateRequest = class {
+  Raw;
+  #input;
   /**
-   * Creates a MetricsCollector instance with prefixed metrics.
-   * @param {string} [prefix='pepr'] - The prefix for the metric names.
+   * Provides access to the old resource in the request if available.
+   * @returns The old Kubernetes resource object or null if not available.
    */
-  constructor(prefix = "pepr") {
-    this._registry = new import_prom_client.default.Registry();
-    this._errors = new import_prom_client.default.Counter({
-      name: `${prefix}_errors`,
-      help: "error counter",
-      registers: [this._registry]
-    });
-    this._alerts = new import_prom_client.default.Counter({
-      name: `${prefix}_alerts`,
-      help: "alerts counter",
-      registers: [this._registry]
-    });
-    this._summary = new import_prom_client.default.Summary({
-      name: `${prefix}_summary`,
-      help: "summary",
-      registers: [this._registry]
-    });
+  get OldResource() {
+    return this.#input.oldObject;
   }
   /**
-   * Increments the error counter.
+   * Provides access to the request object.
+   * @returns The request object containing the Kubernetes resource.
    */
-  error() {
-    this._errors.inc();
+  get Request() {
+    return this.#input;
   }
   /**
-   * Increments the alerts counter.
+   * Creates a new instance of the Action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
    */
-  alert() {
-    this._alerts.inc();
+  constructor(input) {
+    this.#input = input;
+    this.HasLabel = this.HasLabel.bind(this);
+    this.HasAnnotation = this.HasAnnotation.bind(this);
+    this.Approve = this.Approve.bind(this);
+    this.Deny = this.Deny.bind(this);
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda3.clone)(input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda3.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.RawP");
+    }
   }
   /**
-   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
-   * @returns {number} The timestamp.
+   * Check if a label exists on the Kubernetes resource.
+   *
+   * @param key the label key to check
+   * @returns
    */
-  observeStart() {
-    return import_perf_hooks.performance.now();
+  HasLabel(key) {
+    return this.Raw.metadata?.labels?.[key] !== void 0;
   }
   /**
-   * Observes the duration since the provided start time and updates the summary.
-   * @param {number} startTime - The start time.
+   * Check if an annotation exists on the Kubernetes resource.
+   *
+   * @param key the annotation key to check
+   * @returns
    */
-  observeEnd(startTime) {
-    this._summary.observe(import_perf_hooks.performance.now() - startTime);
+  HasAnnotation(key) {
+    return this.Raw.metadata?.annotations?.[key] !== void 0;
   }
   /**
-   * Fetches the current metrics from the registry.
-   * @returns {Promise<string>} The metrics.
+   * Create a validation response that allows the request.
+   *
+   * @returns The validation response.
    */
-  async getMetrics() {
-    return this._registry.metrics();
+  Approve() {
+    return {
+      allowed: true
+    };
+  }
+  /**
+   * Create a validation response that denies the request.
+   *
+   * @param statusMessage Optional status message to return to the user.
+   * @param statusCode Optional status code to return to the user.
+   * @returns The validation response.
+   */
+  Deny(statusMessage, statusCode) {
+    return {
+      allowed: false,
+      statusCode,
+      statusMessage
+    };
   }
 };
 
+// src/lib/validate-processor.ts
+async function validateProcessor(capabilities, req, reqMetadata) {
+  const wrapped = new PeprValidateRequest(req);
+  const response = {
+    uid: req.uid,
+    allowed: true
+    // Assume it's allowed until a validation check fails
+  };
+  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  if (isSecret) {
+    convertFromBase64Map(wrapped.Raw);
+  }
+  logger_default.info(reqMetadata, `Processing validation request`);
+  for (const { name, bindings } of capabilities) {
+    const actionMetadata = { ...reqMetadata, name };
+    for (const action of bindings) {
+      if (!action.validateCallback) {
+        continue;
+      }
+      if (shouldSkipRequest(action, req)) {
+        continue;
+      }
+      const label = action.validateCallback.name;
+      logger_default.info(actionMetadata, `Processing matched action ${label}`);
+      try {
+        const resp = await action.validateCallback(wrapped);
+        response.allowed = resp.allowed;
+        if (resp.statusCode || resp.statusMessage) {
+          response.status = {
+            code: resp.statusCode || 400,
+            message: resp.statusMessage || `Validation failed for ${name}`
+          };
+        }
+        logger_default.info(actionMetadata, `Validation Action completed: ${resp.allowed ? "allowed" : "denied"}`);
+      } catch (e) {
+        logger_default.error(actionMetadata, `Action failed: ${e}`);
+        response.allowed = false;
+        response.status = {
+          code: 500,
+          message: `Action failed with error: ${e}`
+        };
+        return response;
+      }
+    }
+  }
+  return response;
+}
+
 // src/lib/controller.ts
-var Controller = class {
+var Controller = class _Controller {
+  // Track whether the server is running
+  #running = false;
+  // Metrics collector
+  #metricsCollector = new MetricsCollector("pepr");
+  // The token used to authenticate requests
+  #token = "";
+  // The express app instance
+  #app = (0, import_express.default)();
+  // Initialized with the constructor
+  #config;
+  #capabilities;
+  #beforeHook;
+  #afterHook;
   constructor(config, capabilities, beforeHook, afterHook) {
-    this.config = config;
-    this.capabilities = capabilities;
-    this.beforeHook = beforeHook;
-    this.afterHook = afterHook;
-    this.app.use(this.logger);
-    this.app.use(import_express.default.json({ limit: "2mb" }));
-    this.app.get("/healthz", this.healthz);
-    this.app.get("/metrics", this.metrics);
-    this.app.post("/mutate/:token", this.mutate);
+    this.#config = config;
+    this.#capabilities = capabilities;
+    this.#beforeHook = beforeHook;
+    this.#afterHook = afterHook;
+    this.startServer = this.startServer.bind(this);
+    this.#app.use(_Controller.#logger);
+    this.#app.use(import_express.default.json({ limit: "2mb" }));
     if (beforeHook) {
-      console.info(`Using beforeHook: ${beforeHook}`);
+      logger_default.info(`Using beforeHook: ${beforeHook}`);
     }
     if (afterHook) {
-      console.info(`Using afterHook: ${afterHook}`);
+      logger_default.info(`Using afterHook: ${afterHook}`);
     }
+    this.#bindEndpoints();
   }
-  app = (0, import_express.default)();
-  running = false;
-  metricsCollector = new MetricsCollector("pepr");
-  // The token used to authenticate requests
-  token = "";
   /** Start the webhook server */
-  startServer = (port) => {
-    if (this.running) {
+  startServer(port) {
+    if (this.#running) {
       throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
     }
     const options = {
       key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
       cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
     };
-    this.token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
-    console.info(`Using API token: ${this.token}`);
-    if (!this.token) {
-      throw new Error("API token not found");
+    if (!isWatchMode) {
+      this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
+      logger_default.info(`Using API token: ${this.#token}`);
+      if (!this.#token) {
+        throw new Error("API token not found");
+      }
     }
-    const server = import_https.default.createServer(options, this.app).listen(port);
+    const server = import_https.default.createServer(options, this.#app).listen(port);
     server.on("listening", () => {
-      console.log(`Server listening on port ${port}`);
-      this.running = true;
+      logger_default.info(`Server listening on port ${port}`);
+      this.#running = true;
     });
     server.on("error", (e) => {
       if (e.code === "EADDRINUSE") {
-        console.log(
+        logger_default.warn(
           `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
         );
         setTimeout(() => {
@@ -1199,97 +1385,166 @@ var Controller = class {
       }
     });
     process.on("SIGTERM", () => {
-      console.log("Received SIGTERM, closing server");
+      logger_default.info("Received SIGTERM, closing server");
       server.close(() => {
-        console.log("Server closed");
+        logger_default.info("Server closed");
         process.exit(0);
       });
     });
+  }
+  #bindEndpoints = () => {
+    this.#app.get("/healthz", _Controller.#healthz);
+    this.#app.get("/metrics", this.#metrics);
+    if (isWatchMode) {
+      return;
+    }
+    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
+    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
+    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
   };
-  logger = (req, res, next) => {
-    const startTime = Date.now();
-    res.on("finish", () => {
-      const now = (/* @__PURE__ */ new Date()).toISOString();
-      const elapsedTime = Date.now() - startTime;
-      const message = `[${now}] ${req.method} ${req.originalUrl} [${res.statusCode}] ${elapsedTime} ms
-`;
-      res.statusCode >= 400 ? console.error(message) : console.info(message);
-    });
+  /**
+   * Validate the token in the request path
+   *
+   * @param req The incoming request
+   * @param res The outgoing response
+   * @param next The next middleware function
+   * @returns
+   */
+  #validateToken = (req, res, next) => {
+    const { token } = req.params;
+    if (token !== this.#token) {
+      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
+      logger_default.warn(err);
+      res.status(401).send(err);
+      this.#metricsCollector.alert();
+      return;
+    }
     next();
   };
-  healthz = (req, res) => {
+  /**
+   * Metrics endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   */
+  #metrics = async (req, res) => {
     try {
-      res.send("OK");
+      res.send(await this.#metricsCollector.getMetrics());
     } catch (err) {
-      console.error(err);
+      logger_default.error(err);
       res.status(500).send("Internal Server Error");
     }
   };
-  metrics = async (req, res) => {
-    try {
-      res.send(await this.metricsCollector.getMetrics());
-    } catch (err) {
-      console.error(err);
-      res.status(500).send("Internal Server Error");
-    }
+  /**
+   * Admission request handler for both mutate and validate requests
+   *
+   * @param admissionKind the type of admission request
+   * @returns the request handler
+   */
+  #admissionReq = (admissionKind) => {
+    return async (req, res) => {
+      const startTime = this.#metricsCollector.observeStart();
+      try {
+        const request = req.body?.request || {};
+        this.#beforeHook && this.#beforeHook(request || {});
+        const name = request?.name ? `/${request.name}` : "";
+        const namespace = request?.namespace || "";
+        const gvk = request?.kind || { group: "", version: "", kind: "" };
+        const reqMetadata = {
+          uid: request.uid,
+          namespace,
+          name
+        };
+        logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
+        logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
+        let response;
+        if (admissionKind === "Mutate") {
+          response = await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata);
+        } else {
+          response = await validateProcessor(this.#capabilities, request, reqMetadata);
+        }
+        this.#afterHook && this.#afterHook(response);
+        logger_default.debug({ ...reqMetadata, response }, "Outgoing response");
+        res.send({
+          apiVersion: "admission.k8s.io/v1",
+          kind: "AdmissionReview",
+          response
+        });
+        this.#metricsCollector.observeEnd(startTime, admissionKind);
+      } catch (err) {
+        logger_default.error(err);
+        res.status(500).send("Internal Server Error");
+        this.#metricsCollector.error();
+      }
+    };
   };
-  mutate = async (req, res) => {
-    const startTime = this.metricsCollector.observeStart();
+  /**
+   * Middleware for logging requests
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   * @param next the next middleware function
+   */
+  static #logger(req, res, next) {
+    const startTime = Date.now();
+    res.on("finish", () => {
+      const elapsedTime = Date.now() - startTime;
+      const message = {
+        uid: req.body?.request?.uid,
+        method: req.method,
+        url: req.originalUrl,
+        status: res.statusCode,
+        duration: `${elapsedTime} ms`
+      };
+      res.statusCode >= 300 ? logger_default.warn(message) : logger_default.info(message);
+    });
+    next();
+  }
+  /**
+   * Health check endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   */
+  static #healthz(req, res) {
     try {
-      const { token } = req.params;
-      if (token !== this.token) {
-        const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
-        console.warn(err);
-        res.status(401).send(err);
-        this.metricsCollector.alert();
-        return;
-      }
-      const request = req.body?.request || {};
-      this.beforeHook && this.beforeHook(request || {});
-      const name = request?.name ? `/${request.name}` : "";
-      const namespace = request?.namespace || "";
-      const gvk = request?.kind || { group: "", version: "", kind: "" };
-      const prefix = `${request.uid} ${namespace}${name}`;
-      logger_default.info(`Mutate [${request.operation}] ${gvk.group}/${gvk.version}/${gvk.kind}`, prefix);
-      const response = await processor(this.config, this.capabilities, request, prefix);
-      this.afterHook && this.afterHook(response);
-      logger_default.debug(response, prefix);
-      res.send({
-        apiVersion: "admission.k8s.io/v1",
-        kind: "AdmissionReview",
-        response
-      });
-      this.metricsCollector.observeEnd(startTime);
+      res.send("OK");
     } catch (err) {
-      console.error(err);
+      logger_default.error(err);
       res.status(500).send("Internal Server Error");
-      this.metricsCollector.error();
     }
-  };
+  }
 };
 
 // src/lib/module.ts
-var alwaysIgnore = {
-  namespaces: ["kube-system", "pepr-system"],
-  labels: [{ "pepr.dev": "ignore" }]
-};
 var PeprModule = class {
-  _controller;
+  #controller;
   /**
    * Create a new Pepr runtime
    *
    * @param config The configuration for the Pepr runtime
    * @param capabilities The capabilities to be loaded into the Pepr runtime
-   * @param _deferStart (optional) If set to `true`, the Pepr runtime will not be started automatically. This can be used to start the Pepr runtime manually with `start()`.
+   * @param opts Options for the Pepr runtime
    */
   constructor({ description, pepr }, capabilities = [], opts = {}) {
-    const config = (0, import_ramda2.mergeDeepWith)(import_ramda2.concat, pepr, alwaysIgnore);
+    const config = (0, import_ramda4.clone)(pepr);
     config.description = description;
-    if (process.env.PEPR_MODE === "build") {
-      process.send?.({ capabilities });
+    ValidateError(config.onError);
+    this.start = this.start.bind(this);
+    if (process.env.PEPR_MODE === "build" && process.send) {
+      const exportedCapabilities = [];
+      for (const capability of capabilities) {
+        exportedCapabilities.push({
+          name: capability.name,
+          description: capability.description,
+          namespaces: capability.namespaces,
+          bindings: capability.bindings
+        });
+      }
+      process.send(exportedCapabilities);
       return;
     }
-    this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
+    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
     if (opts.deferStart) {
       return;
     }
@@ -1302,7 +1557,7 @@ var PeprModule = class {
    * @param port
    */
   start(port = 3e3) {
-    this._controller.startServer(port);
+    this.#controller.startServer(port);
   }
 };
 // Annotate the CommonJS export names for ESM import in node:
@@ -1310,8 +1565,9 @@ var PeprModule = class {
   Capability,
   Log,
   PeprModule,
-  PeprRequest,
+  PeprMutateRequest,
   PeprUtils,
+  PeprValidateRequest,
   R,
   RegisterKind,
   a,