pepr 0.13.0 → 0.13.2

package/dist/lib.js

@@ -611,27 +611,28 @@ var logger_default = Log;
 
 // src/lib/capability.ts
 var Capability = class {
-  _name;
-  _description;
-  _namespaces;
-  _bindings = [];
+  #name;
+  #description;
+  #namespaces;
+  #bindings = [];
   get bindings() {
-    return this._bindings;
+    return this.#bindings;
   }
   get name() {
-    return this._name;
+    return this.#name;
   }
   get description() {
-    return this._description;
+    return this.#description;
   }
   get namespaces() {
-    return this._namespaces || [];
+    return this.#namespaces || [];
   }
   constructor(cfg) {
-    this._name = cfg.name;
-    this._description = cfg.description;
-    this._namespaces = cfg.namespaces;
-    logger_default.info(`Capability ${this._name} registered`);
+    this.#name = cfg.name;
+    this.#description = cfg.description;
+    this.#namespaces = cfg.namespaces;
+    this.When = this.When.bind(this);
+    logger_default.info(`Capability ${this.#name} registered`);
     logger_default.debug(cfg);
   }
   /**
@@ -643,7 +644,7 @@ var Capability = class {
    * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
    * @returns
    */
-  When = (model, kind) => {
+  When(model, kind) {
     const matchedKind = modelToGroupVersionKind(model.name);
     if (!matchedKind && !kind) {
       throw new Error(`Kind not specified for ${model.name}`);
@@ -659,7 +660,9 @@ var Capability = class {
         annotations: {}
       }
     };
-    const prefix = `${this._name}: ${model.name}`;
+    const bindings = this.#bindings;
+    const prefix = `${this.#name}: ${model.name}`;
+    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate };
     const isNotEmpty = (value) => Object.keys(value).length > 0;
     const log = (message, cbString) => {
       const filteredObj = (0, import_ramda.pickBy)(isNotEmpty, binding.filters);
@@ -667,27 +670,27 @@ var Capability = class {
       logger_default.info(filteredObj, prefix);
       logger_default.debug(cbString, prefix);
     };
-    const Validate = (validateCallback) => {
+    function Validate(validateCallback) {
       if (!isWatchMode) {
         log("Validate Action", validateCallback.toString());
-        this._bindings.push({
+        bindings.push({
           ...binding,
           isValidate: true,
           validateCallback
         });
       }
-    };
-    const Mutate = (mutateCallback) => {
+    }
+    function Mutate(mutateCallback) {
       if (!isWatchMode) {
         log("Mutate Action", mutateCallback.toString());
-        this._bindings.push({
+        bindings.push({
           ...binding,
           isMutate: true,
           mutateCallback
         });
       }
       return { Validate };
-    };
+    }
     function InNamespace(...namespaces) {
       logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
       binding.filters.namespaces.push(...namespaces);
@@ -703,27 +706,26 @@ var Capability = class {
       binding.filters.labels[key] = value;
       return commonChain;
     }
-    const WithAnnotation = (key, value = "") => {
+    function WithAnnotation(key, value = "") {
       logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
       binding.filters.annotations[key] = value;
       return commonChain;
-    };
-    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate };
-    const bindEvent = (event) => {
+    }
+    function bindEvent(event) {
       binding.event = event;
       return {
         ...commonChain,
         InNamespace,
         WithName
       };
-    };
+    }
     return {
       IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
       IsCreated: () => bindEvent("CREATE" /* Create */),
       IsUpdated: () => bindEvent("UPDATE" /* Update */),
       IsDeleted: () => bindEvent("DELETE" /* Delete */)
     };
-  };
+  }
 };
 
 // src/lib/fetch.ts
@@ -778,15 +780,15 @@ var import_fs = __toESM(require("fs"));
 var import_https = __toESM(require("https"));
 
 // src/lib/metrics.ts
-var import_prom_client = __toESM(require("prom-client"));
 var import_perf_hooks = require("perf_hooks");
+var import_prom_client = __toESM(require("prom-client"));
 var loggingPrefix = "MetricsCollector";
 var MetricsCollector = class {
-  _registry;
-  _counters = /* @__PURE__ */ new Map();
-  _summaries = /* @__PURE__ */ new Map();
-  _prefix;
-  _metricNames = {
+  #registry;
+  #counters = /* @__PURE__ */ new Map();
+  #summaries = /* @__PURE__ */ new Map();
+  #prefix;
+  #metricNames = {
     errors: "errors",
     alerts: "alerts",
     mutate: "Mutate",
@@ -794,79 +796,98 @@ var MetricsCollector = class {
   };
   /**
    * Creates a MetricsCollector instance with prefixed metrics.
-   * @param {string} [prefix='pepr'] - The prefix for the metric names.
+   * @param [prefix='pepr'] - The prefix for the metric names.
    */
   constructor(prefix = "pepr") {
-    this._registry = new import_prom_client.Registry();
-    this._prefix = prefix;
-    this.addCounter(this._metricNames.errors, "Mutation/Validate errors encountered");
-    this.addCounter(this._metricNames.alerts, "Mutation/Validate bad api token received");
-    this.addSummary(this._metricNames.mutate, "Mutation operation summary");
-    this.addSummary(this._metricNames.validate, "Validation operation summary");
-  }
-  getMetricName(name) {
-    return `${this._prefix}_${name}`;
-  }
-  addMetric(collection, MetricType, name, help) {
-    if (collection.has(this.getMetricName(name))) {
+    this.#registry = new import_prom_client.Registry();
+    this.#prefix = prefix;
+    this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
+    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
+    this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
+    this.addSummary(this.#metricNames.validate, "Validation operation summary");
+  }
+  #getMetricName(name) {
+    return `${this.#prefix}_${name}`;
+  }
+  #addMetric(collection, MetricType, name, help) {
+    if (collection.has(this.#getMetricName(name))) {
       logger_default.debug(`Metric for ${name} already exists`, loggingPrefix);
       return;
     }
+    this.incCounter = this.incCounter.bind(this);
+    this.error = this.error.bind(this);
+    this.alert = this.alert.bind(this);
+    this.observeStart = this.observeStart.bind(this);
+    this.observeEnd = this.observeEnd.bind(this);
+    this.getMetrics = this.getMetrics.bind(this);
     const metric = new MetricType({
-      name: this.getMetricName(name),
+      name: this.#getMetricName(name),
       help,
-      registers: [this._registry]
+      registers: [this.#registry]
     });
-    collection.set(this.getMetricName(name), metric);
+    collection.set(this.#getMetricName(name), metric);
   }
   addCounter(name, help) {
-    this.addMetric(this._counters, import_prom_client.default.Counter, name, help);
+    this.#addMetric(this.#counters, import_prom_client.default.Counter, name, help);
   }
   addSummary(name, help) {
-    this.addMetric(this._summaries, import_prom_client.default.Summary, name, help);
+    this.#addMetric(this.#summaries, import_prom_client.default.Summary, name, help);
   }
   incCounter(name) {
-    this._counters.get(this.getMetricName(name))?.inc();
+    this.#counters.get(this.#getMetricName(name))?.inc();
   }
   /**
    * Increments the error counter.
    */
   error() {
-    this.incCounter(this._metricNames.errors);
+    this.incCounter(this.#metricNames.errors);
   }
   /**
    * Increments the alerts counter.
    */
   alert() {
-    this.incCounter(this._metricNames.alerts);
+    this.incCounter(this.#metricNames.alerts);
   }
   /**
    * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
-   * @returns {number} The timestamp.
+   * @returns The timestamp.
    */
   observeStart() {
     return import_perf_hooks.performance.now();
   }
   /**
    * Observes the duration since the provided start time and updates the summary.
-   * @param {number} startTime - The start time.
-   * @param {string} name - The metrics summary to increment.
+   * @param startTime - The start time.
+   * @param name - The metrics summary to increment.
    */
-  observeEnd(startTime, name = this._metricNames.mutate) {
-    this._summaries.get(this.getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
+  observeEnd(startTime, name = this.#metricNames.mutate) {
+    this.#summaries.get(this.#getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
   }
   /**
    * Fetches the current metrics from the registry.
-   * @returns {Promise<string>} The metrics.
+   * @returns The metrics.
    */
   async getMetrics() {
-    return this._registry.metrics();
+    return this.#registry.metrics();
   }
 };
 
 // src/lib/mutate-processor.ts
 var import_fast_json_patch = __toESM(require("fast-json-patch"));
 
+// src/lib/errors.ts
+var Errors = {
+  audit: "audit",
+  ignore: "ignore",
+  reject: "reject"
+};
+var ErrorList = Object.values(Errors);
+function ValidateError(error = "") {
+  if (!ErrorList.includes(error)) {
+    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
+  }
+}
+
 // src/lib/filter.ts
 function shouldSkipRequest(binding, req) {
   const { group, kind, version } = binding.kind || {};
@@ -921,45 +942,53 @@ function shouldSkipRequest(binding, req) {
 // src/lib/mutate-request.ts
 var import_ramda2 = require("ramda");
 var PeprMutateRequest = class {
-  /**
-   * Creates a new instance of the action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
-  constructor(_input) {
-    this._input = _input;
-    if (_input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda2.clone)(_input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda2.clone)(_input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.RawP");
-    }
-  }
   Raw;
+  #input;
   get PermitSideEffects() {
-    return !this._input.dryRun;
+    return !this.#input.dryRun;
   }
   /**
    * Indicates whether the request is a dry run.
    * @returns true if the request is a dry run, false otherwise.
    */
   get IsDryRun() {
-    return this._input.dryRun;
+    return this.#input.dryRun;
   }
   /**
    * Provides access to the old resource in the request if available.
    * @returns The old Kubernetes resource object or null if not available.
    */
   get OldResource() {
-    return this._input.oldObject;
+    return this.#input.oldObject;
   }
   /**
    * Provides access to the request object.
    * @returns The request object containing the Kubernetes resource.
    */
   get Request() {
-    return this._input;
+    return this.#input;
+  }
+  /**
+   * Creates a new instance of the action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
+   */
+  constructor(input) {
+    this.#input = input;
+    this.Merge = this.Merge.bind(this);
+    this.SetLabel = this.SetLabel.bind(this);
+    this.SetAnnotation = this.SetAnnotation.bind(this);
+    this.RemoveLabel = this.RemoveLabel.bind(this);
+    this.RemoveAnnotation = this.RemoveAnnotation.bind(this);
+    this.HasLabel = this.HasLabel.bind(this);
+    this.HasAnnotation = this.HasAnnotation.bind(this);
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda2.clone)(input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda2.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.RawP");
+    }
   }
   /**
    * Deep merges the provided object with the current resource.
@@ -1126,11 +1155,13 @@ async function mutateProcessor(config, capabilities, req, reqMetadata) {
         response.warnings = response.warnings || [];
         response.warnings.push(`Action failed: ${e}`);
         switch (config.onError) {
-          case "reject":
+          case Errors.reject:
             logger_default.error(actionMetadata, `Action failed: ${e}`);
             response.result = "Pepr module configured to reject on error";
             return response;
-          case "audit":
+          case Errors.audit:
+            response.auditAnnotations = response.auditAnnotations || {};
+            response.auditAnnotations[Date.now()] = e;
             break;
         }
       }
@@ -1163,35 +1194,40 @@ async function mutateProcessor(config, capabilities, req, reqMetadata) {
 // src/lib/validate-request.ts
 var import_ramda3 = require("ramda");
 var PeprValidateRequest = class {
-  /**
-   * Creates a new instance of the Action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
-  constructor(_input) {
-    this._input = _input;
-    if (_input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda3.clone)(_input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda3.clone)(_input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.RawP");
-    }
-  }
   Raw;
+  #input;
   /**
    * Provides access to the old resource in the request if available.
    * @returns The old Kubernetes resource object or null if not available.
    */
   get OldResource() {
-    return this._input.oldObject;
+    return this.#input.oldObject;
   }
   /**
    * Provides access to the request object.
    * @returns The request object containing the Kubernetes resource.
    */
   get Request() {
-    return this._input;
+    return this.#input;
+  }
+  /**
+   * Creates a new instance of the Action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
+   */
+  constructor(input) {
+    this.#input = input;
+    this.HasLabel = this.HasLabel.bind(this);
+    this.HasAnnotation = this.HasAnnotation.bind(this);
+    this.Approve = this.Approve.bind(this);
+    this.Deny = this.Deny.bind(this);
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda3.clone)(input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda3.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.RawP");
+    }
   }
   /**
    * Check if a label exists on the Kubernetes resource.
@@ -1245,6 +1281,10 @@ async function validateProcessor(capabilities, req, reqMetadata) {
     allowed: true
     // Assume it's allowed until a validation check fails
   };
+  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  if (isSecret) {
+    convertFromBase64Map(wrapped.Raw);
+  }
   logger_default.info(reqMetadata, `Processing validation request`);
   for (const { name, bindings } of capabilities) {
     const actionMetadata = { ...reqMetadata, name };
@@ -1282,40 +1322,39 @@ async function validateProcessor(capabilities, req, reqMetadata) {
 }
 
 // src/lib/controller.ts
-var Controller = class {
-  constructor(_config, _capabilities, _beforeHook, _afterHook) {
-    this._config = _config;
-    this._capabilities = _capabilities;
-    this._beforeHook = _beforeHook;
-    this._afterHook = _afterHook;
-    this._app.use(this.logger);
-    this._app.use(import_express.default.json({ limit: "2mb" }));
-    if (_beforeHook) {
-      logger_default.info(`Using beforeHook: ${_beforeHook}`);
+var Controller = class _Controller {
+  // Track whether the server is running
+  #running = false;
+  // Metrics collector
+  #metricsCollector = new MetricsCollector("pepr");
+  // The token used to authenticate requests
+  #token = "";
+  // The express app instance
+  #app = (0, import_express.default)();
+  // Initialized with the constructor
+  #config;
+  #capabilities;
+  #beforeHook;
+  #afterHook;
+  constructor(config, capabilities, beforeHook, afterHook) {
+    this.#config = config;
+    this.#capabilities = capabilities;
+    this.#beforeHook = beforeHook;
+    this.#afterHook = afterHook;
+    this.startServer = this.startServer.bind(this);
+    this.#app.use(_Controller.#logger);
+    this.#app.use(import_express.default.json({ limit: "2mb" }));
+    if (beforeHook) {
+      logger_default.info(`Using beforeHook: ${beforeHook}`);
     }
-    if (_afterHook) {
-      logger_default.info(`Using afterHook: ${_afterHook}`);
+    if (afterHook) {
+      logger_default.info(`Using afterHook: ${afterHook}`);
     }
-    this.bindEndpoints();
+    this.#bindEndpoints();
   }
-  _app = (0, import_express.default)();
-  _running = false;
-  metricsCollector = new MetricsCollector("pepr");
-  // The token used to authenticate requests
-  _token = "";
-  bindEndpoints = () => {
-    this._app.get("/healthz", this.healthz);
-    this._app.get("/metrics", this.metrics);
-    if (isWatchMode) {
-      return;
-    }
-    this._app.use(["/mutate/:token", "/validate/:token"], this.validateToken);
-    this._app.post("/mutate/:token", this.admissionReq("Mutate"));
-    this._app.post("/validate/:token", this.admissionReq("Validate"));
-  };
   /** Start the webhook server */
-  startServer = (port) => {
-    if (this._running) {
+  startServer(port) {
+    if (this.#running) {
       throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
     }
     const options = {
@@ -1323,16 +1362,16 @@ var Controller = class {
       cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
     };
     if (!isWatchMode) {
-      this._token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
-      logger_default.info(`Using API token: ${this._token}`);
-      if (!this._token) {
+      this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
+      logger_default.info(`Using API token: ${this.#token}`);
+      if (!this.#token) {
         throw new Error("API token not found");
       }
     }
-    const server = import_https.default.createServer(options, this._app).listen(port);
+    const server = import_https.default.createServer(options, this.#app).listen(port);
     server.on("listening", () => {
       logger_default.info(`Server listening on port ${port}`);
-      this._running = true;
+      this.#running = true;
     });
     server.on("error", (e) => {
       if (e.code === "EADDRINUSE") {
@@ -1352,28 +1391,16 @@ var Controller = class {
         process.exit(0);
       });
     });
-  };
-  /**
-   * Middleware for logging requests
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   * @param next the next middleware function
-   */
-  logger = (req, res, next) => {
-    const startTime = Date.now();
-    res.on("finish", () => {
-      const elapsedTime = Date.now() - startTime;
-      const message = {
-        uid: req.body?.request?.uid,
-        method: req.method,
-        url: req.originalUrl,
-        status: res.statusCode,
-        duration: `${elapsedTime} ms`
-      };
-      res.statusCode >= 300 ? logger_default.warn(message) : logger_default.info(message);
-    });
-    next();
+  }
+  #bindEndpoints = () => {
+    this.#app.get("/healthz", _Controller.#healthz);
+    this.#app.get("/metrics", this.#metrics);
+    if (isWatchMode) {
+      return;
+    }
+    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
+    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
+    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
   };
   /**
    * Validate the token in the request path
@@ -1383,40 +1410,26 @@ var Controller = class {
    * @param next The next middleware function
    * @returns
    */
-  validateToken = (req, res, next) => {
+  #validateToken = (req, res, next) => {
     const { token } = req.params;
-    if (token !== this._token) {
+    if (token !== this.#token) {
       const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
       logger_default.warn(err);
       res.status(401).send(err);
-      this.metricsCollector.alert();
+      this.#metricsCollector.alert();
       return;
     }
     next();
   };
-  /**
-   * Health check endpoint handler
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   */
-  healthz = (req, res) => {
-    try {
-      res.send("OK");
-    } catch (err) {
-      logger_default.error(err);
-      res.status(500).send("Internal Server Error");
-    }
-  };
   /**
    * Metrics endpoint handler
    *
    * @param req the incoming request
    * @param res the outgoing response
    */
-  metrics = async (req, res) => {
+  #metrics = async (req, res) => {
     try {
-      res.send(await this.metricsCollector.getMetrics());
+      res.send(await this.#metricsCollector.getMetrics());
     } catch (err) {
       logger_default.error(err);
       res.status(500).send("Internal Server Error");
@@ -1428,12 +1441,12 @@ var Controller = class {
    * @param admissionKind the type of admission request
    * @returns the request handler
    */
-  admissionReq = (admissionKind) => {
+  #admissionReq = (admissionKind) => {
     return async (req, res) => {
-      const startTime = this.metricsCollector.observeStart();
+      const startTime = this.#metricsCollector.observeStart();
       try {
         const request = req.body?.request || {};
-        this._beforeHook && this._beforeHook(request || {});
+        this.#beforeHook && this.#beforeHook(request || {});
         const name = request?.name ? `/${request.name}` : "";
         const namespace = request?.namespace || "";
         const gvk = request?.kind || { group: "", version: "", kind: "" };
@@ -1446,49 +1459,92 @@ var Controller = class {
         logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
         let response;
         if (admissionKind === "Mutate") {
-          response = await mutateProcessor(this._config, this._capabilities, request, reqMetadata);
+          response = await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata);
         } else {
-          response = await validateProcessor(this._capabilities, request, reqMetadata);
+          response = await validateProcessor(this.#capabilities, request, reqMetadata);
         }
-        this._afterHook && this._afterHook(response);
+        this.#afterHook && this.#afterHook(response);
         logger_default.debug({ ...reqMetadata, response }, "Outgoing response");
         res.send({
           apiVersion: "admission.k8s.io/v1",
           kind: "AdmissionReview",
           response
         });
-        this.metricsCollector.observeEnd(startTime, admissionKind);
+        this.#metricsCollector.observeEnd(startTime, admissionKind);
       } catch (err) {
         logger_default.error(err);
         res.status(500).send("Internal Server Error");
-        this.metricsCollector.error();
+        this.#metricsCollector.error();
       }
     };
   };
+  /**
+   * Middleware for logging requests
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   * @param next the next middleware function
+   */
+  static #logger(req, res, next) {
+    const startTime = Date.now();
+    res.on("finish", () => {
+      const elapsedTime = Date.now() - startTime;
+      const message = {
+        uid: req.body?.request?.uid,
+        method: req.method,
+        url: req.originalUrl,
+        status: res.statusCode,
+        duration: `${elapsedTime} ms`
+      };
+      res.statusCode >= 300 ? logger_default.warn(message) : logger_default.info(message);
+    });
+    next();
+  }
+  /**
+   * Health check endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   */
+  static #healthz(req, res) {
+    try {
+      res.send("OK");
+    } catch (err) {
+      logger_default.error(err);
+      res.status(500).send("Internal Server Error");
+    }
+  }
 };
 
 // src/lib/module.ts
 var PeprModule = class {
-  _controller;
+  #controller;
   /**
    * Create a new Pepr runtime
    *
    * @param config The configuration for the Pepr runtime
    * @param capabilities The capabilities to be loaded into the Pepr runtime
-   * @param _deferStart (optional) If set to `true`, the Pepr runtime will not be started automatically. This can be used to start the Pepr runtime manually with `start()`.
+   * @param opts Options for the Pepr runtime
    */
   constructor({ description, pepr }, capabilities = [], opts = {}) {
     const config = (0, import_ramda4.clone)(pepr);
     config.description = description;
-    const validOnErrors = ["ignore", "warn", "fail"];
-    if (!validOnErrors.includes(config.onError || "")) {
-      throw new Error(`Invalid onErrors value: ${config.onError}`);
-    }
+    ValidateError(config.onError);
+    this.start = this.start.bind(this);
     if (process.env.PEPR_MODE === "build" && process.send) {
-      process.send(capabilities);
+      const exportedCapabilities = [];
+      for (const capability of capabilities) {
+        exportedCapabilities.push({
+          name: capability.name,
+          description: capability.description,
+          namespaces: capability.namespaces,
+          bindings: capability.bindings
+        });
+      }
+      process.send(exportedCapabilities);
       return;
     }
-    this._controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
+    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
     if (opts.deferStart) {
       return;
     }
@@ -1501,7 +1557,7 @@ var PeprModule = class {
    * @param port
    */
   start(port = 3e3) {
-    this._controller.startServer(port);
+    this.#controller.startServer(port);
   }
 };
 // Annotate the CommonJS export names for ESM import in node: