pepr 0.13.3 → 0.14.0

package/dist/lib.js

@@ -31,565 +31,26 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var lib_exports = {};
 __export(lib_exports, {
   Capability: () => Capability,
+  K8s: () => import_kubernetes_fluent_client5.K8s,
   Log: () => logger_default,
   PeprModule: () => PeprModule,
   PeprMutateRequest: () => PeprMutateRequest,
   PeprUtils: () => utils_exports,
   PeprValidateRequest: () => PeprValidateRequest,
   R: () => R,
-  RegisterKind: () => RegisterKind,
-  a: () => upstream_exports,
-  fetch: () => fetch,
-  fetchRaw: () => fetchRaw,
-  fetchStatus: () => import_http_status_codes2.StatusCodes,
-  k8s: () => k8s
+  RegisterKind: () => import_kubernetes_fluent_client5.RegisterKind,
+  a: () => import_kubernetes_fluent_client5.kind,
+  fetch: () => import_kubernetes_fluent_client5.fetch,
+  fetchStatus: () => import_kubernetes_fluent_client5.fetchStatus,
+  kind: () => import_kubernetes_fluent_client5.kind
 });
 module.exports = __toCommonJS(lib_exports);
-var k8s = __toESM(require("@kubernetes/client-node"));
-var import_http_status_codes2 = require("http-status-codes");
+var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
 var R = __toESM(require("ramda"));
 
 // src/lib/capability.ts
-var import_ramda = require("ramda");
-
-// src/lib/k8s/upstream.ts
-var upstream_exports = {};
-__export(upstream_exports, {
-  APIService: () => import_client_node2.V1APIService,
-  CSIDriver: () => import_client_node2.V1CSIDriver,
-  CSIStorageCapacity: () => import_client_node2.V1CSIStorageCapacity,
-  CertificateSigningRequest: () => import_client_node2.V1CertificateSigningRequest,
-  ClusterRole: () => import_client_node2.V1ClusterRole,
-  ClusterRoleBinding: () => import_client_node2.V1ClusterRoleBinding,
-  ConfigMap: () => import_client_node2.V1ConfigMap,
-  ControllerRevision: () => import_client_node2.V1ControllerRevision,
-  CronJob: () => import_client_node2.V1CronJob,
-  CustomResourceDefinition: () => import_client_node2.V1CustomResourceDefinition,
-  DaemonSet: () => import_client_node2.V1DaemonSet,
-  Deployment: () => import_client_node2.V1Deployment,
-  EndpointSlice: () => import_client_node2.V1EndpointSlice,
-  GenericKind: () => GenericKind,
-  HorizontalPodAutoscaler: () => import_client_node2.V1HorizontalPodAutoscaler,
-  Ingress: () => import_client_node2.V1Ingress,
-  IngressClass: () => import_client_node2.V1IngressClass,
-  Job: () => import_client_node2.V1Job,
-  LimitRange: () => import_client_node2.V1LimitRange,
-  LocalSubjectAccessReview: () => import_client_node2.V1LocalSubjectAccessReview,
-  MutatingWebhookConfiguration: () => import_client_node2.V1MutatingWebhookConfiguration,
-  Namespace: () => import_client_node2.V1Namespace,
-  NetworkPolicy: () => import_client_node2.V1NetworkPolicy,
-  Node: () => import_client_node2.V1Node,
-  PersistentVolume: () => import_client_node2.V1PersistentVolume,
-  PersistentVolumeClaim: () => import_client_node2.V1PersistentVolumeClaim,
-  Pod: () => import_client_node2.V1Pod,
-  PodDisruptionBudget: () => import_client_node2.V1PodDisruptionBudget,
-  PodTemplate: () => import_client_node2.V1PodTemplate,
-  ReplicaSet: () => import_client_node2.V1ReplicaSet,
-  ReplicationController: () => import_client_node2.V1ReplicationController,
-  ResourceQuota: () => import_client_node2.V1ResourceQuota,
-  Role: () => import_client_node2.V1Role,
-  RoleBinding: () => import_client_node2.V1RoleBinding,
-  RuntimeClass: () => import_client_node2.V1RuntimeClass,
-  Secret: () => import_client_node2.V1Secret,
-  SelfSubjectAccessReview: () => import_client_node2.V1SelfSubjectAccessReview,
-  SelfSubjectRulesReview: () => import_client_node2.V1SelfSubjectRulesReview,
-  Service: () => import_client_node2.V1Service,
-  ServiceAccount: () => import_client_node2.V1ServiceAccount,
-  StatefulSet: () => import_client_node2.V1StatefulSet,
-  StorageClass: () => import_client_node2.V1StorageClass,
-  SubjectAccessReview: () => import_client_node2.V1SubjectAccessReview,
-  TokenReview: () => import_client_node2.V1TokenReview,
-  ValidatingWebhookConfiguration: () => import_client_node2.V1ValidatingWebhookConfiguration,
-  VolumeAttachment: () => import_client_node2.V1VolumeAttachment
-});
-var import_client_node2 = require("@kubernetes/client-node");
-
-// src/lib/k8s/types.ts
-var import_client_node = require("@kubernetes/client-node");
-var GenericKind = class {
-  apiVersion;
-  kind;
-  metadata;
-};
-
-// src/lib/k8s/kinds.ts
-var gvkMap = {
-  /**
-   * Represents a K8s ClusterRole resource.
-   * ClusterRole is a set of permissions that can be bound to a user or group in a cluster-wide scope.
-   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole}
-   */
-  V1ClusterRole: {
-    kind: "ClusterRole",
-    version: "v1",
-    group: "rbac.authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s ClusterRoleBinding resource.
-   * ClusterRoleBinding binds a ClusterRole to a user or group in a cluster-wide scope.
-   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding}
-   */
-  V1ClusterRoleBinding: {
-    kind: "ClusterRoleBinding",
-    version: "v1",
-    group: "rbac.authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s Role resource.
-   * Role is a set of permissions that can be bound to a user or group in a namespace scope.
-   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole}
-   */
-  V1Role: {
-    kind: "Role",
-    version: "v1",
-    group: "rbac.authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s RoleBinding resource.
-   * RoleBinding binds a Role to a user or group in a namespace scope.
-   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding}
-   */
-  V1RoleBinding: {
-    kind: "RoleBinding",
-    version: "v1",
-    group: "rbac.authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s ConfigMap resource.
-   * ConfigMap holds configuration data for pods to consume.
-   * @see {@link https://kubernetes.io/docs/concepts/configuration/configmap/}
-   */
-  V1ConfigMap: {
-    kind: "ConfigMap",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s Endpoints resource.
-   * Endpoints expose a service's IP addresses and ports to other resources.
-   * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/#endpoints}
-   */
-  V1Endpoint: {
-    kind: "Endpoints",
-    version: "v1",
-    group: "",
-    plural: "endpoints"
-  },
-  /**
-   * Represents a K8s LimitRange resource.
-   * LimitRange enforces constraints on the resource consumption of objects in a namespace.
-   * @see {@link https://kubernetes.io/docs/concepts/policy/limit-range/}
-   */
-  V1LimitRange: {
-    kind: "LimitRange",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s Namespace resource.
-   * Namespace is a way to divide cluster resources between multiple users.
-   * @see {@link https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/}
-   */
-  V1Namespace: {
-    kind: "Namespace",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s Node resource.
-   * Node is a worker machine in Kubernetes.
-   * @see {@link https://kubernetes.io/docs/concepts/architecture/nodes/}
-   */
-  V1Node: {
-    kind: "Node",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s PersistentVolumeClaim resource.
-   * PersistentVolumeClaim is a user's request for and claim to a persistent volume.
-   * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims}
-   */
-  V1PersistentVolumeClaim: {
-    kind: "PersistentVolumeClaim",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s PersistentVolume resource.
-   * PersistentVolume is a piece of storage in the cluster that has been provisioned by an administrator.
-   * @see {@link https://kubernetes.io/docs/concepts/storage/persistent-volumes/}
-   */
-  V1PersistentVolume: {
-    kind: "PersistentVolume",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s Pod resource.
-   * Pod is the smallest and simplest unit in the Kubernetes object model.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/}
-   */
-  V1Pod: {
-    kind: "Pod",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s PodTemplate resource.
-   * PodTemplate is an object that describes the pod that will be created from a higher level abstraction.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/#pod-template}
-   */
-  V1PodTemplate: {
-    kind: "PodTemplate",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s ReplicationController resource.
-   * ReplicationController ensures that a specified number of pod replicas are running at any given time.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/}
-   */
-  V1ReplicationController: {
-    kind: "ReplicationController",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s ResourceQuota resource.
-   * ResourceQuota provides constraints that limit resource consumption per namespace.
-   * @see {@link https://kubernetes.io/docs/concepts/policy/resource-quotas/}
-   */
-  V1ResourceQuota: {
-    kind: "ResourceQuota",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s Secret resource.
-   * Secret holds secret data of a certain type.
-   * @see {@link https://kubernetes.io/docs/concepts/configuration/secret/}
-   */
-  V1Secret: {
-    kind: "Secret",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s ServiceAccount resource.
-   * ServiceAccount is an identity that processes in a pod can use to access the Kubernetes API.
-   * @see {@link https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/}
-   */
-  V1ServiceAccount: {
-    kind: "ServiceAccount",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s Service resource.
-   * Service is an abstraction which defines a logical set of Pods and a policy by which to access them.
-   * @see {@link https://kubernetes.io/docs/concepts/services-networking/service/}
-   */
-  V1Service: {
-    kind: "Service",
-    version: "v1",
-    group: ""
-  },
-  /**
-   * Represents a K8s MutatingWebhookConfiguration resource.
-   * MutatingWebhookConfiguration configures a mutating admission webhook.
-   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
-   */
-  V1MutatingWebhookConfiguration: {
-    kind: "MutatingWebhookConfiguration",
-    version: "v1",
-    group: "admissionregistration.k8s.io"
-  },
-  /**
-   * Represents a K8s ValidatingWebhookConfiguration resource.
-   * ValidatingWebhookConfiguration configures a validating admission webhook.
-   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-fly}
-   */
-  V1ValidatingWebhookConfiguration: {
-    kind: "ValidatingWebhookConfiguration",
-    version: "v1",
-    group: "admissionregistration.k8s.io"
-  },
-  /**
-   * Represents a K8s CustomResourceDefinition resource.
-   * CustomResourceDefinition is a custom resource in a Kubernetes cluster.
-   * @see {@link https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/}
-   */
-  V1CustomResourceDefinition: {
-    kind: "CustomResourceDefinition",
-    version: "v1",
-    group: "apiextensions.k8s.io"
-  },
-  /**
-   * Represents a K8s APIService resource.
-   * APIService represents a server for a particular API version and group.
-   * @see {@link https://kubernetes.io/docs/tasks/access-kubernetes-api/setup-extension-api-server/}
-   */
-  V1APIService: {
-    kind: "APIService",
-    version: "v1",
-    group: "apiregistration.k8s.io"
-  },
-  /**
-   * Represents a K8s ControllerRevision resource.
-   * ControllerRevision is used to manage the history of a StatefulSet or DaemonSet.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#revision-history}
-   */
-  V1ControllerRevision: {
-    kind: "ControllerRevision",
-    version: "v1",
-    group: "apps"
-  },
-  /**
-   * Represents a K8s DaemonSet resource.
-   * DaemonSet ensures that all (or some) nodes run a copy of a Pod.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/}
-   */
-  V1DaemonSet: {
-    kind: "DaemonSet",
-    version: "v1",
-    group: "apps"
-  },
-  /**
-   * Represents a K8s Deployment resource.
-   * Deployment provides declarative updates for Pods and ReplicaSets.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/deployment/}
-   */
-  V1Deployment: {
-    kind: "Deployment",
-    version: "v1",
-    group: "apps"
-  },
-  /**
-   * Represents a K8s ReplicaSet resource.
-   * ReplicaSet ensures that a specified number of pod replicas are running at any given time.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/}
-   */
-  V1ReplicaSet: {
-    kind: "ReplicaSet",
-    version: "v1",
-    group: "apps"
-  },
-  /**
-   * Represents a K8s StatefulSet resource.
-   * StatefulSet is used to manage stateful applications.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/}
-   */
-  V1StatefulSet: {
-    kind: "StatefulSet",
-    version: "v1",
-    group: "apps"
-  },
-  /**
-   * Represents a K8s TokenReview resource.
-   * TokenReview attempts to authenticate a token to a known user.
-   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#tokenreview-v1-authentication-k8s-io}
-   */
-  V1TokenReview: {
-    kind: "TokenReview",
-    version: "v1",
-    group: "authentication.k8s.io"
-  },
-  /**
-   * Represents a K8s LocalSubjectAccessReview resource.
-   * LocalSubjectAccessReview checks whether a specific user can perform a specific action in a specific namespace.
-   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#localsubjectaccessreview-v1-authorization-k8s-io}
-   */
-  V1LocalSubjectAccessReview: {
-    kind: "LocalSubjectAccessReview",
-    version: "v1",
-    group: "authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s SelfSubjectAccessReview resource.
-   * SelfSubjectAccessReview checks whether the current user can perform a specific action.
-   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectaccessreview-v1-authorization-k8s-io}
-   */
-  V1SelfSubjectAccessReview: {
-    kind: "SelfSubjectAccessReview",
-    version: "v1",
-    group: "authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s SelfSubjectRulesReview resource.
-   * SelfSubjectRulesReview lists the permissions a specific user has within a namespace.
-   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#selfsubjectrulesreview-v1-authorization-k8s-io}
-   */
-  V1SelfSubjectRulesReview: {
-    kind: "SelfSubjectRulesReview",
-    version: "v1",
-    group: "authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s SubjectAccessReview resource.
-   * SubjectAccessReview checks whether a specific user can perform a specific action.
-   * @see {@link https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#subjectaccessreview-v1-authorization-k8s-io}
-   */
-  V1SubjectAccessReview: {
-    kind: "SubjectAccessReview",
-    version: "v1",
-    group: "authorization.k8s.io"
-  },
-  /**
-   * Represents a K8s HorizontalPodAutoscaler resource.
-   * HorizontalPodAutoscaler automatically scales the number of Pods in a replication controller, deployment, or replica set.
-   * @see {@link https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/}
-   */
-  V1HorizontalPodAutoscaler: {
-    kind: "HorizontalPodAutoscaler",
-    version: "v2",
-    group: "autoscaling"
-  },
-  /**
-   * Represents a K8s CronJob resource.
-   * CronJob manages time-based jobs, specifically those that run periodically and complete after a successful execution.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/}
-   */
-  V1CronJob: {
-    kind: "CronJob",
-    version: "v1",
-    group: "batch"
-  },
-  /**
-   * Represents a K8s Job resource.
-   * Job represents the configuration of a single job.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/controllers/job/}
-   */
-  V1Job: {
-    kind: "Job",
-    version: "v1",
-    group: "batch"
-  },
-  /**
-   * Represents a K8s CertificateSigningRequest resource.
-   * CertificateSigningRequest represents a certificate signing request.
-   * @see {@link https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/}
-   */
-  V1CertificateSigningRequest: {
-    kind: "CertificateSigningRequest",
-    version: "v1",
-    group: "certificates.k8s.io"
-  },
-  /**
-   * Represents a K8s EndpointSlice resource.
-   * EndpointSlice represents a scalable set of network endpoints for a Kubernetes Service.
-   * @see {@link https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/}
-   */
-  V1EndpointSlice: {
-    kind: "EndpointSlice",
-    version: "v1",
-    group: "discovery.k8s.io"
-  },
-  /**
-   * Represents a K8s IngressClass resource.
-   * IngressClass represents the class of the Ingress, referenced by the Ingress spec.
-   * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
-   */
-  V1IngressClass: {
-    kind: "IngressClass",
-    version: "v1",
-    group: "networking.k8s.io"
-  },
-  /**
-   * Represents a K8s Ingress resource.
-   * Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
-   * @see {@link https://kubernetes.io/docs/concepts/services-networking/ingress/}
-   */
-  V1Ingress: {
-    kind: "Ingress",
-    version: "v1",
-    group: "networking.k8s.io",
-    plural: "ingresses"
-  },
-  /**
-   * Represents a K8s NetworkPolicy resource.
-   * NetworkPolicy defines a set of rules for how pods communicate with each other.
-   * @see {@link https://kubernetes.io/docs/concepts/services-networking/network-policies/}
-   */
-  V1NetworkPolicy: {
-    kind: "NetworkPolicy",
-    version: "v1",
-    group: "networking.k8s.io"
-  },
-  /**
-   * Represents a K8s RuntimeClass resource.
-   * RuntimeClass is a cluster-scoped resource that surfaces container runtime properties to the control plane.
-   * @see {@link https://kubernetes.io/docs/concepts/containers/runtime-class/}
-   */
-  V1RuntimeClass: {
-    kind: "RuntimeClass",
-    version: "v1",
-    group: "node.k8s.io"
-  },
-  /**
-   * Represents a K8s PodDisruptionBudget resource.
-   * PodDisruptionBudget is an API object that limits the number of pods of a replicated application that are down simultaneously.
-   * @see {@link https://kubernetes.io/docs/concepts/workloads/pods/disruptions/}
-   */
-  V1PodDisruptionBudget: {
-    kind: "PodDisruptionBudget",
-    version: "v1",
-    group: "policy"
-  },
-  /**
-   * Represents a K8s VolumeAttachment resource.
-   * VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node.
-   * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
-   */
-  V1VolumeAttachment: {
-    kind: "VolumeAttachment",
-    version: "v1",
-    group: "storage.k8s.io"
-  },
-  /**
-   * Represents a K8s CSIDriver resource.
-   * CSIDriver captures information about a Container Storage Interface (CSI) volume driver.
-   * @see {@link https://kubernetes.io/docs/concepts/storage/volumes/}
-   */
-  V1CSIDriver: {
-    kind: "CSIDriver",
-    version: "v1",
-    group: "storage.k8s.io"
-  },
-  /**
-   * Represents a K8s CSIStorageCapacity resource.
-   * CSIStorageCapacity stores the reported storage capacity of a CSI node or storage class.
-   * @see {@link https://kubernetes.io/docs/concepts/storage/csi/}
-   */
-  V1CSIStorageCapacity: {
-    kind: "CSIStorageCapacity",
-    version: "v1",
-    group: "storage.k8s.io"
-  },
-  /**
-   * Represents a K8s StorageClass resource.
-   * StorageClass is a cluster-scoped resource that provides a way for administrators to describe the classes of storage they offer.
-   * @see {@link https://kubernetes.io/docs/concepts/storage/storage-classes/}
-   */
-  V1StorageClass: {
-    kind: "StorageClass",
-    version: "v1",
-    group: "storage.k8s.io"
-  }
-};
-function modelToGroupVersionKind(key) {
-  return gvkMap[key];
-}
-var RegisterKind = (model, groupVersionKind) => {
-  const name = model.name;
-  if (gvkMap[name]) {
-    throw new Error(`GVK ${name} already registered`);
-  }
-  gvkMap[name] = groupVersionKind;
-};
-
-// src/lib/k8s/index.ts
-var isWatchMode = process.env.PEPR_WATCH_MODE === "true";
+var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
+var import_ramda6 = require("ramda");
 
 // src/lib/logger.ts
 var import_pino = require("pino");
@@ -609,172 +70,10 @@ if (process.env.LOG_LEVEL) {
 }
 var logger_default = Log;
 
-// src/lib/capability.ts
-var Capability = class {
-  #name;
-  #description;
-  #namespaces;
-  #bindings = [];
-  get bindings() {
-    return this.#bindings;
-  }
-  get name() {
-    return this.#name;
-  }
-  get description() {
-    return this.#description;
-  }
-  get namespaces() {
-    return this.#namespaces || [];
-  }
-  constructor(cfg) {
-    this.#name = cfg.name;
-    this.#description = cfg.description;
-    this.#namespaces = cfg.namespaces;
-    this.When = this.When.bind(this);
-    logger_default.info(`Capability ${this.#name} registered`);
-    logger_default.debug(cfg);
-  }
-  /**
-   * The When method is used to register a capability action to be executed when a Kubernetes resource is
-   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
-   * filters that are applied.
-   *
-   * @param model the KubernetesObject model to match
-   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
-   * @returns
-   */
-  When(model, kind) {
-    const matchedKind = modelToGroupVersionKind(model.name);
-    if (!matchedKind && !kind) {
-      throw new Error(`Kind not specified for ${model.name}`);
-    }
-    const binding = {
-      // If the kind is not specified, use the matched kind from the model
-      kind: kind || matchedKind,
-      event: "*" /* Any */,
-      filters: {
-        name: "",
-        namespaces: [],
-        labels: {},
-        annotations: {}
-      }
-    };
-    const bindings = this.#bindings;
-    const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate };
-    const isNotEmpty = (value) => Object.keys(value).length > 0;
-    const log = (message, cbString) => {
-      const filteredObj = (0, import_ramda.pickBy)(isNotEmpty, binding.filters);
-      logger_default.info(`${message} configured for ${binding.event}`, prefix);
-      logger_default.info(filteredObj, prefix);
-      logger_default.debug(cbString, prefix);
-    };
-    function Validate(validateCallback) {
-      if (!isWatchMode) {
-        log("Validate Action", validateCallback.toString());
-        bindings.push({
-          ...binding,
-          isValidate: true,
-          validateCallback
-        });
-      }
-    }
-    function Mutate(mutateCallback) {
-      if (!isWatchMode) {
-        log("Mutate Action", mutateCallback.toString());
-        bindings.push({
-          ...binding,
-          isMutate: true,
-          mutateCallback
-        });
-      }
-      return { Validate };
-    }
-    function InNamespace(...namespaces) {
-      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
-      binding.filters.namespaces.push(...namespaces);
-      return { ...commonChain, WithName };
-    }
-    function WithName(name) {
-      logger_default.debug(`Add name filter ${name}`, prefix);
-      binding.filters.name = name;
-      return commonChain;
-    }
-    function WithLabel(key, value = "") {
-      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
-      binding.filters.labels[key] = value;
-      return commonChain;
-    }
-    function WithAnnotation(key, value = "") {
-      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
-      binding.filters.annotations[key] = value;
-      return commonChain;
-    }
-    function bindEvent(event) {
-      binding.event = event;
-      return {
-        ...commonChain,
-        InNamespace,
-        WithName
-      };
-    }
-    return {
-      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
-      IsCreated: () => bindEvent("CREATE" /* Create */),
-      IsUpdated: () => bindEvent("UPDATE" /* Update */),
-      IsDeleted: () => bindEvent("DELETE" /* Delete */)
-    };
-  }
-};
-
-// src/lib/fetch.ts
-var import_http_status_codes = require("http-status-codes");
-var import_node_fetch = __toESM(require("node-fetch"));
-var fetchRaw = import_node_fetch.default;
-async function fetch(url, init) {
-  let data = void 0;
-  try {
-    logger_default.debug(init, `Fetching ${url}`);
-    const resp = await fetchRaw(url, init);
-    const contentType = resp.headers.get("content-type") || "";
-    if (resp.ok) {
-      if (contentType.includes("application/json")) {
-        data = await resp.json();
-      } else {
-        data = await resp.text();
-      }
-    }
-    return {
-      data,
-      ok: resp.ok,
-      status: resp.status,
-      statusText: resp.statusText
-    };
-  } catch (e) {
-    if (e instanceof import_node_fetch.FetchError) {
-      logger_default.debug(`Fetch failed: ${e instanceof Error ? e.message : e}`);
-      const status = parseInt(e.code || "400");
-      return {
-        data,
-        ok: false,
-        status,
-        statusText: e.message
-      };
-    }
-    return {
-      data,
-      ok: false,
-      status: import_http_status_codes.StatusCodes.BAD_REQUEST,
-      statusText: "Unknown error"
-    };
-  }
-}
-
 // src/lib/module.ts
 var import_ramda4 = require("ramda");
 
-// src/lib/controller.ts
+// src/lib/controller/index.ts
 var import_express = __toESM(require("express"));
 var import_fs = __toESM(require("fs"));
 var import_https = __toESM(require("https"));
@@ -806,69 +105,55 @@ var MetricsCollector = class {
     this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
     this.addSummary(this.#metricNames.validate, "Validation operation summary");
   }
-  #getMetricName(name) {
-    return `${this.#prefix}_${name}`;
-  }
-  #addMetric(collection, MetricType, name, help) {
+  #getMetricName = (name) => `${this.#prefix}_${name}`;
+  #addMetric = (collection, MetricType, name, help) => {
     if (collection.has(this.#getMetricName(name))) {
       logger_default.debug(`Metric for ${name} already exists`, loggingPrefix);
       return;
     }
-    this.incCounter = this.incCounter.bind(this);
-    this.error = this.error.bind(this);
-    this.alert = this.alert.bind(this);
-    this.observeStart = this.observeStart.bind(this);
-    this.observeEnd = this.observeEnd.bind(this);
-    this.getMetrics = this.getMetrics.bind(this);
     const metric = new MetricType({
       name: this.#getMetricName(name),
       help,
       registers: [this.#registry]
     });
     collection.set(this.#getMetricName(name), metric);
-  }
-  addCounter(name, help) {
+  };
+  addCounter = (name, help) => {
     this.#addMetric(this.#counters, import_prom_client.default.Counter, name, help);
-  }
-  addSummary(name, help) {
+  };
+  addSummary = (name, help) => {
     this.#addMetric(this.#summaries, import_prom_client.default.Summary, name, help);
-  }
-  incCounter(name) {
+  };
+  incCounter = (name) => {
     this.#counters.get(this.#getMetricName(name))?.inc();
-  }
+  };
   /**
    * Increments the error counter.
    */
-  error() {
-    this.incCounter(this.#metricNames.errors);
-  }
+  error = () => this.incCounter(this.#metricNames.errors);
   /**
    * Increments the alerts counter.
    */
-  alert() {
-    this.incCounter(this.#metricNames.alerts);
-  }
-  /**
-   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
-   * @returns The timestamp.
-   */
-  observeStart() {
-    return import_perf_hooks.performance.now();
-  }
+  alert = () => this.incCounter(this.#metricNames.alerts);
   /**
    * Observes the duration since the provided start time and updates the summary.
    * @param startTime - The start time.
    * @param name - The metrics summary to increment.
    */
-  observeEnd(startTime, name = this.#metricNames.mutate) {
+  observeEnd = (startTime, name = this.#metricNames.mutate) => {
     this.#summaries.get(this.#getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
-  }
+  };
   /**
    * Fetches the current metrics from the registry.
    * @returns The metrics.
    */
-  async getMetrics() {
-    return this.#registry.metrics();
+  getMetrics = () => this.#registry.metrics();
+  /**
+   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
+   * @returns The timestamp.
+   */
+  static observeStart() {
+    return import_perf_hooks.performance.now();
   }
 };
 
@@ -888,9 +173,20 @@ function ValidateError(error = "") {
   }
 }
 
+// src/lib/k8s.ts
+var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
+var PeprStore = class extends import_kubernetes_fluent_client.GenericKind {
+};
+var peprStoreGVK = {
+  kind: "PeprStore",
+  version: "v1",
+  group: "pepr.dev"
+};
+(0, import_kubernetes_fluent_client.RegisterKind)(PeprStore, peprStoreGVK);
+
 // src/lib/filter.ts
 function shouldSkipRequest(binding, req, capabilityNamespaces) {
-  const { group, kind, version } = binding.kind || {};
+  const { group, kind: kind2, version } = binding.kind || {};
   const { namespaces, labels, annotations, name } = binding.filters || {};
   const operation = req.operation.toUpperCase();
   const srcObject = operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
@@ -902,7 +198,7 @@ function shouldSkipRequest(binding, req, capabilityNamespaces) {
   if (name && name !== req.name) {
     return true;
   }
-  if (kind !== req.kind.kind) {
+  if (kind2 !== req.kind.kind) {
     return true;
   }
   if (group && group !== req.kind.group) {
@@ -941,7 +237,7 @@ function shouldSkipRequest(binding, req, capabilityNamespaces) {
 }
 
 // src/lib/mutate-request.ts
-var import_ramda2 = require("ramda");
+var import_ramda = require("ramda");
 var PeprMutateRequest = class {
   Raw;
   #input;
@@ -975,17 +271,10 @@ var PeprMutateRequest = class {
    */
   constructor(input) {
     this.#input = input;
-    this.Merge = this.Merge.bind(this);
-    this.SetLabel = this.SetLabel.bind(this);
-    this.SetAnnotation = this.SetAnnotation.bind(this);
-    this.RemoveLabel = this.RemoveLabel.bind(this);
-    this.RemoveAnnotation = this.RemoveAnnotation.bind(this);
-    this.HasLabel = this.HasLabel.bind(this);
-    this.HasAnnotation = this.HasAnnotation.bind(this);
     if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda2.clone)(input.oldObject);
+      this.Raw = (0, import_ramda.clone)(input.oldObject);
     } else {
-      this.Raw = (0, import_ramda2.clone)(input.object);
+      this.Raw = (0, import_ramda.clone)(input.object);
     }
     if (!this.Raw) {
       throw new Error("unable to load the request object into PeprRequest.RawP");
@@ -996,75 +285,75 @@ var PeprMutateRequest = class {
    *
    * @param obj - The object to merge with the current resource.
    */
-  Merge(obj) {
-    this.Raw = (0, import_ramda2.mergeDeepRight)(this.Raw, obj);
-  }
+  Merge = (obj) => {
+    this.Raw = (0, import_ramda.mergeDeepRight)(this.Raw, obj);
+  };
   /**
    * Updates a label on the Kubernetes resource.
    * @param key - The key of the label to update.
    * @param value - The value of the label.
    * @returns The current action instance for method chaining.
    */
-  SetLabel(key, value) {
+  SetLabel = (key, value) => {
     const ref = this.Raw;
     ref.metadata = ref.metadata ?? {};
     ref.metadata.labels = ref.metadata.labels ?? {};
     ref.metadata.labels[key] = value;
     return this;
-  }
+  };
   /**
    * Updates an annotation on the Kubernetes resource.
    * @param key - The key of the annotation to update.
    * @param value - The value of the annotation.
    * @returns The current action instance for method chaining.
    */
-  SetAnnotation(key, value) {
+  SetAnnotation = (key, value) => {
     const ref = this.Raw;
     ref.metadata = ref.metadata ?? {};
     ref.metadata.annotations = ref.metadata.annotations ?? {};
     ref.metadata.annotations[key] = value;
     return this;
-  }
+  };
   /**
    * Removes a label from the Kubernetes resource.
    * @param key - The key of the label to remove.
    * @returns The current Action instance for method chaining.
    */
-  RemoveLabel(key) {
+  RemoveLabel = (key) => {
     if (this.Raw.metadata?.labels?.[key]) {
       delete this.Raw.metadata.labels[key];
     }
     return this;
-  }
+  };
   /**
    * Removes an annotation from the Kubernetes resource.
    * @param key - The key of the annotation to remove.
    * @returns The current Action instance for method chaining.
    */
-  RemoveAnnotation(key) {
+  RemoveAnnotation = (key) => {
     if (this.Raw.metadata?.annotations?.[key]) {
       delete this.Raw.metadata.annotations[key];
     }
     return this;
-  }
+  };
   /**
    * Check if a label exists on the Kubernetes resource.
    *
    * @param key the label key to check
    * @returns
    */
-  HasLabel(key) {
+  HasLabel = (key) => {
     return this.Raw.metadata?.labels?.[key] !== void 0;
-  }
+  };
   /**
    * Check if an annotation exists on the Kubernetes resource.
    *
    * @param key the annotation key to check
    * @returns
    */
-  HasAnnotation(key) {
+  HasAnnotation = (key) => {
     return this.Raw.metadata?.annotations?.[key] !== void 0;
-  }
+  };
 };
 
 // src/lib/utils.ts
@@ -1193,7 +482,7 @@ async function mutateProcessor(config, capabilities, req, reqMetadata) {
 }
 
 // src/lib/validate-request.ts
-var import_ramda3 = require("ramda");
+var import_ramda2 = require("ramda");
 var PeprValidateRequest = class {
   Raw;
   #input;
@@ -1217,17 +506,13 @@ var PeprValidateRequest = class {
    */
   constructor(input) {
     this.#input = input;
-    this.HasLabel = this.HasLabel.bind(this);
-    this.HasAnnotation = this.HasAnnotation.bind(this);
-    this.Approve = this.Approve.bind(this);
-    this.Deny = this.Deny.bind(this);
     if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda3.clone)(input.oldObject);
+      this.Raw = (0, import_ramda2.clone)(input.oldObject);
     } else {
-      this.Raw = (0, import_ramda3.clone)(input.object);
+      this.Raw = (0, import_ramda2.clone)(input.object);
     }
     if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.RawP");
+      throw new Error("unable to load the request object into PeprRequest.Raw");
     }
   }
   /**
@@ -1236,28 +521,28 @@ var PeprValidateRequest = class {
    * @param key the label key to check
    * @returns
    */
-  HasLabel(key) {
+  HasLabel = (key) => {
     return this.Raw.metadata?.labels?.[key] !== void 0;
-  }
+  };
   /**
    * Check if an annotation exists on the Kubernetes resource.
    *
    * @param key the annotation key to check
    * @returns
    */
-  HasAnnotation(key) {
+  HasAnnotation = (key) => {
     return this.Raw.metadata?.annotations?.[key] !== void 0;
-  }
+  };
   /**
    * Create a validation response that allows the request.
    *
    * @returns The validation response.
    */
-  Approve() {
+  Approve = () => {
     return {
       allowed: true
     };
-  }
+  };
   /**
    * Create a validation response that denies the request.
    *
@@ -1265,13 +550,13 @@ var PeprValidateRequest = class {
    * @param statusCode Optional status code to return to the user.
    * @returns The validation response.
    */
-  Deny(statusMessage, statusCode) {
+  Deny = (statusMessage, statusCode) => {
     return {
       allowed: false,
       statusCode,
       statusMessage
     };
-  }
+  };
 };
 
 // src/lib/validate-processor.ts
@@ -1322,7 +607,125 @@ async function validateProcessor(capabilities, req, reqMetadata) {
   return response;
 }
 
-// src/lib/controller.ts
+// src/lib/controller/store.ts
+var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
+var import_ramda3 = require("ramda");
+var namespace = "pepr-system";
+var debounceBackoff = 5e3;
+var PeprControllerStore = class {
+  #name;
+  #stores = {};
+  #sendDebounce;
+  #onReady;
+  constructor(config, capabilities, onReady) {
+    this.#onReady = onReady;
+    this.#name = `pepr-${config.uuid}-store`;
+    for (const { name, registerStore } of capabilities) {
+      const { store } = registerStore();
+      store.registerSender(this.#send(name));
+      this.#stores[name] = store;
+    }
+    setTimeout(
+      () => (0, import_kubernetes_fluent_client2.K8s)(PeprStore).InNamespace(namespace).Get(this.#name).then(this.#setupWatch).catch(this.#createStoreResource),
+      Math.random() * 3e3
+    );
+  }
+  #setupWatch = () => {
+    void (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { name: this.#name, namespace }).Watch(this.#receive);
+  };
+  #receive = (store) => {
+    logger_default.debug(store, "Pepr Store update");
+    const debounced = () => {
+      const data = store.data || {};
+      for (const name of Object.keys(this.#stores)) {
+        const offset = `${name}-`.length;
+        const filtered = {};
+        for (const key of Object.keys(data)) {
+          if ((0, import_ramda3.startsWith)(name, key)) {
+            filtered[key.slice(offset)] = data[key];
+          }
+        }
+        this.#stores[name].receive(filtered);
+      }
+      if (this.#onReady) {
+        this.#onReady();
+        this.#onReady = void 0;
+      }
+    };
+    clearTimeout(this.#sendDebounce);
+    this.#sendDebounce = setTimeout(debounced, debounceBackoff);
+  };
+  #send = (capabilityName) => {
+    const sendCache = {};
+    const fillCache = (op, key, val) => {
+      if (op === "add") {
+        const path = `/data/${capabilityName}-${key}`;
+        const value = val || "";
+        const cacheIdx = [op, path, value].join(":");
+        sendCache[cacheIdx] = { op, path, value };
+        return;
+      }
+      if (op === "remove") {
+        if (key.length < 1) {
+          throw new Error(`Key is required for REMOVE operation`);
+        }
+        for (const k of key) {
+          const path = `/data/${capabilityName}-${k}`;
+          const cacheIdx = [op, path].join(":");
+          sendCache[cacheIdx] = { op, path };
+        }
+        return;
+      }
+      throw new Error(`Unsupported operation: ${op}`);
+    };
+    const flushCache = async () => {
+      const indexes = Object.keys(sendCache);
+      const payload = Object.values(sendCache);
+      for (const idx of indexes) {
+        delete sendCache[idx];
+      }
+      try {
+        await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
+      } catch (err) {
+        logger_default.error(err, "Pepr store update failure");
+        for (const idx of indexes) {
+          sendCache[idx] = payload[Number(idx)];
+        }
+      }
+    };
+    const sender = async (op, key, val) => {
+      fillCache(op, key, val);
+    };
+    setInterval(() => {
+      if (Object.keys(sendCache).length > 0) {
+        logger_default.debug(sendCache, "Sending updates to Pepr store");
+        void flushCache();
+      }
+    }, debounceBackoff);
+    return sender;
+  };
+  #createStoreResource = async (e) => {
+    logger_default.info(`Pepr store not found, creating...`);
+    logger_default.debug(e);
+    try {
+      await (0, import_kubernetes_fluent_client2.K8s)(PeprStore).Apply({
+        metadata: {
+          name: this.#name,
+          namespace
+        },
+        data: {
+          // JSON Patch will die if the data is empty, so we need to add a placeholder
+          __pepr_do_not_delete__: "k-thx-bye"
+        }
+      });
+      this.#setupWatch();
+    } catch (err) {
+      logger_default.error(err, "Failed to create Pepr store");
+    }
+  };
+};
+
+// src/lib/controller/index.ts
 var Controller = class _Controller {
   // Track whether the server is running
   #running = false;
@@ -1337,24 +740,27 @@ var Controller = class _Controller {
   #capabilities;
   #beforeHook;
   #afterHook;
-  constructor(config, capabilities, beforeHook, afterHook) {
+  constructor(config, capabilities, beforeHook, afterHook, onReady) {
     this.#config = config;
     this.#capabilities = capabilities;
-    this.#beforeHook = beforeHook;
-    this.#afterHook = afterHook;
-    this.startServer = this.startServer.bind(this);
+    new PeprControllerStore(config, capabilities, () => {
+      this.#bindEndpoints();
+      onReady && onReady();
+      logger_default.info("\u2705 Controller startup complete");
+    });
     this.#app.use(_Controller.#logger);
     this.#app.use(import_express.default.json({ limit: "2mb" }));
     if (beforeHook) {
       logger_default.info(`Using beforeHook: ${beforeHook}`);
+      this.#beforeHook = beforeHook;
     }
     if (afterHook) {
       logger_default.info(`Using afterHook: ${afterHook}`);
+      this.#afterHook = afterHook;
     }
-    this.#bindEndpoints();
   }
   /** Start the webhook server */
-  startServer(port) {
+  startServer = (port) => {
     if (this.#running) {
       throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
     }
@@ -1362,7 +768,7 @@ var Controller = class _Controller {
       key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
       cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
     };
-    if (!isWatchMode) {
+    if (!isWatchMode()) {
       this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
       logger_default.info(`Using API token: ${this.#token}`);
       if (!this.#token) {
@@ -1392,11 +798,11 @@ var Controller = class _Controller {
         process.exit(0);
       });
     });
-  }
+  };
   #bindEndpoints = () => {
     this.#app.get("/healthz", _Controller.#healthz);
     this.#app.get("/metrics", this.#metrics);
-    if (isWatchMode) {
+    if (isWatchMode()) {
       return;
     }
     this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
@@ -1444,16 +850,16 @@ var Controller = class _Controller {
    */
   #admissionReq = (admissionKind) => {
     return async (req, res) => {
-      const startTime = this.#metricsCollector.observeStart();
+      const startTime = MetricsCollector.observeStart();
       try {
         const request = req.body?.request || {};
         this.#beforeHook && this.#beforeHook(request || {});
         const name = request?.name ? `/${request.name}` : "";
-        const namespace = request?.namespace || "";
+        const namespace2 = request?.namespace || "";
         const gvk = request?.kind || { group: "", version: "", kind: "" };
         const reqMetadata = {
           uid: request.uid,
-          namespace,
+          namespace: namespace2,
           name
         };
         logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
@@ -1517,7 +923,44 @@ var Controller = class _Controller {
   }
 };
 
+// src/lib/watch-processor.ts
+var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
+var import_types2 = require("kubernetes-fluent-client/dist/fluent/types");
+function setupWatch(capabilities) {
+  capabilities.flatMap((c) => c.bindings).filter((binding) => binding.isWatch).forEach(runBinding);
+}
+async function runBinding(binding) {
+  const eventToPhaseMap = {
+    ["CREATE" /* Create */]: [import_types2.WatchPhase.Added],
+    ["UPDATE" /* Update */]: [import_types2.WatchPhase.Modified],
+    ["CREATEORUPDATE" /* CreateOrUpdate */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified],
+    ["DELETE" /* Delete */]: [import_types2.WatchPhase.Deleted],
+    ["*" /* Any */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified, import_types2.WatchPhase.Deleted]
+  };
+  const phaseMatch = eventToPhaseMap[binding.event] || eventToPhaseMap["*" /* Any */];
+  const watchCfg = {
+    retryMax: 3,
+    retryDelaySec: 5,
+    retryFail(e) {
+      logger_default.error(e, "Watch failed after 3 attempts, giving up");
+      process.exit(1);
+    }
+  };
+  await (0, import_kubernetes_fluent_client3.K8s)(binding.model, binding.filters).Watch((obj, type) => {
+    if (phaseMatch.includes(type)) {
+      try {
+        void binding.watchCallback?.(obj, type);
+      } catch (e) {
+        logger_default.error(e, "Error executing watch callback");
+      }
+    }
+  }, watchCfg);
+}
+
 // src/lib/module.ts
+var isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
+var isBuildMode = () => process.env.PEPR_MODE === "build";
+var isDevMode = () => process.env.PEPR_MODE === "dev";
 var PeprModule = class {
   #controller;
   /**
@@ -1531,8 +974,10 @@ var PeprModule = class {
     const config = (0, import_ramda4.clone)(pepr);
     config.description = description;
     ValidateError(config.onError);
-    this.start = this.start.bind(this);
-    if (process.env.PEPR_MODE === "build" && process.send) {
+    if (isBuildMode()) {
+      if (!process.send) {
+        throw new Error("process.send is not defined");
+      }
       const exportedCapabilities = [];
       for (const capability of capabilities) {
         exportedCapabilities.push({
@@ -1545,7 +990,11 @@ var PeprModule = class {
       process.send(exportedCapabilities);
       return;
     }
-    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook);
+    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
+      if (isWatchMode() || isDevMode()) {
+        setupWatch(capabilities);
+      }
+    });
     if (opts.deferStart) {
       return;
     }
@@ -1557,13 +1006,242 @@ var PeprModule = class {
    *
    * @param port
    */
-  start(port = 3e3) {
+  start = (port = 3e3) => {
     this.#controller.startServer(port);
+  };
+};
+
+// src/lib/storage.ts
+var import_ramda5 = require("ramda");
+var Storage = class {
+  #store = {};
+  #send;
+  #subscribers = {};
+  #subscriberId = 0;
+  #readyHandlers = [];
+  registerSender = (send) => {
+    this.#send = send;
+  };
+  receive = (data) => {
+    logger_default.debug(data, `Pepr store data received`);
+    this.#store = data || {};
+    this.#onReady();
+    for (const idx in this.#subscribers) {
+      this.#subscribers[idx]((0, import_ramda5.clone)(this.#store));
+    }
+  };
+  getItem = (key) => {
+    return this.#store[key] || null;
+  };
+  clear = () => {
+    this.#dispatchUpdate("remove", Object.keys(this.#store));
+  };
+  removeItem = (key) => {
+    this.#dispatchUpdate("remove", [key]);
+  };
+  setItem = (key, value) => {
+    this.#dispatchUpdate("add", [key], value);
+  };
+  subscribe = (subscriber) => {
+    const idx = this.#subscriberId++;
+    this.#subscribers[idx] = subscriber;
+    return () => this.unsubscribe(idx);
+  };
+  onReady = (callback) => {
+    this.#readyHandlers.push(callback);
+  };
+  /**
+   * Remove a subscriber from the list of subscribers.
+   * @param idx - The index of the subscriber to remove.
+   */
+  unsubscribe = (idx) => {
+    delete this.#subscribers[idx];
+  };
+  #onReady = () => {
+    for (const handler of this.#readyHandlers) {
+      handler((0, import_ramda5.clone)(this.#store));
+    }
+    this.#onReady = () => {
+    };
+  };
+  /**
+   * Dispatch an update to the store and notify all subscribers.
+   * @param  op - The type of operation to perform.
+   * @param  keys - The keys to update.
+   * @param  [value] - The new value.
+   */
+  #dispatchUpdate = (op, keys, value) => {
+    this.#send(op, keys, value);
+  };
+};
+
+// src/lib/capability.ts
+var registerAdmission = isBuildMode() || !isWatchMode();
+var registerWatch = isBuildMode() || isWatchMode() || isDevMode();
+var Capability = class {
+  #name;
+  #description;
+  #namespaces;
+  #bindings = [];
+  #store = new Storage();
+  #registered = false;
+  /**
+   * Store is a key-value data store that can be used to persist data that should be shared
+   * between requests. Each capability has its own store, and the data is persisted in Kubernetes
+   * in the `pepr-system` namespace.
+   *
+   * Note: You should only access the store from within an action.
+   */
+  Store = {
+    clear: this.#store.clear,
+    getItem: this.#store.getItem,
+    removeItem: this.#store.removeItem,
+    setItem: this.#store.setItem,
+    subscribe: this.#store.subscribe,
+    onReady: this.#store.onReady
+  };
+  get bindings() {
+    return this.#bindings;
+  }
+  get name() {
+    return this.#name;
+  }
+  get description() {
+    return this.#description;
   }
+  get namespaces() {
+    return this.#namespaces || [];
+  }
+  constructor(cfg) {
+    this.#name = cfg.name;
+    this.#description = cfg.description;
+    this.#namespaces = cfg.namespaces;
+    logger_default.info(`Capability ${this.#name} registered`);
+    logger_default.debug(cfg);
+  }
+  /**
+   * Register the store with the capability. This is called automatically by the Pepr controller.
+   *
+   * @param store
+   */
+  registerStore = () => {
+    logger_default.info(`Registering store for ${this.#name}`);
+    if (this.#registered) {
+      throw new Error(`Store already registered for ${this.#name}`);
+    }
+    this.#registered = true;
+    return {
+      store: this.#store
+    };
+  };
+  /**
+   * The When method is used to register a action to be executed when a Kubernetes resource is
+   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
+   * filters that are applied.
+   *
+   * @param model the KubernetesObject model to match
+   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
+   * @returns
+   */
+  When = (model, kind2) => {
+    const matchedKind = (0, import_kubernetes_fluent_client4.modelToGroupVersionKind)(model.name);
+    if (!matchedKind && !kind2) {
+      throw new Error(`Kind not specified for ${model.name}`);
+    }
+    const binding = {
+      model,
+      // If the kind is not specified, use the matched kind from the model
+      kind: kind2 || matchedKind,
+      event: "*" /* Any */,
+      filters: {
+        name: "",
+        namespaces: [],
+        labels: {},
+        annotations: {}
+      }
+    };
+    const bindings = this.#bindings;
+    const prefix = `${this.#name}: ${model.name}`;
+    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch };
+    const isNotEmpty = (value) => Object.keys(value).length > 0;
+    const log = (message, cbString) => {
+      const filteredObj = (0, import_ramda6.pickBy)(isNotEmpty, binding.filters);
+      logger_default.info(`${message} configured for ${binding.event}`, prefix);
+      logger_default.info(filteredObj, prefix);
+      logger_default.debug(cbString, prefix);
+    };
+    function Validate(validateCallback) {
+      if (registerAdmission) {
+        log("Validate Action", validateCallback.toString());
+        bindings.push({
+          ...binding,
+          isValidate: true,
+          validateCallback
+        });
+      }
+      return { Watch };
+    }
+    function Mutate(mutateCallback) {
+      if (registerAdmission) {
+        log("Mutate Action", mutateCallback.toString());
+        bindings.push({
+          ...binding,
+          isMutate: true,
+          mutateCallback
+        });
+      }
+      return { Watch, Validate };
+    }
+    function Watch(watchCallback) {
+      if (registerWatch) {
+        log("Watch Action", watchCallback.toString());
+        bindings.push({
+          ...binding,
+          isWatch: true,
+          watchCallback
+        });
+      }
+    }
+    function InNamespace(...namespaces) {
+      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
+      binding.filters.namespaces.push(...namespaces);
+      return { ...commonChain, WithName };
+    }
+    function WithName(name) {
+      logger_default.debug(`Add name filter ${name}`, prefix);
+      binding.filters.name = name;
+      return commonChain;
+    }
+    function WithLabel(key, value = "") {
+      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
+      binding.filters.labels[key] = value;
+      return commonChain;
+    }
+    function WithAnnotation(key, value = "") {
+      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
+      binding.filters.annotations[key] = value;
+      return commonChain;
+    }
+    function bindEvent(event) {
+      binding.event = event;
+      return {
+        ...commonChain,
+        InNamespace,
+        WithName
+      };
+    }
+    return {
+      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
+      IsCreated: () => bindEvent("CREATE" /* Create */),
+      IsUpdated: () => bindEvent("UPDATE" /* Update */),
+      IsDeleted: () => bindEvent("DELETE" /* Delete */)
+    };
+  };
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   Capability,
+  K8s,
   Log,
   PeprModule,
   PeprMutateRequest,
@@ -1573,8 +1251,7 @@ var PeprModule = class {
   RegisterKind,
   a,
   fetch,
-  fetchRaw,
   fetchStatus,
-  k8s
+  kind
 });
 //# sourceMappingURL=lib.js.map