pepr 0.31.1 → 0.32.1

package/dist/lib.js

@@ -1,1794 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/lib.ts
-var lib_exports = {};
-__export(lib_exports, {
-  Capability: () => Capability,
-  K8s: () => import_kubernetes_fluent_client7.K8s,
-  Log: () => logger_default,
-  PeprModule: () => PeprModule,
-  PeprMutateRequest: () => PeprMutateRequest,
-  PeprUtils: () => utils_exports,
-  PeprValidateRequest: () => PeprValidateRequest,
-  R: () => R,
-  RegisterKind: () => import_kubernetes_fluent_client7.RegisterKind,
-  a: () => import_kubernetes_fluent_client7.kind,
-  fetch: () => import_kubernetes_fluent_client7.fetch,
-  fetchStatus: () => import_kubernetes_fluent_client7.fetchStatus,
-  kind: () => import_kubernetes_fluent_client7.kind,
-  sdk: () => sdk_exports
-});
-module.exports = __toCommonJS(lib_exports);
-var import_kubernetes_fluent_client7 = require("kubernetes-fluent-client");
-var R = __toESM(require("ramda"));
-
-// src/lib/capability.ts
-var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
-var import_ramda6 = require("ramda");
-
-// src/lib/logger.ts
-var import_pino = require("pino");
-var isPrettyLog = process.env.PEPR_PRETTY_LOGS === "true";
-var pretty = {
-  target: "pino-pretty",
-  options: {
-    colorize: true
-  }
-};
-var transport = isPrettyLog ? pretty : void 0;
-var pinoTimeFunction = process.env.PINO_TIME_STAMP === "iso" ? () => import_pino.stdTimeFunctions.isoTime() : () => import_pino.stdTimeFunctions.epochTime();
-var Log = (0, import_pino.pino)({
-  transport,
-  timestamp: pinoTimeFunction
-});
-if (process.env.LOG_LEVEL) {
-  Log.level = process.env.LOG_LEVEL;
-}
-var logger_default = Log;
-
-// src/lib/module.ts
-var import_ramda4 = require("ramda");
-
-// src/lib/controller/index.ts
-var import_express = __toESM(require("express"));
-var import_fs = __toESM(require("fs"));
-var import_https = __toESM(require("https"));
-
-// src/lib/metrics.ts
-var import_perf_hooks = require("perf_hooks");
-var import_prom_client = __toESM(require("prom-client"));
-var loggingPrefix = "MetricsCollector";
-var MetricsCollector = class {
-  #registry;
-  #counters = /* @__PURE__ */ new Map();
-  #summaries = /* @__PURE__ */ new Map();
-  #prefix;
-  #metricNames = {
-    errors: "errors",
-    alerts: "alerts",
-    mutate: "Mutate",
-    validate: "Validate"
-  };
-  /**
-   * Creates a MetricsCollector instance with prefixed metrics.
-   * @param [prefix='pepr'] - The prefix for the metric names.
-   */
-  constructor(prefix = "pepr") {
-    this.#registry = new import_prom_client.Registry();
-    this.#prefix = prefix;
-    this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
-    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
-    this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
-    this.addSummary(this.#metricNames.validate, "Validation operation summary");
-  }
-  #getMetricName = (name) => `${this.#prefix}_${name}`;
-  #addMetric = (collection, MetricType, name, help) => {
-    if (collection.has(this.#getMetricName(name))) {
-      logger_default.debug(`Metric for ${name} already exists`, loggingPrefix);
-      return;
-    }
-    const metric = new MetricType({
-      name: this.#getMetricName(name),
-      help,
-      registers: [this.#registry]
-    });
-    collection.set(this.#getMetricName(name), metric);
-  };
-  addCounter = (name, help) => {
-    this.#addMetric(this.#counters, import_prom_client.default.Counter, name, help);
-  };
-  addSummary = (name, help) => {
-    this.#addMetric(this.#summaries, import_prom_client.default.Summary, name, help);
-  };
-  incCounter = (name) => {
-    this.#counters.get(this.#getMetricName(name))?.inc();
-  };
-  /**
-   * Increments the error counter.
-   */
-  error = () => this.incCounter(this.#metricNames.errors);
-  /**
-   * Increments the alerts counter.
-   */
-  alert = () => this.incCounter(this.#metricNames.alerts);
-  /**
-   * Observes the duration since the provided start time and updates the summary.
-   * @param startTime - The start time.
-   * @param name - The metrics summary to increment.
-   */
-  observeEnd = (startTime, name = this.#metricNames.mutate) => {
-    this.#summaries.get(this.#getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
-  };
-  /**
-   * Fetches the current metrics from the registry.
-   * @returns The metrics.
-   */
-  getMetrics = () => this.#registry.metrics();
-  /**
-   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
-   * @returns The timestamp.
-   */
-  static observeStart() {
-    return import_perf_hooks.performance.now();
-  }
-};
-
-// src/lib/mutate-processor.ts
-var import_fast_json_patch = __toESM(require("fast-json-patch"));
-
-// src/lib/errors.ts
-var Errors = {
-  audit: "audit",
-  ignore: "ignore",
-  reject: "reject"
-};
-var ErrorList = Object.values(Errors);
-function ValidateError(error = "") {
-  if (!ErrorList.includes(error)) {
-    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
-  }
-}
-
-// src/lib/k8s.ts
-var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
-var PeprStore = class extends import_kubernetes_fluent_client.GenericKind {
-};
-var peprStoreGVK = {
-  kind: "PeprStore",
-  version: "v1",
-  group: "pepr.dev"
-};
-(0, import_kubernetes_fluent_client.RegisterKind)(PeprStore, peprStoreGVK);
-
-// src/lib/filter.ts
-function shouldSkipRequest(binding, req, capabilityNamespaces) {
-  const { group, kind: kind4, version } = binding.kind || {};
-  const { namespaces, labels, annotations, name } = binding.filters || {};
-  const operation = req.operation.toUpperCase();
-  const uid = req.uid;
-  const srcObject = operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
-  const { metadata } = srcObject || {};
-  const combinedNamespaces = [...namespaces, ...capabilityNamespaces];
-  if (!binding.event.includes(operation) && !binding.event.includes("*" /* Any */)) {
-    return true;
-  }
-  if (name && name !== req.name) {
-    return true;
-  }
-  if (kind4 !== req.kind.kind) {
-    return true;
-  }
-  if (group && group !== req.kind.group) {
-    return true;
-  }
-  if (version && version !== req.kind.version) {
-    return true;
-  }
-  if (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "") || !namespaces.includes(req.namespace || "") && capabilityNamespaces.length !== 0 && namespaces.length !== 0) {
-    let type = "";
-    let label = "";
-    if (binding.isMutate) {
-      type = "Mutate";
-      label = binding.mutateCallback.name;
-    } else if (binding.isValidate) {
-      type = "Validate";
-      label = binding.validateCallback.name;
-    } else if (binding.isWatch) {
-      type = "Watch";
-      label = binding.watchCallback.name;
-    }
-    logger_default.debug({ uid }, `${type} binding (${label}) does not match request namespace "${req.namespace}"`);
-    return true;
-  }
-  for (const [key, value] of Object.entries(labels)) {
-    const testKey = metadata?.labels?.[key];
-    if (!testKey) {
-      logger_default.debug({ uid }, `Label ${key} does not exist`);
-      return true;
-    }
-    if (value && testKey !== value) {
-      logger_default.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-  for (const [key, value] of Object.entries(annotations)) {
-    const testKey = metadata?.annotations?.[key];
-    if (!testKey) {
-      logger_default.debug({ uid }, `Annotation ${key} does not exist`);
-      return true;
-    }
-    if (value && testKey !== value) {
-      logger_default.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-  return false;
-}
-
-// src/lib/mutate-request.ts
-var import_ramda = require("ramda");
-var PeprMutateRequest = class {
-  Raw;
-  #input;
-  get PermitSideEffects() {
-    return !this.#input.dryRun;
-  }
-  /**
-   * Indicates whether the request is a dry run.
-   * @returns true if the request is a dry run, false otherwise.
-   */
-  get IsDryRun() {
-    return this.#input.dryRun;
-  }
-  /**
-   * Provides access to the old resource in the request if available.
-   * @returns The old Kubernetes resource object or null if not available.
-   */
-  get OldResource() {
-    return this.#input.oldObject;
-  }
-  /**
-   * Provides access to the request object.
-   * @returns The request object containing the Kubernetes resource.
-   */
-  get Request() {
-    return this.#input;
-  }
-  /**
-   * Creates a new instance of the action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
-  constructor(input) {
-    this.#input = input;
-    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda.clone)(input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda.clone)(input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.RawP");
-    }
-  }
-  /**
-   * Deep merges the provided object with the current resource.
-   *
-   * @param obj - The object to merge with the current resource.
-   */
-  Merge = (obj) => {
-    this.Raw = (0, import_ramda.mergeDeepRight)(this.Raw, obj);
-  };
-  /**
-   * Updates a label on the Kubernetes resource.
-   * @param key - The key of the label to update.
-   * @param value - The value of the label.
-   * @returns The current action instance for method chaining.
-   */
-  SetLabel = (key, value) => {
-    const ref = this.Raw;
-    ref.metadata = ref.metadata ?? {};
-    ref.metadata.labels = ref.metadata.labels ?? {};
-    ref.metadata.labels[key] = value;
-    return this;
-  };
-  /**
-   * Updates an annotation on the Kubernetes resource.
-   * @param key - The key of the annotation to update.
-   * @param value - The value of the annotation.
-   * @returns The current action instance for method chaining.
-   */
-  SetAnnotation = (key, value) => {
-    const ref = this.Raw;
-    ref.metadata = ref.metadata ?? {};
-    ref.metadata.annotations = ref.metadata.annotations ?? {};
-    ref.metadata.annotations[key] = value;
-    return this;
-  };
-  /**
-   * Removes a label from the Kubernetes resource.
-   * @param key - The key of the label to remove.
-   * @returns The current Action instance for method chaining.
-   */
-  RemoveLabel = (key) => {
-    if (this.Raw.metadata?.labels?.[key]) {
-      delete this.Raw.metadata.labels[key];
-    }
-    return this;
-  };
-  /**
-   * Removes an annotation from the Kubernetes resource.
-   * @param key - The key of the annotation to remove.
-   * @returns The current Action instance for method chaining.
-   */
-  RemoveAnnotation = (key) => {
-    if (this.Raw.metadata?.annotations?.[key]) {
-      delete this.Raw.metadata.annotations[key];
-    }
-    return this;
-  };
-  /**
-   * Check if a label exists on the Kubernetes resource.
-   *
-   * @param key the label key to check
-   * @returns
-   */
-  HasLabel = (key) => {
-    return this.Raw.metadata?.labels?.[key] !== void 0;
-  };
-  /**
-   * Check if an annotation exists on the Kubernetes resource.
-   *
-   * @param key the annotation key to check
-   * @returns
-   */
-  HasAnnotation = (key) => {
-    return this.Raw.metadata?.annotations?.[key] !== void 0;
-  };
-};
-
-// src/lib/utils.ts
-var utils_exports = {};
-__export(utils_exports, {
-  base64Decode: () => base64Decode,
-  base64Encode: () => base64Encode,
-  convertFromBase64Map: () => convertFromBase64Map,
-  convertToBase64Map: () => convertToBase64Map,
-  isAscii: () => isAscii
-});
-var isAscii = /^[\s\x20-\x7E]*$/;
-function convertToBase64Map(obj, skip) {
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    const value = obj.data[key];
-    obj.data[key] = skip.includes(key) ? value : base64Encode(value);
-  }
-}
-function convertFromBase64Map(obj) {
-  const skip = [];
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    if (obj.data[key] == void 0) {
-      obj.data[key] = "";
-    } else {
-      const decoded = base64Decode(obj.data[key]);
-      if (isAscii.test(decoded)) {
-        obj.data[key] = decoded;
-      } else {
-        skip.push(key);
-      }
-    }
-  }
-  logger_default.debug(`Non-ascii data detected in keys: ${skip}, skipping automatic base64 decoding`);
-  return skip;
-}
-function base64Decode(data) {
-  return Buffer.from(data, "base64").toString("utf-8");
-}
-function base64Encode(data) {
-  return Buffer.from(data).toString("base64");
-}
-
-// src/lib/mutate-processor.ts
-async function mutateProcessor(config, capabilities, req, reqMetadata) {
-  const wrapped = new PeprMutateRequest(req);
-  const response = {
-    uid: req.uid,
-    warnings: [],
-    allowed: false
-  };
-  let matchedAction = false;
-  let skipDecode = [];
-  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
-  if (isSecret) {
-    skipDecode = convertFromBase64Map(wrapped.Raw);
-  }
-  logger_default.info(reqMetadata, `Processing request`);
-  for (const { name, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name };
-    for (const action of bindings) {
-      if (!action.mutateCallback) {
-        continue;
-      }
-      if (shouldSkipRequest(action, req, namespaces)) {
-        continue;
-      }
-      const label = action.mutateCallback.name;
-      logger_default.info(actionMetadata, `Processing mutation action (${label})`);
-      matchedAction = true;
-      const updateStatus = (status) => {
-        if (req.operation == "DELETE") {
-          return;
-        }
-        const identifier = `${config.uuid}.pepr.dev/${name}`;
-        wrapped.Raw.metadata = wrapped.Raw.metadata || {};
-        wrapped.Raw.metadata.annotations = wrapped.Raw.metadata.annotations || {};
-        wrapped.Raw.metadata.annotations[identifier] = status;
-      };
-      updateStatus("started");
-      try {
-        await action.mutateCallback(wrapped);
-        logger_default.info(actionMetadata, `Mutation action succeeded (${label})`);
-        updateStatus("succeeded");
-      } catch (e) {
-        logger_default.warn(actionMetadata, `Action failed: ${e}`);
-        updateStatus("warning");
-        response.warnings = response.warnings || [];
-        response.warnings.push(`Action failed: ${e}`);
-        switch (config.onError) {
-          case Errors.reject:
-            logger_default.error(actionMetadata, `Action failed: ${e}`);
-            response.result = "Pepr module configured to reject on error";
-            return response;
-          case Errors.audit:
-            response.auditAnnotations = response.auditAnnotations || {};
-            response.auditAnnotations[Date.now()] = e;
-            break;
-        }
-      }
-    }
-  }
-  response.allowed = true;
-  if (!matchedAction) {
-    logger_default.info(reqMetadata, `No matching actions found`);
-    return response;
-  }
-  if (req.operation == "DELETE") {
-    return response;
-  }
-  const transformed = wrapped.Raw;
-  if (isSecret) {
-    convertToBase64Map(transformed, skipDecode);
-  }
-  const patches = import_fast_json_patch.default.compare(req.object, transformed);
-  if (patches.length > 0) {
-    response.patchType = "JSONPatch";
-    response.patch = base64Encode(JSON.stringify(patches));
-  }
-  if (response.warnings && response.warnings.length < 1) {
-    delete response.warnings;
-  }
-  logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
-  return response;
-}
-
-// src/lib/validate-request.ts
-var import_ramda2 = require("ramda");
-var PeprValidateRequest = class {
-  Raw;
-  #input;
-  /**
-   * Provides access to the old resource in the request if available.
-   * @returns The old Kubernetes resource object or null if not available.
-   */
-  get OldResource() {
-    return this.#input.oldObject;
-  }
-  /**
-   * Provides access to the request object.
-   * @returns The request object containing the Kubernetes resource.
-   */
-  get Request() {
-    return this.#input;
-  }
-  /**
-   * Creates a new instance of the Action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
-  constructor(input) {
-    this.#input = input;
-    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda2.clone)(input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda2.clone)(input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.Raw");
-    }
-  }
-  /**
-   * Check if a label exists on the Kubernetes resource.
-   *
-   * @param key the label key to check
-   * @returns
-   */
-  HasLabel = (key) => {
-    return this.Raw.metadata?.labels?.[key] !== void 0;
-  };
-  /**
-   * Check if an annotation exists on the Kubernetes resource.
-   *
-   * @param key the annotation key to check
-   * @returns
-   */
-  HasAnnotation = (key) => {
-    return this.Raw.metadata?.annotations?.[key] !== void 0;
-  };
-  /**
-   * Create a validation response that allows the request.
-   *
-   * @returns The validation response.
-   */
-  Approve = () => {
-    return {
-      allowed: true
-    };
-  };
-  /**
-   * Create a validation response that denies the request.
-   *
-   * @param statusMessage Optional status message to return to the user.
-   * @param statusCode Optional status code to return to the user.
-   * @returns The validation response.
-   */
-  Deny = (statusMessage, statusCode) => {
-    return {
-      allowed: false,
-      statusCode,
-      statusMessage
-    };
-  };
-};
-
-// src/lib/validate-processor.ts
-async function validateProcessor(capabilities, req, reqMetadata) {
-  const wrapped = new PeprValidateRequest(req);
-  const response = [];
-  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
-  if (isSecret) {
-    convertFromBase64Map(wrapped.Raw);
-  }
-  logger_default.info(reqMetadata, `Processing validation request`);
-  for (const { name, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name };
-    for (const action of bindings) {
-      if (!action.validateCallback) {
-        continue;
-      }
-      const localResponse = {
-        uid: req.uid,
-        allowed: true
-        // Assume it's allowed until a validation check fails
-      };
-      if (shouldSkipRequest(action, req, namespaces)) {
-        continue;
-      }
-      const label = action.validateCallback.name;
-      logger_default.info(actionMetadata, `Processing validation action (${label})`);
-      try {
-        const resp = await action.validateCallback(wrapped);
-        localResponse.allowed = resp.allowed;
-        if (resp.statusCode || resp.statusMessage) {
-          localResponse.status = {
-            code: resp.statusCode || 400,
-            message: resp.statusMessage || `Validation failed for ${name}`
-          };
-        }
-        logger_default.info(actionMetadata, `Validation action complete (${label}): ${resp.allowed ? "allowed" : "denied"}`);
-      } catch (e) {
-        logger_default.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
-        localResponse.allowed = false;
-        localResponse.status = {
-          code: 500,
-          message: `Action failed with error: ${JSON.stringify(e)}`
-        };
-        return [localResponse];
-      }
-      response.push(localResponse);
-    }
-  }
-  return response;
-}
-
-// src/lib/controller/store.ts
-var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
-var import_ramda3 = require("ramda");
-var namespace = "pepr-system";
-var debounceBackoff = 5e3;
-var PeprControllerStore = class {
-  #name;
-  #stores = {};
-  #sendDebounce;
-  #onReady;
-  constructor(capabilities, name, onReady) {
-    this.#onReady = onReady;
-    this.#name = name;
-    if (name.includes("schedule")) {
-      for (const { name: name2, registerScheduleStore, hasSchedule } of capabilities) {
-        if (hasSchedule !== true) {
-          continue;
-        }
-        const { scheduleStore } = registerScheduleStore();
-        scheduleStore.registerSender(this.#send(name2));
-        this.#stores[name2] = scheduleStore;
-      }
-    } else {
-      for (const { name: name2, registerStore } of capabilities) {
-        const { store } = registerStore();
-        store.registerSender(this.#send(name2));
-        this.#stores[name2] = store;
-      }
-    }
-    setTimeout(
-      () => (0, import_kubernetes_fluent_client2.K8s)(PeprStore).InNamespace(namespace).Get(this.#name).then(this.#setupWatch).catch(this.#createStoreResource),
-      Math.random() * 3e3
-    );
-  }
-  #setupWatch = () => {
-    const watcher = (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { name: this.#name, namespace }).Watch(this.#receive);
-    watcher.start().catch((e) => logger_default.error(e, "Error starting Pepr store watch"));
-  };
-  #receive = (store) => {
-    logger_default.debug(store, "Pepr Store update");
-    const debounced = () => {
-      const data = store.data || {};
-      for (const name of Object.keys(this.#stores)) {
-        const offset = `${name}-`.length;
-        const filtered = {};
-        for (const key of Object.keys(data)) {
-          if ((0, import_ramda3.startsWith)(name, key)) {
-            filtered[key.slice(offset)] = data[key];
-          }
-        }
-        this.#stores[name].receive(filtered);
-      }
-      if (this.#onReady) {
-        this.#onReady();
-        this.#onReady = void 0;
-      }
-    };
-    clearTimeout(this.#sendDebounce);
-    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoff);
-  };
-  #send = (capabilityName) => {
-    const sendCache = {};
-    const fillCache = (op, key, val) => {
-      if (op === "add") {
-        const path = `/data/${capabilityName}-${key}`;
-        const value = val || "";
-        const cacheIdx = [op, path, value].join(":");
-        sendCache[cacheIdx] = { op, path, value };
-        return;
-      }
-      if (op === "remove") {
-        if (key.length < 1) {
-          throw new Error(`Key is required for REMOVE operation`);
-        }
-        for (const k of key) {
-          const path = `/data/${capabilityName}-${k}`;
-          const cacheIdx = [op, path].join(":");
-          sendCache[cacheIdx] = { op, path };
-        }
-        return;
-      }
-      throw new Error(`Unsupported operation: ${op}`);
-    };
-    const flushCache = async () => {
-      const indexes = Object.keys(sendCache);
-      const payload = Object.values(sendCache);
-      for (const idx of indexes) {
-        delete sendCache[idx];
-      }
-      try {
-        await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
-      } catch (err) {
-        logger_default.error(err, "Pepr store update failure");
-        for (const idx of indexes) {
-          sendCache[idx] = payload[Number(idx)];
-        }
-      }
-    };
-    const sender = async (op, key, val) => {
-      fillCache(op, key, val);
-    };
-    setInterval(() => {
-      if (Object.keys(sendCache).length > 0) {
-        logger_default.debug(sendCache, "Sending updates to Pepr store");
-        void flushCache();
-      }
-    }, debounceBackoff);
-    return sender;
-  };
-  #createStoreResource = async (e) => {
-    logger_default.info(`Pepr store not found, creating...`);
-    logger_default.debug(e);
-    try {
-      await (0, import_kubernetes_fluent_client2.K8s)(PeprStore).Apply({
-        metadata: {
-          name: this.#name,
-          namespace
-        },
-        data: {
-          // JSON Patch will die if the data is empty, so we need to add a placeholder
-          __pepr_do_not_delete__: "k-thx-bye"
-        }
-      });
-      this.#setupWatch();
-    } catch (err) {
-      logger_default.error(err, "Failed to create Pepr store");
-    }
-  };
-};
-
-// src/lib/controller/index.ts
-var Controller = class _Controller {
-  // Track whether the server is running
-  #running = false;
-  // Metrics collector
-  #metricsCollector = new MetricsCollector("pepr");
-  // The token used to authenticate requests
-  #token = "";
-  // The express app instance
-  #app = (0, import_express.default)();
-  // Initialized with the constructor
-  #config;
-  #capabilities;
-  #beforeHook;
-  #afterHook;
-  constructor(config, capabilities, beforeHook, afterHook, onReady) {
-    this.#config = config;
-    this.#capabilities = capabilities;
-    new PeprControllerStore(capabilities, `pepr-${config.uuid}-store`, () => {
-      this.#bindEndpoints();
-      onReady && onReady();
-      logger_default.info("\u2705 Controller startup complete");
-      new PeprControllerStore(capabilities, `pepr-${config.uuid}-schedule`, () => {
-        logger_default.info("\u2705 Scheduling processed");
-      });
-    });
-    this.#app.use(_Controller.#logger);
-    this.#app.use(import_express.default.json({ limit: "2mb" }));
-    if (beforeHook) {
-      logger_default.info(`Using beforeHook: ${beforeHook}`);
-      this.#beforeHook = beforeHook;
-    }
-    if (afterHook) {
-      logger_default.info(`Using afterHook: ${afterHook}`);
-      this.#afterHook = afterHook;
-    }
-  }
-  /** Start the webhook server */
-  startServer = (port) => {
-    if (this.#running) {
-      throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
-    }
-    const options = {
-      key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
-      cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
-    };
-    if (!isWatchMode()) {
-      this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
-      logger_default.info(`Using API token: ${this.#token}`);
-      if (!this.#token) {
-        throw new Error("API token not found");
-      }
-    }
-    const server = import_https.default.createServer(options, this.#app).listen(port);
-    server.on("listening", () => {
-      logger_default.info(`Server listening on port ${port}`);
-      this.#running = true;
-    });
-    server.on("error", (e) => {
-      if (e.code === "EADDRINUSE") {
-        logger_default.warn(
-          `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
-        );
-        setTimeout(() => {
-          server.close();
-          server.listen(port);
-        }, 2e3);
-      }
-    });
-    process.on("SIGTERM", () => {
-      logger_default.info("Received SIGTERM, closing server");
-      server.close(() => {
-        logger_default.info("Server closed");
-        process.exit(0);
-      });
-    });
-  };
-  #bindEndpoints = () => {
-    this.#app.get("/healthz", _Controller.#healthz);
-    this.#app.get("/metrics", this.#metrics);
-    if (isWatchMode()) {
-      return;
-    }
-    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
-    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
-    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
-  };
-  /**
-   * Validate the token in the request path
-   *
-   * @param req The incoming request
-   * @param res The outgoing response
-   * @param next The next middleware function
-   * @returns
-   */
-  #validateToken = (req, res, next) => {
-    const { token } = req.params;
-    if (token !== this.#token) {
-      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
-      logger_default.warn(err);
-      res.status(401).send(err);
-      this.#metricsCollector.alert();
-      return;
-    }
-    next();
-  };
-  /**
-   * Metrics endpoint handler
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   */
-  #metrics = async (req, res) => {
-    try {
-      res.send(await this.#metricsCollector.getMetrics());
-    } catch (err) {
-      logger_default.error(err);
-      res.status(500).send("Internal Server Error");
-    }
-  };
-  /**
-   * Admission request handler for both mutate and validate requests
-   *
-   * @param admissionKind the type of admission request
-   * @returns the request handler
-   */
-  #admissionReq = (admissionKind) => {
-    return async (req, res) => {
-      const startTime = MetricsCollector.observeStart();
-      try {
-        const request = req.body?.request || {};
-        this.#beforeHook && this.#beforeHook(request || {});
-        const name = request?.name ? `/${request.name}` : "";
-        const namespace2 = request?.namespace || "";
-        const gvk = request?.kind || { group: "", version: "", kind: "" };
-        const reqMetadata = {
-          uid: request.uid,
-          namespace: namespace2,
-          name
-        };
-        logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
-        logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
-        let response;
-        if (admissionKind === "Mutate") {
-          response = await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata);
-        } else {
-          response = await validateProcessor(this.#capabilities, request, reqMetadata);
-        }
-        const responseList = Array.isArray(response) ? response : [response];
-        responseList.map((res2) => {
-          this.#afterHook && this.#afterHook(res2);
-          logger_default.info({ ...reqMetadata, res: res2 }, "Check response");
-        });
-        let kubeAdmissionResponse;
-        if (admissionKind === "Mutate") {
-          kubeAdmissionResponse = response;
-          logger_default.debug({ ...reqMetadata, response }, "Outgoing response");
-          res.send({
-            apiVersion: "admission.k8s.io/v1",
-            kind: "AdmissionReview",
-            response: kubeAdmissionResponse
-          });
-        } else {
-          kubeAdmissionResponse = responseList.length === 0 ? {
-            uid: request.uid,
-            allowed: true,
-            status: { message: "no in-scope validations -- allowed!" }
-          } : {
-            uid: responseList[0].uid,
-            allowed: responseList.filter((r) => !r.allowed).length === 0,
-            status: {
-              message: responseList.filter((rl) => !rl.allowed).map((curr) => curr.status?.message).join("; ")
-            }
-          };
-          res.send({
-            apiVersion: "admission.k8s.io/v1",
-            kind: "AdmissionReview",
-            response: kubeAdmissionResponse
-          });
-        }
-        logger_default.debug({ ...reqMetadata, kubeAdmissionResponse }, "Outgoing response");
-        this.#metricsCollector.observeEnd(startTime, admissionKind);
-      } catch (err) {
-        logger_default.error(err);
-        res.status(500).send("Internal Server Error");
-        this.#metricsCollector.error();
-      }
-    };
-  };
-  /**
-   * Middleware for logging requests
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   * @param next the next middleware function
-   */
-  static #logger(req, res, next) {
-    const startTime = Date.now();
-    res.on("finish", () => {
-      const elapsedTime = Date.now() - startTime;
-      const message = {
-        uid: req.body?.request?.uid,
-        method: req.method,
-        url: req.originalUrl,
-        status: res.statusCode,
-        duration: `${elapsedTime} ms`
-      };
-      res.statusCode >= 300 ? logger_default.warn(message) : logger_default.info(message);
-    });
-    next();
-  }
-  /**
-   * Health check endpoint handler
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   */
-  static #healthz(req, res) {
-    try {
-      res.send("OK");
-    } catch (err) {
-      logger_default.error(err);
-      res.status(500).send("Internal Server Error");
-    }
-  }
-};
-
-// src/lib/watch-processor.ts
-var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
-var import_types2 = require("kubernetes-fluent-client/dist/fluent/types");
-
-// src/lib/helpers.ts
-var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
-
-// src/sdk/sdk.ts
-var sdk_exports = {};
-__export(sdk_exports, {
-  containers: () => containers,
-  getOwnerRefFrom: () => getOwnerRefFrom,
-  sanitizeResourceName: () => sanitizeResourceName,
-  writeEvent: () => writeEvent
-});
-var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
-function containers(request, containerType) {
-  const containers2 = request.Raw.spec?.containers || [];
-  const initContainers = request.Raw.spec?.initContainers || [];
-  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
-  if (containerType === "containers") {
-    return containers2;
-  }
-  if (containerType === "initContainers") {
-    return initContainers;
-  }
-  if (containerType === "ephemeralContainers") {
-    return ephemeralContainers;
-  }
-  return [...containers2, ...initContainers, ...ephemeralContainers];
-}
-async function writeEvent(cr, event, eventType, eventReason, reportingComponent, reportingInstance) {
-  logger_default.debug(cr.metadata, `Writing event: ${event.message}`);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CoreEvent).Create({
-    type: eventType,
-    reason: eventReason,
-    ...event,
-    // Fixed values
-    metadata: {
-      namespace: cr.metadata.namespace,
-      generateName: cr.metadata.name
-    },
-    involvedObject: {
-      apiVersion: cr.apiVersion,
-      kind: cr.kind,
-      name: cr.metadata.name,
-      namespace: cr.metadata.namespace,
-      uid: cr.metadata.uid
-    },
-    firstTimestamp: /* @__PURE__ */ new Date(),
-    reportingComponent,
-    reportingInstance
-  });
-}
-function getOwnerRefFrom(cr) {
-  const { name, uid } = cr.metadata;
-  return [
-    {
-      apiVersion: cr.apiVersion,
-      kind: cr.kind,
-      uid,
-      name
-    }
-  ];
-}
-function sanitizeResourceName(name) {
-  return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
-}
-
-// src/lib/helpers.ts
-function checkOverlap(bindingFilters, objectFilters) {
-  if (Object.keys(bindingFilters).length === 0) {
-    return true;
-  }
-  let matchCount = 0;
-  for (const key in bindingFilters) {
-    if (Object.prototype.hasOwnProperty.call(objectFilters, key)) {
-      const val1 = bindingFilters[key];
-      const val2 = objectFilters[key];
-      if (val1 === "" && key in objectFilters) {
-        matchCount++;
-      } else if (val1 !== "" && val1 === val2) {
-        matchCount++;
-      }
-    }
-  }
-  return matchCount === Object.keys(bindingFilters).length;
-}
-function filterNoMatchReason(binding, obj, capabilityNamespaces) {
-  if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
-    return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
-  }
-  if (typeof obj === "object" && obj !== null && "metadata" in obj && obj.metadata !== void 0 && binding.filters) {
-    if (obj.metadata.labels && !checkOverlap(binding.filters.labels, obj.metadata.labels)) {
-      return `Ignoring Watch Callback: No overlap between binding and object labels. Binding labels ${JSON.stringify(
-        binding.filters.labels
-      )}, Object Labels ${JSON.stringify(obj.metadata.labels)}.`;
-    }
-    if (obj.metadata.annotations && !checkOverlap(binding.filters.annotations, obj.metadata.annotations)) {
-      return `Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations ${JSON.stringify(
-        binding.filters.annotations
-      )}, Object annotations ${JSON.stringify(obj.metadata.annotations)}.`;
-    }
-  }
-  if (Array.isArray(capabilityNamespaces) && capabilityNamespaces.length > 0 && obj.metadata && obj.metadata.namespace && !capabilityNamespaces.includes(obj.metadata.namespace)) {
-    return `Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ${capabilityNamespaces.join(
-      ", "
-    )}, Object namespace: ${obj.metadata.namespace}.`;
-  }
-  if (Array.isArray(capabilityNamespaces) && capabilityNamespaces.length > 0 && binding.filters && Array.isArray(binding.filters.namespaces) && binding.filters.namespaces.length > 0 && !binding.filters.namespaces.every((ns) => capabilityNamespaces.includes(ns))) {
-    return `Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ${capabilityNamespaces.join(
-      ", "
-    )}, Binding namespaces: ${binding.filters.namespaces.join(", ")}.`;
-  }
-  if (binding.filters && Array.isArray(binding.filters.namespaces) && binding.filters.namespaces.length > 0 && obj.metadata && obj.metadata.namespace && !binding.filters.namespaces.includes(obj.metadata.namespace)) {
-    return `Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ${binding.filters.namespaces.join(
-      ", "
-    )}, Object namespace: ${obj.metadata.namespace}.`;
-  }
-  return "";
-}
-
-// src/lib/queue.ts
-var Queue = class {
-  #queue = [];
-  #pendingPromise = false;
-  #reconcile;
-  constructor() {
-    this.#reconcile = async () => await new Promise((resolve) => resolve());
-  }
-  setReconcile(reconcile) {
-    this.#reconcile = reconcile;
-  }
-  /**
-   * Enqueue adds an item to the queue and returns a promise that resolves when the item is
-   * reconciled.
-   *
-   * @param item The object to reconcile
-   * @returns A promise that resolves when the object is reconciled
-   */
-  enqueue(item, type) {
-    logger_default.debug(`Enqueueing ${item.metadata.namespace}/${item.metadata.name}`);
-    return new Promise((resolve, reject) => {
-      this.#queue.push({ item, type, resolve, reject });
-      return this.#dequeue();
-    });
-  }
-  /**
-   * Dequeue reconciles the next item in the queue
-   *
-   * @returns A promise that resolves when the webapp is reconciled
-   */
-  async #dequeue() {
-    if (this.#pendingPromise) {
-      logger_default.debug("Pending promise, not dequeuing");
-      return false;
-    }
-    const element = this.#queue.shift();
-    if (!element) {
-      logger_default.debug("No element, not dequeuing");
-      return false;
-    }
-    try {
-      this.#pendingPromise = true;
-      if (this.#reconcile) {
-        logger_default.debug(`Reconciling ${element.item.metadata.name}`);
-        await this.#reconcile(element.item, element.type);
-      }
-      element.resolve();
-    } catch (e) {
-      logger_default.debug(`Error reconciling ${element.item.metadata.name}`, { error: e });
-      element.reject(e);
-    } finally {
-      logger_default.debug("Resetting pending promise and dequeuing");
-      this.#pendingPromise = false;
-      await this.#dequeue();
-    }
-  }
-};
-
-// src/lib/watch-processor.ts
-var watchCfg = {
-  retryMax: process.env.PEPR_RETRYMAX ? parseInt(process.env.PEPR_RETRYMAX, 10) : 5,
-  retryDelaySec: process.env.PEPR_RETRYDELAYSECONDS ? parseInt(process.env.PEPR_RETRYDELAYSECONDS, 10) : 5,
-  resyncIntervalSec: process.env.PEPR_RESYNCINTERVALSECONDS ? parseInt(process.env.PEPR_RESYNCINTERVALSECONDS, 10) : 300
-};
-var eventToPhaseMap = {
-  ["CREATE" /* Create */]: [import_types2.WatchPhase.Added],
-  ["UPDATE" /* Update */]: [import_types2.WatchPhase.Modified],
-  ["CREATEORUPDATE" /* CreateOrUpdate */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified],
-  ["DELETE" /* Delete */]: [import_types2.WatchPhase.Deleted],
-  ["*" /* Any */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified, import_types2.WatchPhase.Deleted]
-};
-function setupWatch(capabilities) {
-  capabilities.map(
-    (capability) => capability.bindings.filter((binding) => binding.isWatch).forEach((bindingElement) => runBinding(bindingElement, capability.namespaces))
-  );
-}
-async function runBinding(binding, capabilityNamespaces) {
-  const phaseMatch = eventToPhaseMap[binding.event] || eventToPhaseMap["*" /* Any */];
-  logger_default.debug({ watchCfg }, "Effective WatchConfig");
-  const watchCallback = async (obj, type) => {
-    if (phaseMatch.includes(type)) {
-      try {
-        const filterMatch = filterNoMatchReason(binding, obj, capabilityNamespaces);
-        if (filterMatch === "") {
-          await binding.watchCallback?.(obj, type);
-        } else {
-          logger_default.debug(filterMatch);
-        }
-      } catch (e) {
-        logger_default.error(e, "Error executing watch callback");
-      }
-    }
-  };
-  const queue = new Queue();
-  queue.setReconcile(watchCallback);
-  const watcher = (0, import_kubernetes_fluent_client5.K8s)(binding.model, binding.filters).Watch(async (obj, type) => {
-    logger_default.debug(obj, `Watch event ${type} received`);
-    if (binding.isQueue) {
-      await queue.enqueue(obj, type);
-    } else {
-      await watchCallback(obj, type);
-    }
-  }, watchCfg);
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => {
-    logger_default.error(err, "Watch failed after 5 attempts, giving up");
-    process.exit(1);
-  });
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client5.WatchEvent.CONNECT, url));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, err.message));
-  watcher.events.on(
-    import_kubernetes_fluent_client5.WatchEvent.RECONNECT,
-    (err, retryCount) => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT, err ? `Reconnecting after ${retryCount} attempts` : "")
-  );
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.ABORT, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, err));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
-  try {
-    await watcher.start();
-  } catch (err) {
-    logger_default.error(err, "Error starting watch");
-    process.exit(1);
-  }
-}
-function logEvent(type, message = "", obj) {
-  const logMessage = `Watch event ${type} received${message ? `. ${message}.` : "."}`;
-  if (obj) {
-    logger_default.debug(obj, logMessage);
-  } else {
-    logger_default.debug(logMessage);
-  }
-}
-
-// src/lib/module.ts
-var isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
-var isBuildMode = () => process.env.PEPR_MODE === "build";
-var isDevMode = () => process.env.PEPR_MODE === "dev";
-var PeprModule = class {
-  #controller;
-  /**
-   * Create a new Pepr runtime
-   *
-   * @param config The configuration for the Pepr runtime
-   * @param capabilities The capabilities to be loaded into the Pepr runtime
-   * @param opts Options for the Pepr runtime
-   */
-  constructor({ description, pepr }, capabilities = [], opts = {}) {
-    const config = (0, import_ramda4.clone)(pepr);
-    config.description = description;
-    ValidateError(config.onError);
-    if (isBuildMode()) {
-      if (!process.send) {
-        throw new Error("process.send is not defined");
-      }
-      const exportedCapabilities = [];
-      for (const capability of capabilities) {
-        exportedCapabilities.push({
-          name: capability.name,
-          description: capability.description,
-          namespaces: capability.namespaces,
-          bindings: capability.bindings,
-          hasSchedule: capability.hasSchedule
-        });
-      }
-      process.send(exportedCapabilities);
-      return;
-    }
-    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
-      if (isWatchMode() || isDevMode()) {
-        try {
-          setupWatch(capabilities);
-        } catch (e) {
-          logger_default.error(e, "Error setting up watch");
-          process.exit(1);
-        }
-      }
-    });
-    if (opts.deferStart) {
-      return;
-    }
-    this.start();
-  }
-  /**
-   * Start the Pepr runtime manually.
-   * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
-   *
-   * @param port
-   */
-  start = (port = 3e3) => {
-    this.#controller.startServer(port);
-  };
-};
-
-// src/lib/storage.ts
-var import_ramda5 = require("ramda");
-var MAX_WAIT_TIME = 15e3;
-var Storage = class {
-  #store = {};
-  #send;
-  #subscribers = {};
-  #subscriberId = 0;
-  #readyHandlers = [];
-  registerSender = (send) => {
-    this.#send = send;
-  };
-  receive = (data) => {
-    logger_default.debug(data, `Pepr store data received`);
-    this.#store = data || {};
-    this.#onReady();
-    for (const idx in this.#subscribers) {
-      this.#subscribers[idx]((0, import_ramda5.clone)(this.#store));
-    }
-  };
-  getItem = (key) => {
-    return this.#store[key] || null;
-  };
-  clear = () => {
-    this.#dispatchUpdate("remove", Object.keys(this.#store));
-  };
-  removeItem = (key) => {
-    this.#dispatchUpdate("remove", [key]);
-  };
-  setItem = (key, value) => {
-    this.#dispatchUpdate("add", [key], value);
-  };
-  /**
-   * Creates a promise and subscribes to the store, the promise resolves when
-   * the key and value are seen in the store.
-   *
-   * @param key - The key to add into the store
-   * @param value - The value of the key
-   * @returns
-   */
-  setItemAndWait = (key, value) => {
-    this.#dispatchUpdate("add", [key], value);
-    return new Promise((resolve, reject) => {
-      const unsubscribe = this.subscribe((data) => {
-        if (data[key] === value) {
-          unsubscribe();
-          resolve();
-        }
-      });
-      setTimeout(() => {
-        unsubscribe();
-        return reject();
-      }, MAX_WAIT_TIME);
-    });
-  };
-  /**
-   * Creates a promise and subscribes to the store, the promise resolves when
-   * the key is removed from the store.
-   *
-   * @param key - The key to add into the store
-   * @returns
-   */
-  removeItemAndWait = (key) => {
-    this.#dispatchUpdate("remove", [key]);
-    return new Promise((resolve, reject) => {
-      const unsubscribe = this.subscribe((data) => {
-        if (!Object.hasOwn(data, key)) {
-          unsubscribe();
-          resolve();
-        }
-      });
-      setTimeout(() => {
-        unsubscribe();
-        return reject();
-      }, MAX_WAIT_TIME);
-    });
-  };
-  subscribe = (subscriber) => {
-    const idx = this.#subscriberId++;
-    this.#subscribers[idx] = subscriber;
-    return () => this.unsubscribe(idx);
-  };
-  onReady = (callback) => {
-    this.#readyHandlers.push(callback);
-  };
-  /**
-   * Remove a subscriber from the list of subscribers.
-   * @param idx - The index of the subscriber to remove.
-   */
-  unsubscribe = (idx) => {
-    delete this.#subscribers[idx];
-  };
-  #onReady = () => {
-    for (const handler of this.#readyHandlers) {
-      handler((0, import_ramda5.clone)(this.#store));
-    }
-    this.#onReady = () => {
-    };
-  };
-  /**
-   * Dispatch an update to the store and notify all subscribers.
-   * @param  op - The type of operation to perform.
-   * @param  keys - The keys to update.
-   * @param  [value] - The new value.
-   */
-  #dispatchUpdate = (op, keys, value) => {
-    this.#send(op, keys, value);
-  };
-};
-
-// src/lib/schedule.ts
-var OnSchedule = class {
-  intervalId = null;
-  store;
-  name;
-  completions;
-  every;
-  unit;
-  run;
-  startTime;
-  duration;
-  lastTimestamp;
-  constructor(schedule) {
-    this.name = schedule.name;
-    this.run = schedule.run;
-    this.every = schedule.every;
-    this.unit = schedule.unit;
-    this.startTime = schedule?.startTime;
-    this.completions = schedule?.completions;
-  }
-  setStore(store) {
-    this.store = store;
-    this.startInterval();
-  }
-  startInterval() {
-    this.checkStore();
-    this.getDuration();
-    this.setupInterval();
-  }
-  /**
-   * Checks the store for this schedule and sets the values if it exists
-   * @returns
-   */
-  checkStore() {
-    const result = this.store && this.store.getItem(this.name);
-    if (result) {
-      const storedSchedule = JSON.parse(result);
-      this.completions = storedSchedule?.completions;
-      this.startTime = storedSchedule?.startTime;
-      this.lastTimestamp = storedSchedule?.lastTimestamp;
-    }
-  }
-  /**
-   * Saves the schedule to the store
-   * @returns
-   */
-  saveToStore() {
-    const schedule = {
-      completions: this.completions,
-      startTime: this.startTime,
-      lastTimestamp: /* @__PURE__ */ new Date(),
-      name: this.name
-    };
-    this.store && this.store.setItem(this.name, JSON.stringify(schedule));
-  }
-  /**
-   * Gets the durations in milliseconds
-   */
-  getDuration() {
-    switch (this.unit) {
-      case "seconds":
-        if (this.every < 10)
-          throw new Error("10 Seconds in the smallest interval allowed");
-        this.duration = 1e3 * this.every;
-        break;
-      case "minutes":
-      case "minute":
-        this.duration = 1e3 * 60 * this.every;
-        break;
-      case "hours":
-      case "hour":
-        this.duration = 1e3 * 60 * 60 * this.every;
-        break;
-      default:
-        throw new Error("Invalid time unit");
-    }
-  }
-  /**
-   * Sets up the interval
-   */
-  setupInterval() {
-    const now = /* @__PURE__ */ new Date();
-    let delay;
-    if (this.lastTimestamp && this.startTime) {
-      this.startTime = void 0;
-    }
-    if (this.startTime) {
-      delay = this.startTime.getTime() - now.getTime();
-    } else if (this.lastTimestamp && this.duration) {
-      const lastTimestamp = new Date(this.lastTimestamp);
-      delay = this.duration - (now.getTime() - lastTimestamp.getTime());
-    }
-    if (delay === void 0 || delay <= 0) {
-      this.start();
-    } else {
-      setTimeout(() => {
-        this.start();
-      }, delay);
-    }
-  }
-  /**
-   * Starts the interval
-   */
-  start() {
-    this.intervalId = setInterval(() => {
-      if (this.completions === 0) {
-        this.stop();
-        return;
-      } else {
-        this.run();
-        if (this.completions && this.completions !== 0) {
-          this.completions -= 1;
-        }
-        this.saveToStore();
-      }
-    }, this.duration);
-  }
-  /**
-   * Stops the interval
-   */
-  stop() {
-    if (this.intervalId) {
-      clearInterval(this.intervalId);
-      this.intervalId = null;
-    }
-    this.store && this.store.removeItem(this.name);
-  }
-};
-
-// src/lib/capability.ts
-var registerAdmission = isBuildMode() || !isWatchMode();
-var registerWatch = isBuildMode() || isWatchMode() || isDevMode();
-var Capability = class {
-  #name;
-  #description;
-  #namespaces;
-  #bindings = [];
-  #store = new Storage();
-  #scheduleStore = new Storage();
-  #registered = false;
-  #scheduleRegistered = false;
-  hasSchedule;
-  /**
-   * Run code on a schedule with the capability.
-   *
-   * @param schedule The schedule to run the code on
-   * @returns
-   */
-  OnSchedule = (schedule) => {
-    const { name, every, unit, run, startTime, completions } = schedule;
-    this.hasSchedule = true;
-    if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") {
-      const newSchedule = {
-        name,
-        every,
-        unit,
-        run,
-        startTime,
-        completions
-      };
-      this.#scheduleStore.onReady(() => {
-        new OnSchedule(newSchedule).setStore(this.#scheduleStore);
-      });
-    }
-  };
-  /**
-   * Store is a key-value data store that can be used to persist data that should be shared
-   * between requests. Each capability has its own store, and the data is persisted in Kubernetes
-   * in the `pepr-system` namespace.
-   *
-   * Note: You should only access the store from within an action.
-   */
-  Store = {
-    clear: this.#store.clear,
-    getItem: this.#store.getItem,
-    removeItem: this.#store.removeItem,
-    removeItemAndWait: this.#store.removeItemAndWait,
-    setItem: this.#store.setItem,
-    subscribe: this.#store.subscribe,
-    onReady: this.#store.onReady,
-    setItemAndWait: this.#store.setItemAndWait
-  };
-  /**
-   * ScheduleStore is a key-value data store used to persist schedule data that should be shared
-   * between intervals. Each Schedule shares store, and the data is persisted in Kubernetes
-   * in the `pepr-system` namespace.
-   *
-   * Note: There is no direct access to schedule store
-   */
-  ScheduleStore = {
-    clear: this.#scheduleStore.clear,
-    getItem: this.#scheduleStore.getItem,
-    removeItemAndWait: this.#scheduleStore.removeItemAndWait,
-    removeItem: this.#scheduleStore.removeItem,
-    setItemAndWait: this.#scheduleStore.setItemAndWait,
-    setItem: this.#scheduleStore.setItem,
-    subscribe: this.#scheduleStore.subscribe,
-    onReady: this.#scheduleStore.onReady
-  };
-  get bindings() {
-    return this.#bindings;
-  }
-  get name() {
-    return this.#name;
-  }
-  get description() {
-    return this.#description;
-  }
-  get namespaces() {
-    return this.#namespaces || [];
-  }
-  constructor(cfg) {
-    this.#name = cfg.name;
-    this.#description = cfg.description;
-    this.#namespaces = cfg.namespaces;
-    this.hasSchedule = false;
-    logger_default.info(`Capability ${this.#name} registered`);
-    logger_default.debug(cfg);
-  }
-  /**
-   * Register the store with the capability. This is called automatically by the Pepr controller.
-   *
-   * @param store
-   */
-  registerScheduleStore = () => {
-    logger_default.info(`Registering schedule store for ${this.#name}`);
-    if (this.#scheduleRegistered) {
-      throw new Error(`Schedule store already registered for ${this.#name}`);
-    }
-    this.#scheduleRegistered = true;
-    return {
-      scheduleStore: this.#scheduleStore
-    };
-  };
-  /**
-   * Register the store with the capability. This is called automatically by the Pepr controller.
-   *
-   * @param store
-   */
-  registerStore = () => {
-    logger_default.info(`Registering store for ${this.#name}`);
-    if (this.#registered) {
-      throw new Error(`Store already registered for ${this.#name}`);
-    }
-    this.#registered = true;
-    return {
-      store: this.#store
-    };
-  };
-  /**
-   * The When method is used to register a action to be executed when a Kubernetes resource is
-   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
-   * filters that are applied.
-   *
-   * @param model the KubernetesObject model to match
-   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
-   * @returns
-   */
-  When = (model, kind4) => {
-    const matchedKind = (0, import_kubernetes_fluent_client6.modelToGroupVersionKind)(model.name);
-    if (!matchedKind && !kind4) {
-      throw new Error(`Kind not specified for ${model.name}`);
-    }
-    const binding = {
-      model,
-      // If the kind is not specified, use the matched kind from the model
-      kind: kind4 || matchedKind,
-      event: "*" /* Any */,
-      filters: {
-        name: "",
-        namespaces: [],
-        labels: {},
-        annotations: {}
-      }
-    };
-    const bindings = this.#bindings;
-    const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch, Reconcile };
-    const isNotEmpty = (value) => Object.keys(value).length > 0;
-    const log = (message, cbString) => {
-      const filteredObj = (0, import_ramda6.pickBy)(isNotEmpty, binding.filters);
-      logger_default.info(`${message} configured for ${binding.event}`, prefix);
-      logger_default.info(filteredObj, prefix);
-      logger_default.debug(cbString, prefix);
-    };
-    function Validate(validateCallback) {
-      if (registerAdmission) {
-        log("Validate Action", validateCallback.toString());
-        bindings.push({
-          ...binding,
-          isValidate: true,
-          validateCallback
-        });
-      }
-      return { Watch, Reconcile };
-    }
-    function Mutate(mutateCallback) {
-      if (registerAdmission) {
-        log("Mutate Action", mutateCallback.toString());
-        bindings.push({
-          ...binding,
-          isMutate: true,
-          mutateCallback
-        });
-      }
-      return { Watch, Validate, Reconcile };
-    }
-    function Watch(watchCallback) {
-      if (registerWatch) {
-        log("Watch Action", watchCallback.toString());
-        bindings.push({
-          ...binding,
-          isWatch: true,
-          watchCallback
-        });
-      }
-    }
-    function Reconcile(watchCallback) {
-      if (registerWatch) {
-        log("Reconcile Action", watchCallback.toString());
-        bindings.push({
-          ...binding,
-          isWatch: true,
-          isQueue: true,
-          watchCallback
-        });
-      }
-    }
-    function InNamespace(...namespaces) {
-      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
-      binding.filters.namespaces.push(...namespaces);
-      return { ...commonChain, WithName };
-    }
-    function WithName(name) {
-      logger_default.debug(`Add name filter ${name}`, prefix);
-      binding.filters.name = name;
-      return commonChain;
-    }
-    function WithLabel(key, value = "") {
-      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
-      binding.filters.labels[key] = value;
-      return commonChain;
-    }
-    function WithAnnotation(key, value = "") {
-      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
-      binding.filters.annotations[key] = value;
-      return commonChain;
-    }
-    function bindEvent(event) {
-      binding.event = event;
-      return {
-        ...commonChain,
-        InNamespace,
-        WithName
-      };
-    }
-    return {
-      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
-      IsCreated: () => bindEvent("CREATE" /* Create */),
-      IsUpdated: () => bindEvent("UPDATE" /* Update */),
-      IsDeleted: () => bindEvent("DELETE" /* Delete */)
-    };
-  };
-};
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  Capability,
-  K8s,
-  Log,
-  PeprModule,
-  PeprMutateRequest,
-  PeprUtils,
-  PeprValidateRequest,
-  R,
-  RegisterKind,
-  a,
-  fetch,
-  fetchStatus,
-  kind,
-  sdk
-});
-//# sourceMappingURL=lib.js.map