pepr 0.32.1 → 0.32.3

package/dist/lib.js

@@ -0,0 +1,1808 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/lib.ts
+var lib_exports = {};
+__export(lib_exports, {
+  Capability: () => Capability,
+  K8s: () => import_kubernetes_fluent_client7.K8s,
+  Log: () => logger_default,
+  PeprModule: () => PeprModule,
+  PeprMutateRequest: () => PeprMutateRequest,
+  PeprUtils: () => utils_exports,
+  PeprValidateRequest: () => PeprValidateRequest,
+  R: () => R,
+  RegisterKind: () => import_kubernetes_fluent_client7.RegisterKind,
+  a: () => import_kubernetes_fluent_client7.kind,
+  fetch: () => import_kubernetes_fluent_client7.fetch,
+  fetchStatus: () => import_kubernetes_fluent_client7.fetchStatus,
+  kind: () => import_kubernetes_fluent_client7.kind,
+  sdk: () => sdk_exports
+});
+module.exports = __toCommonJS(lib_exports);
+var import_kubernetes_fluent_client7 = require("kubernetes-fluent-client");
+var R = __toESM(require("ramda"));
+
+// src/lib/capability.ts
+var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
+var import_ramda6 = require("ramda");
+
+// src/lib/logger.ts
+var import_pino = require("pino");
+var isPrettyLog = process.env.PEPR_PRETTY_LOGS === "true";
+var pretty = {
+  target: "pino-pretty",
+  options: {
+    colorize: true
+  }
+};
+var transport = isPrettyLog ? pretty : void 0;
+var pinoTimeFunction = process.env.PINO_TIME_STAMP === "iso" ? () => import_pino.stdTimeFunctions.isoTime() : () => import_pino.stdTimeFunctions.epochTime();
+var Log = (0, import_pino.pino)({
+  transport,
+  timestamp: pinoTimeFunction
+});
+if (process.env.LOG_LEVEL) {
+  Log.level = process.env.LOG_LEVEL;
+}
+var logger_default = Log;
+
+// src/lib/module.ts
+var import_ramda4 = require("ramda");
+
+// src/lib/controller/index.ts
+var import_express = __toESM(require("express"));
+var import_fs = __toESM(require("fs"));
+var import_https = __toESM(require("https"));
+
+// src/lib/metrics.ts
+var import_perf_hooks = require("perf_hooks");
+var import_prom_client = __toESM(require("prom-client"));
+var loggingPrefix = "MetricsCollector";
+var MetricsCollector = class {
+  #registry;
+  #counters = /* @__PURE__ */ new Map();
+  #summaries = /* @__PURE__ */ new Map();
+  #prefix;
+  #metricNames = {
+    errors: "errors",
+    alerts: "alerts",
+    mutate: "Mutate",
+    validate: "Validate"
+  };
+  /**
+   * Creates a MetricsCollector instance with prefixed metrics.
+   * @param [prefix='pepr'] - The prefix for the metric names.
+   */
+  constructor(prefix = "pepr") {
+    this.#registry = new import_prom_client.Registry();
+    this.#prefix = prefix;
+    this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
+    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
+    this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
+    this.addSummary(this.#metricNames.validate, "Validation operation summary");
+  }
+  #getMetricName = (name) => `${this.#prefix}_${name}`;
+  #addMetric = (collection, MetricType, name, help) => {
+    if (collection.has(this.#getMetricName(name))) {
+      logger_default.debug(`Metric for ${name} already exists`, loggingPrefix);
+      return;
+    }
+    const metric = new MetricType({
+      name: this.#getMetricName(name),
+      help,
+      registers: [this.#registry]
+    });
+    collection.set(this.#getMetricName(name), metric);
+  };
+  addCounter = (name, help) => {
+    this.#addMetric(this.#counters, import_prom_client.default.Counter, name, help);
+  };
+  addSummary = (name, help) => {
+    this.#addMetric(this.#summaries, import_prom_client.default.Summary, name, help);
+  };
+  incCounter = (name) => {
+    this.#counters.get(this.#getMetricName(name))?.inc();
+  };
+  /**
+   * Increments the error counter.
+   */
+  error = () => this.incCounter(this.#metricNames.errors);
+  /**
+   * Increments the alerts counter.
+   */
+  alert = () => this.incCounter(this.#metricNames.alerts);
+  /**
+   * Observes the duration since the provided start time and updates the summary.
+   * @param startTime - The start time.
+   * @param name - The metrics summary to increment.
+   */
+  observeEnd = (startTime, name = this.#metricNames.mutate) => {
+    this.#summaries.get(this.#getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
+  };
+  /**
+   * Fetches the current metrics from the registry.
+   * @returns The metrics.
+   */
+  getMetrics = () => this.#registry.metrics();
+  /**
+   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
+   * @returns The timestamp.
+   */
+  static observeStart() {
+    return import_perf_hooks.performance.now();
+  }
+};
+
+// src/lib/mutate-processor.ts
+var import_fast_json_patch = __toESM(require("fast-json-patch"));
+
+// src/lib/errors.ts
+var Errors = {
+  audit: "audit",
+  ignore: "ignore",
+  reject: "reject"
+};
+var ErrorList = Object.values(Errors);
+function ValidateError(error = "") {
+  if (!ErrorList.includes(error)) {
+    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
+  }
+}
+
+// src/lib/k8s.ts
+var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
+var PeprStore = class extends import_kubernetes_fluent_client.GenericKind {
+};
+var peprStoreGVK = {
+  kind: "PeprStore",
+  version: "v1",
+  group: "pepr.dev"
+};
+(0, import_kubernetes_fluent_client.RegisterKind)(PeprStore, peprStoreGVK);
+
+// src/lib/filter.ts
+function shouldSkipRequest(binding, req, capabilityNamespaces) {
+  const { group, kind: kind4, version } = binding.kind || {};
+  const { namespaces, labels, annotations, name } = binding.filters || {};
+  const operation = req.operation.toUpperCase();
+  const uid = req.uid;
+  const srcObject = operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
+  const { metadata } = srcObject || {};
+  const combinedNamespaces = [...namespaces, ...capabilityNamespaces];
+  if (!binding.event.includes(operation) && !binding.event.includes("*" /* Any */)) {
+    return true;
+  }
+  if (name && name !== req.name) {
+    return true;
+  }
+  if (kind4 !== req.kind.kind) {
+    return true;
+  }
+  if (group && group !== req.kind.group) {
+    return true;
+  }
+  if (version && version !== req.kind.version) {
+    return true;
+  }
+  if (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "") || !namespaces.includes(req.namespace || "") && capabilityNamespaces.length !== 0 && namespaces.length !== 0) {
+    let type = "";
+    let label = "";
+    if (binding.isMutate) {
+      type = "Mutate";
+      label = binding.mutateCallback.name;
+    } else if (binding.isValidate) {
+      type = "Validate";
+      label = binding.validateCallback.name;
+    } else if (binding.isWatch) {
+      type = "Watch";
+      label = binding.watchCallback.name;
+    }
+    logger_default.debug({ uid }, `${type} binding (${label}) does not match request namespace "${req.namespace}"`);
+    return true;
+  }
+  for (const [key, value] of Object.entries(labels)) {
+    const testKey = metadata?.labels?.[key];
+    if (!testKey) {
+      logger_default.debug({ uid }, `Label ${key} does not exist`);
+      return true;
+    }
+    if (value && testKey !== value) {
+      logger_default.debug({ uid }, `${testKey} does not match ${value}`);
+      return true;
+    }
+  }
+  for (const [key, value] of Object.entries(annotations)) {
+    const testKey = metadata?.annotations?.[key];
+    if (!testKey) {
+      logger_default.debug({ uid }, `Annotation ${key} does not exist`);
+      return true;
+    }
+    if (value && testKey !== value) {
+      logger_default.debug({ uid }, `${testKey} does not match ${value}`);
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/lib/mutate-request.ts
+var import_ramda = require("ramda");
+var PeprMutateRequest = class {
+  Raw;
+  #input;
+  get PermitSideEffects() {
+    return !this.#input.dryRun;
+  }
+  /**
+   * Indicates whether the request is a dry run.
+   * @returns true if the request is a dry run, false otherwise.
+   */
+  get IsDryRun() {
+    return this.#input.dryRun;
+  }
+  /**
+   * Provides access to the old resource in the request if available.
+   * @returns The old Kubernetes resource object or null if not available.
+   */
+  get OldResource() {
+    return this.#input.oldObject;
+  }
+  /**
+   * Provides access to the request object.
+   * @returns The request object containing the Kubernetes resource.
+   */
+  get Request() {
+    return this.#input;
+  }
+  /**
+   * Creates a new instance of the action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
+   */
+  constructor(input) {
+    this.#input = input;
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda.clone)(input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.RawP");
+    }
+  }
+  /**
+   * Deep merges the provided object with the current resource.
+   *
+   * @param obj - The object to merge with the current resource.
+   */
+  Merge = (obj) => {
+    this.Raw = (0, import_ramda.mergeDeepRight)(this.Raw, obj);
+  };
+  /**
+   * Updates a label on the Kubernetes resource.
+   * @param key - The key of the label to update.
+   * @param value - The value of the label.
+   * @returns The current action instance for method chaining.
+   */
+  SetLabel = (key, value) => {
+    const ref = this.Raw;
+    ref.metadata = ref.metadata ?? {};
+    ref.metadata.labels = ref.metadata.labels ?? {};
+    ref.metadata.labels[key] = value;
+    return this;
+  };
+  /**
+   * Updates an annotation on the Kubernetes resource.
+   * @param key - The key of the annotation to update.
+   * @param value - The value of the annotation.
+   * @returns The current action instance for method chaining.
+   */
+  SetAnnotation = (key, value) => {
+    const ref = this.Raw;
+    ref.metadata = ref.metadata ?? {};
+    ref.metadata.annotations = ref.metadata.annotations ?? {};
+    ref.metadata.annotations[key] = value;
+    return this;
+  };
+  /**
+   * Removes a label from the Kubernetes resource.
+   * @param key - The key of the label to remove.
+   * @returns The current Action instance for method chaining.
+   */
+  RemoveLabel = (key) => {
+    if (this.Raw.metadata?.labels?.[key]) {
+      delete this.Raw.metadata.labels[key];
+    }
+    return this;
+  };
+  /**
+   * Removes an annotation from the Kubernetes resource.
+   * @param key - The key of the annotation to remove.
+   * @returns The current Action instance for method chaining.
+   */
+  RemoveAnnotation = (key) => {
+    if (this.Raw.metadata?.annotations?.[key]) {
+      delete this.Raw.metadata.annotations[key];
+    }
+    return this;
+  };
+  /**
+   * Check if a label exists on the Kubernetes resource.
+   *
+   * @param key the label key to check
+   * @returns
+   */
+  HasLabel = (key) => {
+    return this.Raw.metadata?.labels?.[key] !== void 0;
+  };
+  /**
+   * Check if an annotation exists on the Kubernetes resource.
+   *
+   * @param key the annotation key to check
+   * @returns
+   */
+  HasAnnotation = (key) => {
+    return this.Raw.metadata?.annotations?.[key] !== void 0;
+  };
+};
+
+// src/lib/utils.ts
+var utils_exports = {};
+__export(utils_exports, {
+  base64Decode: () => base64Decode,
+  base64Encode: () => base64Encode,
+  convertFromBase64Map: () => convertFromBase64Map,
+  convertToBase64Map: () => convertToBase64Map,
+  isAscii: () => isAscii
+});
+var isAscii = /^[\s\x20-\x7E]*$/;
+function convertToBase64Map(obj, skip) {
+  obj.data = obj.data ?? {};
+  for (const key in obj.data) {
+    const value = obj.data[key];
+    obj.data[key] = skip.includes(key) ? value : base64Encode(value);
+  }
+}
+function convertFromBase64Map(obj) {
+  const skip = [];
+  obj.data = obj.data ?? {};
+  for (const key in obj.data) {
+    if (obj.data[key] == void 0) {
+      obj.data[key] = "";
+    } else {
+      const decoded = base64Decode(obj.data[key]);
+      if (isAscii.test(decoded)) {
+        obj.data[key] = decoded;
+      } else {
+        skip.push(key);
+      }
+    }
+  }
+  logger_default.debug(`Non-ascii data detected in keys: ${skip}, skipping automatic base64 decoding`);
+  return skip;
+}
+function base64Decode(data) {
+  return Buffer.from(data, "base64").toString("utf-8");
+}
+function base64Encode(data) {
+  return Buffer.from(data).toString("base64");
+}
+
+// src/lib/mutate-processor.ts
+async function mutateProcessor(config, capabilities, req, reqMetadata) {
+  const wrapped = new PeprMutateRequest(req);
+  const response = {
+    uid: req.uid,
+    warnings: [],
+    allowed: false
+  };
+  let matchedAction = false;
+  let skipDecode = [];
+  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  if (isSecret) {
+    skipDecode = convertFromBase64Map(wrapped.Raw);
+  }
+  logger_default.info(reqMetadata, `Processing request`);
+  for (const { name, bindings, namespaces } of capabilities) {
+    const actionMetadata = { ...reqMetadata, name };
+    for (const action of bindings) {
+      if (!action.mutateCallback) {
+        continue;
+      }
+      if (shouldSkipRequest(action, req, namespaces)) {
+        continue;
+      }
+      const label = action.mutateCallback.name;
+      logger_default.info(actionMetadata, `Processing mutation action (${label})`);
+      matchedAction = true;
+      const updateStatus = (status) => {
+        if (req.operation == "DELETE") {
+          return;
+        }
+        const identifier = `${config.uuid}.pepr.dev/${name}`;
+        wrapped.Raw.metadata = wrapped.Raw.metadata || {};
+        wrapped.Raw.metadata.annotations = wrapped.Raw.metadata.annotations || {};
+        wrapped.Raw.metadata.annotations[identifier] = status;
+      };
+      updateStatus("started");
+      try {
+        await action.mutateCallback(wrapped);
+        logger_default.info(actionMetadata, `Mutation action succeeded (${label})`);
+        updateStatus("succeeded");
+      } catch (e) {
+        updateStatus("warning");
+        response.warnings = response.warnings || [];
+        let errorMessage = "";
+        try {
+          if (e.message && e.message !== "[object Object]") {
+            errorMessage = e.message;
+          } else {
+            throw new Error("An error occurred in the mutate action.");
+          }
+        } catch (e2) {
+          errorMessage = "An error occurred with the mutate action.";
+        }
+        logger_default.error(actionMetadata, `Action failed: ${errorMessage}`);
+        response.warnings.push(`Action failed: ${errorMessage}`);
+        switch (config.onError) {
+          case Errors.reject:
+            logger_default.error(actionMetadata, `Action failed: ${errorMessage}`);
+            response.result = "Pepr module configured to reject on error";
+            return response;
+          case Errors.audit:
+            response.auditAnnotations = response.auditAnnotations || {};
+            response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
+            break;
+        }
+      }
+    }
+  }
+  response.allowed = true;
+  if (!matchedAction) {
+    logger_default.info(reqMetadata, `No matching actions found`);
+    return response;
+  }
+  if (req.operation == "DELETE") {
+    return response;
+  }
+  const transformed = wrapped.Raw;
+  if (isSecret) {
+    convertToBase64Map(transformed, skipDecode);
+  }
+  const patches = import_fast_json_patch.default.compare(req.object, transformed);
+  if (patches.length > 0) {
+    response.patchType = "JSONPatch";
+    response.patch = base64Encode(JSON.stringify(patches));
+  }
+  if (response.warnings && response.warnings.length < 1) {
+    delete response.warnings;
+  }
+  logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
+  return response;
+}
+
+// src/lib/validate-request.ts
+var import_ramda2 = require("ramda");
+var PeprValidateRequest = class {
+  Raw;
+  #input;
+  /**
+   * Provides access to the old resource in the request if available.
+   * @returns The old Kubernetes resource object or null if not available.
+   */
+  get OldResource() {
+    return this.#input.oldObject;
+  }
+  /**
+   * Provides access to the request object.
+   * @returns The request object containing the Kubernetes resource.
+   */
+  get Request() {
+    return this.#input;
+  }
+  /**
+   * Creates a new instance of the Action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
+   */
+  constructor(input) {
+    this.#input = input;
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda2.clone)(input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda2.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.Raw");
+    }
+  }
+  /**
+   * Check if a label exists on the Kubernetes resource.
+   *
+   * @param key the label key to check
+   * @returns
+   */
+  HasLabel = (key) => {
+    return this.Raw.metadata?.labels?.[key] !== void 0;
+  };
+  /**
+   * Check if an annotation exists on the Kubernetes resource.
+   *
+   * @param key the annotation key to check
+   * @returns
+   */
+  HasAnnotation = (key) => {
+    return this.Raw.metadata?.annotations?.[key] !== void 0;
+  };
+  /**
+   * Create a validation response that allows the request.
+   *
+   * @returns The validation response.
+   */
+  Approve = () => {
+    return {
+      allowed: true
+    };
+  };
+  /**
+   * Create a validation response that denies the request.
+   *
+   * @param statusMessage Optional status message to return to the user.
+   * @param statusCode Optional status code to return to the user.
+   * @returns The validation response.
+   */
+  Deny = (statusMessage, statusCode) => {
+    return {
+      allowed: false,
+      statusCode,
+      statusMessage
+    };
+  };
+};
+
+// src/lib/validate-processor.ts
+async function validateProcessor(capabilities, req, reqMetadata) {
+  const wrapped = new PeprValidateRequest(req);
+  const response = [];
+  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
+  if (isSecret) {
+    convertFromBase64Map(wrapped.Raw);
+  }
+  logger_default.info(reqMetadata, `Processing validation request`);
+  for (const { name, bindings, namespaces } of capabilities) {
+    const actionMetadata = { ...reqMetadata, name };
+    for (const action of bindings) {
+      if (!action.validateCallback) {
+        continue;
+      }
+      const localResponse = {
+        uid: req.uid,
+        allowed: true
+        // Assume it's allowed until a validation check fails
+      };
+      if (shouldSkipRequest(action, req, namespaces)) {
+        continue;
+      }
+      const label = action.validateCallback.name;
+      logger_default.info(actionMetadata, `Processing validation action (${label})`);
+      try {
+        const resp = await action.validateCallback(wrapped);
+        localResponse.allowed = resp.allowed;
+        if (resp.statusCode || resp.statusMessage) {
+          localResponse.status = {
+            code: resp.statusCode || 400,
+            message: resp.statusMessage || `Validation failed for ${name}`
+          };
+        }
+        logger_default.info(actionMetadata, `Validation action complete (${label}): ${resp.allowed ? "allowed" : "denied"}`);
+      } catch (e) {
+        logger_default.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
+        localResponse.allowed = false;
+        localResponse.status = {
+          code: 500,
+          message: `Action failed with error: ${JSON.stringify(e)}`
+        };
+        return [localResponse];
+      }
+      response.push(localResponse);
+    }
+  }
+  return response;
+}
+
+// src/lib/controller/store.ts
+var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
+var import_ramda3 = require("ramda");
+var namespace = "pepr-system";
+var debounceBackoff = 5e3;
+var PeprControllerStore = class {
+  #name;
+  #stores = {};
+  #sendDebounce;
+  #onReady;
+  constructor(capabilities, name, onReady) {
+    this.#onReady = onReady;
+    this.#name = name;
+    if (name.includes("schedule")) {
+      for (const { name: name2, registerScheduleStore, hasSchedule } of capabilities) {
+        if (hasSchedule !== true) {
+          continue;
+        }
+        const { scheduleStore } = registerScheduleStore();
+        scheduleStore.registerSender(this.#send(name2));
+        this.#stores[name2] = scheduleStore;
+      }
+    } else {
+      for (const { name: name2, registerStore } of capabilities) {
+        const { store } = registerStore();
+        store.registerSender(this.#send(name2));
+        this.#stores[name2] = store;
+      }
+    }
+    setTimeout(
+      () => (0, import_kubernetes_fluent_client2.K8s)(PeprStore).InNamespace(namespace).Get(this.#name).then(this.#setupWatch).catch(this.#createStoreResource),
+      Math.random() * 3e3
+    );
+  }
+  #setupWatch = () => {
+    const watcher = (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { name: this.#name, namespace }).Watch(this.#receive);
+    watcher.start().catch((e) => logger_default.error(e, "Error starting Pepr store watch"));
+  };
+  #receive = (store) => {
+    logger_default.debug(store, "Pepr Store update");
+    const debounced = () => {
+      const data = store.data || {};
+      for (const name of Object.keys(this.#stores)) {
+        const offset = `${name}-`.length;
+        const filtered = {};
+        for (const key of Object.keys(data)) {
+          if ((0, import_ramda3.startsWith)(name, key)) {
+            filtered[key.slice(offset)] = data[key];
+          }
+        }
+        this.#stores[name].receive(filtered);
+      }
+      if (this.#onReady) {
+        this.#onReady();
+        this.#onReady = void 0;
+      }
+    };
+    clearTimeout(this.#sendDebounce);
+    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoff);
+  };
+  #send = (capabilityName) => {
+    const sendCache = {};
+    const fillCache = (op, key, val) => {
+      if (op === "add") {
+        const path = `/data/${capabilityName}-${key}`;
+        const value = val || "";
+        const cacheIdx = [op, path, value].join(":");
+        sendCache[cacheIdx] = { op, path, value };
+        return;
+      }
+      if (op === "remove") {
+        if (key.length < 1) {
+          throw new Error(`Key is required for REMOVE operation`);
+        }
+        for (const k of key) {
+          const path = `/data/${capabilityName}-${k}`;
+          const cacheIdx = [op, path].join(":");
+          sendCache[cacheIdx] = { op, path };
+        }
+        return;
+      }
+      throw new Error(`Unsupported operation: ${op}`);
+    };
+    const flushCache = async () => {
+      const indexes = Object.keys(sendCache);
+      const payload = Object.values(sendCache);
+      for (const idx of indexes) {
+        delete sendCache[idx];
+      }
+      try {
+        await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
+      } catch (err) {
+        logger_default.error(err, "Pepr store update failure");
+        if (err.status === 422) {
+          Object.keys(sendCache).forEach((key) => delete sendCache[key]);
+        } else {
+          for (const idx of indexes) {
+            sendCache[idx] = payload[Number(idx)];
+          }
+        }
+      }
+    };
+    const sender = async (op, key, val) => {
+      fillCache(op, key, val);
+    };
+    setInterval(() => {
+      if (Object.keys(sendCache).length > 0) {
+        logger_default.debug(sendCache, "Sending updates to Pepr store");
+        void flushCache();
+      }
+    }, debounceBackoff);
+    return sender;
+  };
+  #createStoreResource = async (e) => {
+    logger_default.info(`Pepr store not found, creating...`);
+    logger_default.debug(e);
+    try {
+      await (0, import_kubernetes_fluent_client2.K8s)(PeprStore).Apply({
+        metadata: {
+          name: this.#name,
+          namespace
+        },
+        data: {
+          // JSON Patch will die if the data is empty, so we need to add a placeholder
+          __pepr_do_not_delete__: "k-thx-bye"
+        }
+      });
+      this.#setupWatch();
+    } catch (err) {
+      logger_default.error(err, "Failed to create Pepr store");
+    }
+  };
+};
+
+// src/lib/controller/index.ts
+var Controller = class _Controller {
+  // Track whether the server is running
+  #running = false;
+  // Metrics collector
+  #metricsCollector = new MetricsCollector("pepr");
+  // The token used to authenticate requests
+  #token = "";
+  // The express app instance
+  #app = (0, import_express.default)();
+  // Initialized with the constructor
+  #config;
+  #capabilities;
+  #beforeHook;
+  #afterHook;
+  constructor(config, capabilities, beforeHook, afterHook, onReady) {
+    this.#config = config;
+    this.#capabilities = capabilities;
+    new PeprControllerStore(capabilities, `pepr-${config.uuid}-store`, () => {
+      this.#bindEndpoints();
+      onReady && onReady();
+      logger_default.info("\u2705 Controller startup complete");
+      new PeprControllerStore(capabilities, `pepr-${config.uuid}-schedule`, () => {
+        logger_default.info("\u2705 Scheduling processed");
+      });
+    });
+    this.#app.use(_Controller.#logger);
+    this.#app.use(import_express.default.json({ limit: "2mb" }));
+    if (beforeHook) {
+      logger_default.info(`Using beforeHook: ${beforeHook}`);
+      this.#beforeHook = beforeHook;
+    }
+    if (afterHook) {
+      logger_default.info(`Using afterHook: ${afterHook}`);
+      this.#afterHook = afterHook;
+    }
+  }
+  /** Start the webhook server */
+  startServer = (port) => {
+    if (this.#running) {
+      throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
+    }
+    const options = {
+      key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
+      cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
+    };
+    if (!isWatchMode()) {
+      this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
+      logger_default.info(`Using API token: ${this.#token}`);
+      if (!this.#token) {
+        throw new Error("API token not found");
+      }
+    }
+    const server = import_https.default.createServer(options, this.#app).listen(port);
+    server.on("listening", () => {
+      logger_default.info(`Server listening on port ${port}`);
+      this.#running = true;
+    });
+    server.on("error", (e) => {
+      if (e.code === "EADDRINUSE") {
+        logger_default.warn(
+          `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
+        );
+        setTimeout(() => {
+          server.close();
+          server.listen(port);
+        }, 2e3);
+      }
+    });
+    process.on("SIGTERM", () => {
+      logger_default.info("Received SIGTERM, closing server");
+      server.close(() => {
+        logger_default.info("Server closed");
+        process.exit(0);
+      });
+    });
+  };
+  #bindEndpoints = () => {
+    this.#app.get("/healthz", _Controller.#healthz);
+    this.#app.get("/metrics", this.#metrics);
+    if (isWatchMode()) {
+      return;
+    }
+    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
+    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
+    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
+  };
+  /**
+   * Validate the token in the request path
+   *
+   * @param req The incoming request
+   * @param res The outgoing response
+   * @param next The next middleware function
+   * @returns
+   */
+  #validateToken = (req, res, next) => {
+    const { token } = req.params;
+    if (token !== this.#token) {
+      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
+      logger_default.warn(err);
+      res.status(401).send(err);
+      this.#metricsCollector.alert();
+      return;
+    }
+    next();
+  };
+  /**
+   * Metrics endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   */
+  #metrics = async (req, res) => {
+    try {
+      res.send(await this.#metricsCollector.getMetrics());
+    } catch (err) {
+      logger_default.error(err, `Error getting metrics`);
+      res.status(500).send("Internal Server Error");
+    }
+  };
+  /**
+   * Admission request handler for both mutate and validate requests
+   *
+   * @param admissionKind the type of admission request
+   * @returns the request handler
+   */
+  #admissionReq = (admissionKind) => {
+    return async (req, res) => {
+      const startTime = MetricsCollector.observeStart();
+      try {
+        const request = req.body?.request || {};
+        this.#beforeHook && this.#beforeHook(request || {});
+        const name = request?.name ? `/${request.name}` : "";
+        const namespace2 = request?.namespace || "";
+        const gvk = request?.kind || { group: "", version: "", kind: "" };
+        const reqMetadata = {
+          uid: request.uid,
+          namespace: namespace2,
+          name
+        };
+        logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
+        logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
+        let response;
+        if (admissionKind === "Mutate") {
+          response = await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata);
+        } else {
+          response = await validateProcessor(this.#capabilities, request, reqMetadata);
+        }
+        const responseList = Array.isArray(response) ? response : [response];
+        responseList.map((res2) => {
+          this.#afterHook && this.#afterHook(res2);
+          logger_default.info({ ...reqMetadata, res: res2 }, "Check response");
+        });
+        let kubeAdmissionResponse;
+        if (admissionKind === "Mutate") {
+          kubeAdmissionResponse = response;
+          logger_default.debug({ ...reqMetadata, response }, "Outgoing response");
+          res.send({
+            apiVersion: "admission.k8s.io/v1",
+            kind: "AdmissionReview",
+            response: kubeAdmissionResponse
+          });
+        } else {
+          kubeAdmissionResponse = responseList.length === 0 ? {
+            uid: request.uid,
+            allowed: true,
+            status: { message: "no in-scope validations -- allowed!" }
+          } : {
+            uid: responseList[0].uid,
+            allowed: responseList.filter((r) => !r.allowed).length === 0,
+            status: {
+              message: responseList.filter((rl) => !rl.allowed).map((curr) => curr.status?.message).join("; ")
+            }
+          };
+          res.send({
+            apiVersion: "admission.k8s.io/v1",
+            kind: "AdmissionReview",
+            response: kubeAdmissionResponse
+          });
+        }
+        logger_default.debug({ ...reqMetadata, kubeAdmissionResponse }, "Outgoing response");
+        this.#metricsCollector.observeEnd(startTime, admissionKind);
+      } catch (err) {
+        logger_default.error(err, `Error processing ${admissionKind} request`);
+        res.status(500).send("Internal Server Error");
+        this.#metricsCollector.error();
+      }
+    };
+  };
+  /**
+   * Middleware for logging requests
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   * @param next the next middleware function
+   */
+  static #logger(req, res, next) {
+    const startTime = Date.now();
+    res.on("finish", () => {
+      const elapsedTime = Date.now() - startTime;
+      const message = {
+        uid: req.body?.request?.uid,
+        method: req.method,
+        url: req.originalUrl,
+        status: res.statusCode,
+        duration: `${elapsedTime} ms`
+      };
+      res.statusCode >= 300 ? logger_default.warn(message) : logger_default.info(message);
+    });
+    next();
+  }
+  /**
+   * Health check endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
+   */
+  static #healthz(req, res) {
+    try {
+      res.send("OK");
+    } catch (err) {
+      logger_default.error(err, `Error processing health check`);
+      res.status(500).send("Internal Server Error");
+    }
+  }
+};
+
+// src/lib/watch-processor.ts
+var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
+var import_types2 = require("kubernetes-fluent-client/dist/fluent/types");
+
+// src/lib/helpers.ts
+var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
+
+// src/sdk/sdk.ts
+var sdk_exports = {};
+__export(sdk_exports, {
+  containers: () => containers,
+  getOwnerRefFrom: () => getOwnerRefFrom,
+  sanitizeResourceName: () => sanitizeResourceName,
+  writeEvent: () => writeEvent
+});
+var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
+function containers(request, containerType) {
+  const containers2 = request.Raw.spec?.containers || [];
+  const initContainers = request.Raw.spec?.initContainers || [];
+  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
+  if (containerType === "containers") {
+    return containers2;
+  }
+  if (containerType === "initContainers") {
+    return initContainers;
+  }
+  if (containerType === "ephemeralContainers") {
+    return ephemeralContainers;
+  }
+  return [...containers2, ...initContainers, ...ephemeralContainers];
+}
+async function writeEvent(cr, event, eventType, eventReason, reportingComponent, reportingInstance) {
+  logger_default.debug(cr.metadata, `Writing event: ${event.message}`);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CoreEvent).Create({
+    type: eventType,
+    reason: eventReason,
+    ...event,
+    // Fixed values
+    metadata: {
+      namespace: cr.metadata.namespace,
+      generateName: cr.metadata.name
+    },
+    involvedObject: {
+      apiVersion: cr.apiVersion,
+      kind: cr.kind,
+      name: cr.metadata.name,
+      namespace: cr.metadata.namespace,
+      uid: cr.metadata.uid
+    },
+    firstTimestamp: /* @__PURE__ */ new Date(),
+    reportingComponent,
+    reportingInstance
+  });
+}
+function getOwnerRefFrom(cr) {
+  const { name, uid } = cr.metadata;
+  return [
+    {
+      apiVersion: cr.apiVersion,
+      kind: cr.kind,
+      uid,
+      name
+    }
+  ];
+}
+function sanitizeResourceName(name) {
+  return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
+}
+
+// src/lib/helpers.ts
+function checkOverlap(bindingFilters, objectFilters) {
+  if (Object.keys(bindingFilters).length === 0) {
+    return true;
+  }
+  let matchCount = 0;
+  for (const key in bindingFilters) {
+    if (Object.prototype.hasOwnProperty.call(objectFilters, key)) {
+      const val1 = bindingFilters[key];
+      const val2 = objectFilters[key];
+      if (val1 === "" && key in objectFilters) {
+        matchCount++;
+      } else if (val1 !== "" && val1 === val2) {
+        matchCount++;
+      }
+    }
+  }
+  return matchCount === Object.keys(bindingFilters).length;
+}
+function filterNoMatchReason(binding, obj, capabilityNamespaces) {
+  if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
+    return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
+  }
+  if (typeof obj === "object" && obj !== null && "metadata" in obj && obj.metadata !== void 0 && binding.filters) {
+    if (obj.metadata.labels && !checkOverlap(binding.filters.labels, obj.metadata.labels)) {
+      return `Ignoring Watch Callback: No overlap between binding and object labels. Binding labels ${JSON.stringify(
+        binding.filters.labels
+      )}, Object Labels ${JSON.stringify(obj.metadata.labels)}.`;
+    }
+    if (obj.metadata.annotations && !checkOverlap(binding.filters.annotations, obj.metadata.annotations)) {
+      return `Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations ${JSON.stringify(
+        binding.filters.annotations
+      )}, Object annotations ${JSON.stringify(obj.metadata.annotations)}.`;
+    }
+  }
+  if (Array.isArray(capabilityNamespaces) && capabilityNamespaces.length > 0 && obj.metadata && obj.metadata.namespace && !capabilityNamespaces.includes(obj.metadata.namespace)) {
+    return `Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ${capabilityNamespaces.join(
+      ", "
+    )}, Object namespace: ${obj.metadata.namespace}.`;
+  }
+  if (Array.isArray(capabilityNamespaces) && capabilityNamespaces.length > 0 && binding.filters && Array.isArray(binding.filters.namespaces) && binding.filters.namespaces.length > 0 && !binding.filters.namespaces.every((ns) => capabilityNamespaces.includes(ns))) {
+    return `Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ${capabilityNamespaces.join(
+      ", "
+    )}, Binding namespaces: ${binding.filters.namespaces.join(", ")}.`;
+  }
+  if (binding.filters && Array.isArray(binding.filters.namespaces) && binding.filters.namespaces.length > 0 && obj.metadata && obj.metadata.namespace && !binding.filters.namespaces.includes(obj.metadata.namespace)) {
+    return `Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ${binding.filters.namespaces.join(
+      ", "
+    )}, Object namespace: ${obj.metadata.namespace}.`;
+  }
+  return "";
+}
+
+// src/lib/queue.ts
+var Queue = class {
+  #queue = [];
+  #pendingPromise = false;
+  #reconcile;
+  constructor() {
+    this.#reconcile = async () => await new Promise((resolve) => resolve());
+  }
+  setReconcile(reconcile) {
+    this.#reconcile = reconcile;
+  }
+  /**
+   * Enqueue adds an item to the queue and returns a promise that resolves when the item is
+   * reconciled.
+   *
+   * @param item The object to reconcile
+   * @returns A promise that resolves when the object is reconciled
+   */
+  enqueue(item, type) {
+    logger_default.debug(`Enqueueing ${item.metadata.namespace}/${item.metadata.name}`);
+    return new Promise((resolve, reject) => {
+      this.#queue.push({ item, type, resolve, reject });
+      return this.#dequeue();
+    });
+  }
+  /**
+   * Dequeue reconciles the next item in the queue
+   *
+   * @returns A promise that resolves when the webapp is reconciled
+   */
+  async #dequeue() {
+    if (this.#pendingPromise) {
+      logger_default.debug("Pending promise, not dequeuing");
+      return false;
+    }
+    const element = this.#queue.shift();
+    if (!element) {
+      logger_default.debug("No element, not dequeuing");
+      return false;
+    }
+    try {
+      this.#pendingPromise = true;
+      if (this.#reconcile) {
+        logger_default.debug(`Reconciling ${element.item.metadata.name}`);
+        await this.#reconcile(element.item, element.type);
+      }
+      element.resolve();
+    } catch (e) {
+      logger_default.debug(`Error reconciling ${element.item.metadata.name}`, { error: e });
+      element.reject(e);
+    } finally {
+      logger_default.debug("Resetting pending promise and dequeuing");
+      this.#pendingPromise = false;
+      await this.#dequeue();
+    }
+  }
+};
+
+// src/lib/watch-processor.ts
+var watchCfg = {
+  retryMax: process.env.PEPR_RETRYMAX ? parseInt(process.env.PEPR_RETRYMAX, 10) : 5,
+  retryDelaySec: process.env.PEPR_RETRYDELAYSECONDS ? parseInt(process.env.PEPR_RETRYDELAYSECONDS, 10) : 5,
+  resyncIntervalSec: process.env.PEPR_RESYNCINTERVALSECONDS ? parseInt(process.env.PEPR_RESYNCINTERVALSECONDS, 10) : 300
+};
+var eventToPhaseMap = {
+  ["CREATE" /* Create */]: [import_types2.WatchPhase.Added],
+  ["UPDATE" /* Update */]: [import_types2.WatchPhase.Modified],
+  ["CREATEORUPDATE" /* CreateOrUpdate */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified],
+  ["DELETE" /* Delete */]: [import_types2.WatchPhase.Deleted],
+  ["*" /* Any */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified, import_types2.WatchPhase.Deleted]
+};
+function setupWatch(capabilities) {
+  capabilities.map(
+    (capability) => capability.bindings.filter((binding) => binding.isWatch).forEach((bindingElement) => runBinding(bindingElement, capability.namespaces))
+  );
+}
+async function runBinding(binding, capabilityNamespaces) {
+  const phaseMatch = eventToPhaseMap[binding.event] || eventToPhaseMap["*" /* Any */];
+  logger_default.debug({ watchCfg }, "Effective WatchConfig");
+  const watchCallback = async (obj, type) => {
+    if (phaseMatch.includes(type)) {
+      try {
+        const filterMatch = filterNoMatchReason(binding, obj, capabilityNamespaces);
+        if (filterMatch === "") {
+          await binding.watchCallback?.(obj, type);
+        } else {
+          logger_default.debug(filterMatch);
+        }
+      } catch (e) {
+        logger_default.error(e, "Error executing watch callback");
+      }
+    }
+  };
+  const queue = new Queue();
+  queue.setReconcile(watchCallback);
+  const watcher = (0, import_kubernetes_fluent_client5.K8s)(binding.model, binding.filters).Watch(async (obj, type) => {
+    logger_default.debug(obj, `Watch event ${type} received`);
+    if (binding.isQueue) {
+      await queue.enqueue(obj, type);
+    } else {
+      await watchCallback(obj, type);
+    }
+  }, watchCfg);
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => {
+    logger_default.error(err, "Watch failed after 5 attempts, giving up");
+    process.exit(1);
+  });
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client5.WatchEvent.CONNECT, url));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, err.message));
+  watcher.events.on(
+    import_kubernetes_fluent_client5.WatchEvent.RECONNECT,
+    (err, retryCount) => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT, err ? `Reconnecting after ${retryCount} attempts` : "")
+  );
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.ABORT, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, err));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
+  try {
+    await watcher.start();
+  } catch (err) {
+    logger_default.error(err, "Error starting watch");
+    process.exit(1);
+  }
+}
+function logEvent(type, message = "", obj) {
+  const logMessage = `Watch event ${type} received${message ? `. ${message}.` : "."}`;
+  if (obj) {
+    logger_default.debug(obj, logMessage);
+  } else {
+    logger_default.debug(logMessage);
+  }
+}
+
+// src/lib/module.ts
+var isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
+var isBuildMode = () => process.env.PEPR_MODE === "build";
+var isDevMode = () => process.env.PEPR_MODE === "dev";
+var PeprModule = class {
+  #controller;
+  /**
+   * Create a new Pepr runtime
+   *
+   * @param config The configuration for the Pepr runtime
+   * @param capabilities The capabilities to be loaded into the Pepr runtime
+   * @param opts Options for the Pepr runtime
+   */
+  constructor({ description, pepr }, capabilities = [], opts = {}) {
+    const config = (0, import_ramda4.clone)(pepr);
+    config.description = description;
+    ValidateError(config.onError);
+    if (isBuildMode()) {
+      if (!process.send) {
+        throw new Error("process.send is not defined");
+      }
+      const exportedCapabilities = [];
+      for (const capability of capabilities) {
+        exportedCapabilities.push({
+          name: capability.name,
+          description: capability.description,
+          namespaces: capability.namespaces,
+          bindings: capability.bindings,
+          hasSchedule: capability.hasSchedule
+        });
+      }
+      process.send(exportedCapabilities);
+      return;
+    }
+    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
+      if (isWatchMode() || isDevMode()) {
+        try {
+          setupWatch(capabilities);
+        } catch (e) {
+          logger_default.error(e, "Error setting up watch");
+          process.exit(1);
+        }
+      }
+    });
+    if (opts.deferStart) {
+      return;
+    }
+    this.start();
+  }
+  /**
+   * Start the Pepr runtime manually.
+   * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
+   *
+   * @param port
+   */
+  start = (port = 3e3) => {
+    this.#controller.startServer(port);
+  };
+};
+
+// src/lib/storage.ts
+var import_ramda5 = require("ramda");
+var MAX_WAIT_TIME = 15e3;
+var Storage = class {
+  #store = {};
+  #send;
+  #subscribers = {};
+  #subscriberId = 0;
+  #readyHandlers = [];
+  registerSender = (send) => {
+    this.#send = send;
+  };
+  receive = (data) => {
+    logger_default.debug(data, `Pepr store data received`);
+    this.#store = data || {};
+    this.#onReady();
+    for (const idx in this.#subscribers) {
+      this.#subscribers[idx]((0, import_ramda5.clone)(this.#store));
+    }
+  };
+  getItem = (key) => {
+    return this.#store[key] || null;
+  };
+  clear = () => {
+    this.#dispatchUpdate("remove", Object.keys(this.#store));
+  };
+  removeItem = (key) => {
+    this.#dispatchUpdate("remove", [key]);
+  };
+  setItem = (key, value) => {
+    this.#dispatchUpdate("add", [key], value);
+  };
+  /**
+   * Creates a promise and subscribes to the store, the promise resolves when
+   * the key and value are seen in the store.
+   *
+   * @param key - The key to add into the store
+   * @param value - The value of the key
+   * @returns
+   */
+  setItemAndWait = (key, value) => {
+    this.#dispatchUpdate("add", [key], value);
+    return new Promise((resolve, reject) => {
+      const unsubscribe = this.subscribe((data) => {
+        if (data[key] === value) {
+          unsubscribe();
+          resolve();
+        }
+      });
+      setTimeout(() => {
+        unsubscribe();
+        return reject();
+      }, MAX_WAIT_TIME);
+    });
+  };
+  /**
+   * Creates a promise and subscribes to the store, the promise resolves when
+   * the key is removed from the store.
+   *
+   * @param key - The key to add into the store
+   * @returns
+   */
+  removeItemAndWait = (key) => {
+    this.#dispatchUpdate("remove", [key]);
+    return new Promise((resolve, reject) => {
+      const unsubscribe = this.subscribe((data) => {
+        if (!Object.hasOwn(data, key)) {
+          unsubscribe();
+          resolve();
+        }
+      });
+      setTimeout(() => {
+        unsubscribe();
+        return reject();
+      }, MAX_WAIT_TIME);
+    });
+  };
+  subscribe = (subscriber) => {
+    const idx = this.#subscriberId++;
+    this.#subscribers[idx] = subscriber;
+    return () => this.unsubscribe(idx);
+  };
+  onReady = (callback) => {
+    this.#readyHandlers.push(callback);
+  };
+  /**
+   * Remove a subscriber from the list of subscribers.
+   * @param idx - The index of the subscriber to remove.
+   */
+  unsubscribe = (idx) => {
+    delete this.#subscribers[idx];
+  };
+  #onReady = () => {
+    for (const handler of this.#readyHandlers) {
+      handler((0, import_ramda5.clone)(this.#store));
+    }
+    this.#onReady = () => {
+    };
+  };
+  /**
+   * Dispatch an update to the store and notify all subscribers.
+   * @param  op - The type of operation to perform.
+   * @param  keys - The keys to update.
+   * @param  [value] - The new value.
+   */
+  #dispatchUpdate = (op, keys, value) => {
+    this.#send(op, keys, value);
+  };
+};
+
+// src/lib/schedule.ts
+var OnSchedule = class {
+  intervalId = null;
+  store;
+  name;
+  completions;
+  every;
+  unit;
+  run;
+  startTime;
+  duration;
+  lastTimestamp;
+  constructor(schedule) {
+    this.name = schedule.name;
+    this.run = schedule.run;
+    this.every = schedule.every;
+    this.unit = schedule.unit;
+    this.startTime = schedule?.startTime;
+    this.completions = schedule?.completions;
+  }
+  setStore(store) {
+    this.store = store;
+    this.startInterval();
+  }
+  startInterval() {
+    this.checkStore();
+    this.getDuration();
+    this.setupInterval();
+  }
+  /**
+   * Checks the store for this schedule and sets the values if it exists
+   * @returns
+   */
+  checkStore() {
+    const result = this.store && this.store.getItem(this.name);
+    if (result) {
+      const storedSchedule = JSON.parse(result);
+      this.completions = storedSchedule?.completions;
+      this.startTime = storedSchedule?.startTime;
+      this.lastTimestamp = storedSchedule?.lastTimestamp;
+    }
+  }
+  /**
+   * Saves the schedule to the store
+   * @returns
+   */
+  saveToStore() {
+    const schedule = {
+      completions: this.completions,
+      startTime: this.startTime,
+      lastTimestamp: /* @__PURE__ */ new Date(),
+      name: this.name
+    };
+    this.store && this.store.setItem(this.name, JSON.stringify(schedule));
+  }
+  /**
+   * Gets the durations in milliseconds
+   */
+  getDuration() {
+    switch (this.unit) {
+      case "seconds":
+        if (this.every < 10)
+          throw new Error("10 Seconds in the smallest interval allowed");
+        this.duration = 1e3 * this.every;
+        break;
+      case "minutes":
+      case "minute":
+        this.duration = 1e3 * 60 * this.every;
+        break;
+      case "hours":
+      case "hour":
+        this.duration = 1e3 * 60 * 60 * this.every;
+        break;
+      default:
+        throw new Error("Invalid time unit");
+    }
+  }
+  /**
+   * Sets up the interval
+   */
+  setupInterval() {
+    const now = /* @__PURE__ */ new Date();
+    let delay;
+    if (this.lastTimestamp && this.startTime) {
+      this.startTime = void 0;
+    }
+    if (this.startTime) {
+      delay = this.startTime.getTime() - now.getTime();
+    } else if (this.lastTimestamp && this.duration) {
+      const lastTimestamp = new Date(this.lastTimestamp);
+      delay = this.duration - (now.getTime() - lastTimestamp.getTime());
+    }
+    if (delay === void 0 || delay <= 0) {
+      this.start();
+    } else {
+      setTimeout(() => {
+        this.start();
+      }, delay);
+    }
+  }
+  /**
+   * Starts the interval
+   */
+  start() {
+    this.intervalId = setInterval(() => {
+      if (this.completions === 0) {
+        this.stop();
+        return;
+      } else {
+        this.run();
+        if (this.completions && this.completions !== 0) {
+          this.completions -= 1;
+        }
+        this.saveToStore();
+      }
+    }, this.duration);
+  }
+  /**
+   * Stops the interval
+   */
+  stop() {
+    if (this.intervalId) {
+      clearInterval(this.intervalId);
+      this.intervalId = null;
+    }
+    this.store && this.store.removeItem(this.name);
+  }
+};
+
+// src/lib/capability.ts
+var registerAdmission = isBuildMode() || !isWatchMode();
+var registerWatch = isBuildMode() || isWatchMode() || isDevMode();
+var Capability = class {
+  #name;
+  #description;
+  #namespaces;
+  #bindings = [];
+  #store = new Storage();
+  #scheduleStore = new Storage();
+  #registered = false;
+  #scheduleRegistered = false;
+  hasSchedule;
+  /**
+   * Run code on a schedule with the capability.
+   *
+   * @param schedule The schedule to run the code on
+   * @returns
+   */
+  OnSchedule = (schedule) => {
+    const { name, every, unit, run, startTime, completions } = schedule;
+    this.hasSchedule = true;
+    if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") {
+      const newSchedule = {
+        name,
+        every,
+        unit,
+        run,
+        startTime,
+        completions
+      };
+      this.#scheduleStore.onReady(() => {
+        new OnSchedule(newSchedule).setStore(this.#scheduleStore);
+      });
+    }
+  };
+  /**
+   * Store is a key-value data store that can be used to persist data that should be shared
+   * between requests. Each capability has its own store, and the data is persisted in Kubernetes
+   * in the `pepr-system` namespace.
+   *
+   * Note: You should only access the store from within an action.
+   */
+  Store = {
+    clear: this.#store.clear,
+    getItem: this.#store.getItem,
+    removeItem: this.#store.removeItem,
+    removeItemAndWait: this.#store.removeItemAndWait,
+    setItem: this.#store.setItem,
+    subscribe: this.#store.subscribe,
+    onReady: this.#store.onReady,
+    setItemAndWait: this.#store.setItemAndWait
+  };
+  /**
+   * ScheduleStore is a key-value data store used to persist schedule data that should be shared
+   * between intervals. Each Schedule shares store, and the data is persisted in Kubernetes
+   * in the `pepr-system` namespace.
+   *
+   * Note: There is no direct access to schedule store
+   */
+  ScheduleStore = {
+    clear: this.#scheduleStore.clear,
+    getItem: this.#scheduleStore.getItem,
+    removeItemAndWait: this.#scheduleStore.removeItemAndWait,
+    removeItem: this.#scheduleStore.removeItem,
+    setItemAndWait: this.#scheduleStore.setItemAndWait,
+    setItem: this.#scheduleStore.setItem,
+    subscribe: this.#scheduleStore.subscribe,
+    onReady: this.#scheduleStore.onReady
+  };
+  get bindings() {
+    return this.#bindings;
+  }
+  get name() {
+    return this.#name;
+  }
+  get description() {
+    return this.#description;
+  }
+  get namespaces() {
+    return this.#namespaces || [];
+  }
+  constructor(cfg) {
+    this.#name = cfg.name;
+    this.#description = cfg.description;
+    this.#namespaces = cfg.namespaces;
+    this.hasSchedule = false;
+    logger_default.info(`Capability ${this.#name} registered`);
+    logger_default.debug(cfg);
+  }
+  /**
+   * Register the store with the capability. This is called automatically by the Pepr controller.
+   *
+   * @param store
+   */
+  registerScheduleStore = () => {
+    logger_default.info(`Registering schedule store for ${this.#name}`);
+    if (this.#scheduleRegistered) {
+      throw new Error(`Schedule store already registered for ${this.#name}`);
+    }
+    this.#scheduleRegistered = true;
+    return {
+      scheduleStore: this.#scheduleStore
+    };
+  };
+  /**
+   * Register the store with the capability. This is called automatically by the Pepr controller.
+   *
+   * @param store
+   */
+  registerStore = () => {
+    logger_default.info(`Registering store for ${this.#name}`);
+    if (this.#registered) {
+      throw new Error(`Store already registered for ${this.#name}`);
+    }
+    this.#registered = true;
+    return {
+      store: this.#store
+    };
+  };
+  /**
+   * The When method is used to register a action to be executed when a Kubernetes resource is
+   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
+   * filters that are applied.
+   *
+   * @param model the KubernetesObject model to match
+   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
+   * @returns
+   */
+  When = (model, kind4) => {
+    const matchedKind = (0, import_kubernetes_fluent_client6.modelToGroupVersionKind)(model.name);
+    if (!matchedKind && !kind4) {
+      throw new Error(`Kind not specified for ${model.name}`);
+    }
+    const binding = {
+      model,
+      // If the kind is not specified, use the matched kind from the model
+      kind: kind4 || matchedKind,
+      event: "*" /* Any */,
+      filters: {
+        name: "",
+        namespaces: [],
+        labels: {},
+        annotations: {}
+      }
+    };
+    const bindings = this.#bindings;
+    const prefix = `${this.#name}: ${model.name}`;
+    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch, Reconcile };
+    const isNotEmpty = (value) => Object.keys(value).length > 0;
+    const log = (message, cbString) => {
+      const filteredObj = (0, import_ramda6.pickBy)(isNotEmpty, binding.filters);
+      logger_default.info(`${message} configured for ${binding.event}`, prefix);
+      logger_default.info(filteredObj, prefix);
+      logger_default.debug(cbString, prefix);
+    };
+    function Validate(validateCallback) {
+      if (registerAdmission) {
+        log("Validate Action", validateCallback.toString());
+        bindings.push({
+          ...binding,
+          isValidate: true,
+          validateCallback
+        });
+      }
+      return { Watch, Reconcile };
+    }
+    function Mutate(mutateCallback) {
+      if (registerAdmission) {
+        log("Mutate Action", mutateCallback.toString());
+        bindings.push({
+          ...binding,
+          isMutate: true,
+          mutateCallback
+        });
+      }
+      return { Watch, Validate, Reconcile };
+    }
+    function Watch(watchCallback) {
+      if (registerWatch) {
+        log("Watch Action", watchCallback.toString());
+        bindings.push({
+          ...binding,
+          isWatch: true,
+          watchCallback
+        });
+      }
+    }
+    function Reconcile(watchCallback) {
+      if (registerWatch) {
+        log("Reconcile Action", watchCallback.toString());
+        bindings.push({
+          ...binding,
+          isWatch: true,
+          isQueue: true,
+          watchCallback
+        });
+      }
+    }
+    function InNamespace(...namespaces) {
+      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
+      binding.filters.namespaces.push(...namespaces);
+      return { ...commonChain, WithName };
+    }
+    function WithName(name) {
+      logger_default.debug(`Add name filter ${name}`, prefix);
+      binding.filters.name = name;
+      return commonChain;
+    }
+    function WithLabel(key, value = "") {
+      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
+      binding.filters.labels[key] = value;
+      return commonChain;
+    }
+    function WithAnnotation(key, value = "") {
+      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
+      binding.filters.annotations[key] = value;
+      return commonChain;
+    }
+    function bindEvent(event) {
+      binding.event = event;
+      return {
+        ...commonChain,
+        InNamespace,
+        WithName
+      };
+    }
+    return {
+      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
+      IsCreated: () => bindEvent("CREATE" /* Create */),
+      IsUpdated: () => bindEvent("UPDATE" /* Update */),
+      IsDeleted: () => bindEvent("DELETE" /* Delete */)
+    };
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  Capability,
+  K8s,
+  Log,
+  PeprModule,
+  PeprMutateRequest,
+  PeprUtils,
+  PeprValidateRequest,
+  R,
+  RegisterKind,
+  a,
+  fetch,
+  fetchStatus,
+  kind,
+  sdk
+});
+//# sourceMappingURL=lib.js.map