pepr 0.35.0 → 0.37.0

package/dist/lib.js

@@ -31,27 +31,27 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var lib_exports = {};
 __export(lib_exports, {
   Capability: () => Capability,
-  K8s: () => import_kubernetes_fluent_client7.K8s,
+  K8s: () => import_kubernetes_fluent_client8.K8s,
   Log: () => logger_default,
   PeprModule: () => PeprModule,
   PeprMutateRequest: () => PeprMutateRequest,
   PeprUtils: () => utils_exports,
   PeprValidateRequest: () => PeprValidateRequest,
   R: () => R,
-  RegisterKind: () => import_kubernetes_fluent_client7.RegisterKind,
-  a: () => import_kubernetes_fluent_client7.kind,
-  fetch: () => import_kubernetes_fluent_client7.fetch,
-  fetchStatus: () => import_kubernetes_fluent_client7.fetchStatus,
-  kind: () => import_kubernetes_fluent_client7.kind,
+  RegisterKind: () => import_kubernetes_fluent_client8.RegisterKind,
+  a: () => import_kubernetes_fluent_client8.kind,
+  fetch: () => import_kubernetes_fluent_client8.fetch,
+  fetchStatus: () => import_kubernetes_fluent_client8.fetchStatus,
+  kind: () => import_kubernetes_fluent_client8.kind,
   sdk: () => sdk_exports
 });
 module.exports = __toCommonJS(lib_exports);
-var import_kubernetes_fluent_client7 = require("kubernetes-fluent-client");
+var import_kubernetes_fluent_client8 = require("kubernetes-fluent-client");
 var R = __toESM(require("ramda"));
 
 // src/lib/capability.ts
-var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
-var import_ramda6 = require("ramda");
+var import_kubernetes_fluent_client7 = require("kubernetes-fluent-client");
+var import_ramda7 = require("ramda");
 
 // src/lib/logger.ts
 var import_pino = require("pino");
@@ -74,7 +74,7 @@ if (process.env.LOG_LEVEL) {
 var logger_default = Log;
 
 // src/lib/module.ts
-var import_ramda4 = require("ramda");
+var import_ramda5 = require("ramda");
 
 // src/lib/controller/index.ts
 var import_express = __toESM(require("express"));
@@ -224,84 +224,151 @@ function ValidateError(error = "") {
   }
 }
 
-// src/lib/k8s.ts
-var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
-var PeprStore = class extends import_kubernetes_fluent_client.GenericKind {
-};
-var peprStoreGVK = {
-  kind: "PeprStore",
-  version: "v1",
-  group: "pepr.dev"
-};
-(0, import_kubernetes_fluent_client.RegisterKind)(PeprStore, peprStoreGVK);
+// src/lib/adjudicators.ts
+var import_ramda = require("ramda");
+var declaredOperation = (0, import_ramda.pipe)((request) => request?.operation, (0, import_ramda.defaultTo)(""));
+var declaredGroup = (0, import_ramda.pipe)((request) => request?.kind?.group, (0, import_ramda.defaultTo)(""));
+var declaredVersion = (0, import_ramda.pipe)((request) => request?.kind?.version, (0, import_ramda.defaultTo)(""));
+var declaredKind = (0, import_ramda.pipe)((request) => request?.kind?.kind, (0, import_ramda.defaultTo)(""));
+var declaredUid = (0, import_ramda.pipe)((request) => request?.uid, (0, import_ramda.defaultTo)(""));
+var carriesDeletionTimestamp = (0, import_ramda.pipe)((obj) => !!obj.metadata?.deletionTimestamp, (0, import_ramda.defaultTo)(false));
+var missingDeletionTimestamp = (0, import_ramda.complement)(carriesDeletionTimestamp);
+var carriedName = (0, import_ramda.pipe)((obj) => obj?.metadata?.name, (0, import_ramda.defaultTo)(""));
+var carriesName = (0, import_ramda.pipe)(carriedName, (0, import_ramda.equals)(""), import_ramda.not);
+var missingName = (0, import_ramda.complement)(carriesName);
+var carriedNamespace = (0, import_ramda.pipe)((obj) => obj?.metadata?.namespace, (0, import_ramda.defaultTo)(""));
+var carriesNamespace = (0, import_ramda.pipe)(carriedNamespace, (0, import_ramda.equals)(""), import_ramda.not);
+var carriedAnnotations = (0, import_ramda.pipe)((obj) => obj?.metadata?.annotations, (0, import_ramda.defaultTo)({}));
+var carriesAnnotations = (0, import_ramda.pipe)(carriedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
+var carriedLabels = (0, import_ramda.pipe)((obj) => obj?.metadata?.labels, (0, import_ramda.defaultTo)({}));
+var carriesLabels = (0, import_ramda.pipe)(carriedLabels, (0, import_ramda.equals)({}), import_ramda.not);
+var definesDeletionTimestamp = (0, import_ramda.pipe)((binding) => binding?.filters?.deletionTimestamp, (0, import_ramda.defaultTo)(false));
+var ignoresDeletionTimestamp = (0, import_ramda.complement)(definesDeletionTimestamp);
+var definedName = (0, import_ramda.pipe)((binding) => binding?.filters?.name, (0, import_ramda.defaultTo)(""));
+var definesName = (0, import_ramda.pipe)(definedName, (0, import_ramda.equals)(""), import_ramda.not);
+var ignoresName = (0, import_ramda.complement)(definesName);
+var definedNameRegex = (0, import_ramda.pipe)((binding) => binding?.filters?.regexName, (0, import_ramda.defaultTo)(""));
+var definesNameRegex = (0, import_ramda.pipe)(definedNameRegex, (0, import_ramda.equals)(""), import_ramda.not);
+var definedNamespaces = (0, import_ramda.pipe)((binding) => binding?.filters?.namespaces, (0, import_ramda.defaultTo)([]));
+var definesNamespaces = (0, import_ramda.pipe)(definedNamespaces, (0, import_ramda.equals)([]), import_ramda.not);
+var definedNamespaceRegexes = (0, import_ramda.pipe)((binding) => binding?.filters?.regexNamespaces, (0, import_ramda.defaultTo)([]));
+var definesNamespaceRegexes = (0, import_ramda.pipe)(definedNamespaceRegexes, (0, import_ramda.equals)([]), import_ramda.not);
+var definedAnnotations = (0, import_ramda.pipe)((binding) => binding?.filters?.annotations, (0, import_ramda.defaultTo)({}));
+var definesAnnotations = (0, import_ramda.pipe)(definedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
+var definedLabels = (0, import_ramda.pipe)((binding) => binding?.filters?.labels, (0, import_ramda.defaultTo)({}));
+var definesLabels = (0, import_ramda.pipe)(definedLabels, (0, import_ramda.equals)({}), import_ramda.not);
+var definedEvent = (0, import_ramda.pipe)((binding) => binding?.event, (0, import_ramda.defaultTo)(""));
+var definesDelete = (0, import_ramda.pipe)(definedEvent, (0, import_ramda.equals)("DELETE" /* DELETE */));
+var definedGroup = (0, import_ramda.pipe)((binding) => binding?.kind?.group, (0, import_ramda.defaultTo)(""));
+var definesGroup = (0, import_ramda.pipe)(definedGroup, (0, import_ramda.equals)(""), import_ramda.not);
+var definedVersion = (0, import_ramda.pipe)((binding) => binding?.kind?.version, (0, import_ramda.defaultTo)(""));
+var definesVersion = (0, import_ramda.pipe)(definedVersion, (0, import_ramda.equals)(""), import_ramda.not);
+var definedKind = (0, import_ramda.pipe)((binding) => binding?.kind?.kind, (0, import_ramda.defaultTo)(""));
+var definesKind = (0, import_ramda.pipe)(definedKind, (0, import_ramda.equals)(""), import_ramda.not);
+var definedCategory = (0, import_ramda.pipe)((binding) => {
+  return binding.isFinalize ? "Finalize" : binding.isWatch ? "Watch" : binding.isMutate ? "Mutate" : binding.isValidate ? "Validate" : "";
+});
+var definedCallback = (0, import_ramda.pipe)((binding) => {
+  return binding.isFinalize ? binding.finalizeCallback : binding.isWatch ? binding.watchCallback : binding.isMutate ? binding.mutateCallback : binding.isValidate ? binding.validateCallback : null;
+});
+var definedCallbackName = (0, import_ramda.pipe)(definedCallback, (0, import_ramda.defaultTo)({ name: "" }), (cb) => cb.name);
+var mismatchedDeletionTimestamp = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesDeletionTimestamp),
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), missingDeletionTimestamp)
+]);
+var mismatchedName = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesName),
+  (0, import_ramda.pipe)((bnd, obj) => definedName(bnd) !== carriedName(obj))
+]);
+var mismatchedNameRegex = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNameRegex),
+  (0, import_ramda.pipe)((bnd, obj) => new RegExp(definedNameRegex(bnd)).test(carriedName(obj)), import_ramda.not)
+]);
+var bindsToKind = (0, import_ramda.curry)(
+  (0, import_ramda.allPass)([(0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definedKind, (0, import_ramda.equals)(""), import_ramda.not), (0, import_ramda.pipe)((bnd, knd) => definedKind(bnd) === knd)])
+);
+var bindsToNamespace = (0, import_ramda.curry)((0, import_ramda.pipe)(bindsToKind(import_ramda.__, "Namespace")));
+var misboundNamespace = (0, import_ramda.allPass)([bindsToNamespace, definesNamespaces]);
+var mismatchedNamespace = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNamespaces),
+  (0, import_ramda.pipe)((bnd, obj) => definedNamespaces(bnd).includes(carriedNamespace(obj)), import_ramda.not)
+]);
+var mismatchedNamespaceRegex = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNamespaceRegexes),
+  (0, import_ramda.pipe)(
+    (bnd, obj) => (0, import_ramda.pipe)(
+      (0, import_ramda.any)((rex) => new RegExp(rex).test(carriedNamespace(obj))),
+      import_ramda.not
+    )(definedNamespaceRegexes(bnd))
+  )
+]);
+var metasMismatch = (0, import_ramda.pipe)(
+  (defined, carried) => {
+    const result = { defined, carried, unalike: {} };
+    result.unalike = Object.entries(result.defined).map(([key, val]) => {
+      const keyMissing = !Object.hasOwn(result.carried, key);
+      const noValue = !val;
+      const valMissing = !result.carried[key];
+      return keyMissing ? { [key]: val } : noValue ? {} : valMissing ? { [key]: val } : {};
+    }).reduce((acc, cur) => ({ ...acc, ...cur }), {});
+    return result.unalike;
+  },
+  (unalike) => Object.keys(unalike).length > 0
+);
+var mismatchedAnnotations = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesAnnotations),
+  (0, import_ramda.pipe)((bnd, obj) => metasMismatch(definedAnnotations(bnd), carriedAnnotations(obj)))
+]);
+var mismatchedLabels = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesLabels),
+  (0, import_ramda.pipe)((bnd, obj) => metasMismatch(definedLabels(bnd), carriedLabels(obj)))
+]);
+var uncarryableNamespace = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), carriesNamespace),
+  (0, import_ramda.pipe)((nss, obj) => nss.includes(carriedNamespace(obj)), import_ramda.not)
+]);
+var carriesIgnoredNamespace = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), carriesNamespace),
+  (0, import_ramda.pipe)((nss, obj) => nss.includes(carriedNamespace(obj)))
+]);
+var unbindableNamespaces = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), definesNamespaces),
+  (0, import_ramda.pipe)((nss, bnd) => (0, import_ramda.difference)(definedNamespaces(bnd), nss), import_ramda.length, (0, import_ramda.equals)(0), import_ramda.not)
+]);
+var misboundDeleteWithDeletionTimestamp = (0, import_ramda.allPass)([definesDelete, definesDeletionTimestamp]);
+var operationMatchesEvent = (0, import_ramda.anyPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), (0, import_ramda.equals)("*" /* Any */)),
+  (0, import_ramda.pipe)((op, evt) => op === evt),
+  (0, import_ramda.pipe)((op, evt) => op ? evt.includes(op) : false)
+]);
+var mismatchedEvent = (0, import_ramda.pipe)(
+  (binding, request) => operationMatchesEvent(declaredOperation(request), definedEvent(binding)),
+  import_ramda.not
+);
+var mismatchedGroup = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesGroup),
+  (0, import_ramda.pipe)((binding, request) => definedGroup(binding) !== declaredGroup(request))
+]);
+var mismatchedVersion = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesVersion),
+  (0, import_ramda.pipe)((binding, request) => definedVersion(binding) !== declaredVersion(request))
+]);
+var mismatchedKind = (0, import_ramda.allPass)([
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesKind),
+  (0, import_ramda.pipe)((binding, request) => definedKind(binding) !== declaredKind(request))
+]);
 
 // src/lib/filter.ts
-function shouldSkipRequest(binding, req, capabilityNamespaces) {
-  const { group, kind: kind4, version } = binding.kind || {};
-  const { namespaces, labels, annotations, name } = binding.filters || {};
-  const operation = req.operation.toUpperCase();
-  const uid = req.uid;
-  const srcObject = operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
-  const { metadata } = srcObject || {};
-  const combinedNamespaces = [...namespaces, ...capabilityNamespaces];
-  if (!binding.event.includes(operation) && !binding.event.includes("*" /* Any */)) {
-    return true;
-  }
-  if (name && name !== req.name) {
-    return true;
-  }
-  if (kind4 !== req.kind.kind) {
-    return true;
-  }
-  if (group && group !== req.kind.group) {
-    return true;
-  }
-  if (version && version !== req.kind.version) {
-    return true;
-  }
-  if (combinedNamespaces.length && !combinedNamespaces.includes(req.namespace || "") || !namespaces.includes(req.namespace || "") && capabilityNamespaces.length !== 0 && namespaces.length !== 0) {
-    let type = "";
-    let label = "";
-    if (binding.isMutate) {
-      type = "Mutate";
-      label = binding.mutateCallback.name;
-    } else if (binding.isValidate) {
-      type = "Validate";
-      label = binding.validateCallback.name;
-    } else if (binding.isWatch) {
-      type = "Watch";
-      label = binding.watchCallback.name;
-    }
-    logger_default.debug({ uid }, `${type} binding (${label}) does not match request namespace "${req.namespace}"`);
-    return true;
-  }
-  for (const [key, value] of Object.entries(labels)) {
-    const testKey = metadata?.labels?.[key];
-    if (!testKey) {
-      logger_default.debug({ uid }, `Label ${key} does not exist`);
-      return true;
-    }
-    if (value && testKey !== value) {
-      logger_default.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-  for (const [key, value] of Object.entries(annotations)) {
-    const testKey = metadata?.annotations?.[key];
-    if (!testKey) {
-      logger_default.debug({ uid }, `Annotation ${key} does not exist`);
-      return true;
-    }
-    if (value && testKey !== value) {
-      logger_default.debug({ uid }, `${testKey} does not match ${value}`);
-      return true;
-    }
-  }
-  return false;
+function shouldSkipRequest(binding, req, capabilityNamespaces, ignoredNamespaces) {
+  const obj = req.operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
+  return misboundDeleteWithDeletionTimestamp(binding) ? true : mismatchedDeletionTimestamp(binding, obj) ? true : mismatchedEvent(binding, req) ? true : mismatchedName(binding, obj) ? true : mismatchedGroup(binding, req) ? true : mismatchedVersion(binding, req) ? true : mismatchedKind(binding, req) ? true : unbindableNamespaces(capabilityNamespaces, binding) ? true : uncarryableNamespace(capabilityNamespaces, obj) ? true : mismatchedNamespace(binding, obj) ? true : mismatchedLabels(binding, obj) ? true : mismatchedAnnotations(binding, obj) ? true : mismatchedNamespaceRegex(binding, obj) ? true : mismatchedNameRegex(binding, obj) ? true : carriesIgnoredNamespace(ignoredNamespaces, obj) ? true : false;
 }
 
 // src/lib/mutate-request.ts
-var import_ramda = require("ramda");
+var import_ramda2 = require("ramda");
 var PeprMutateRequest = class {
   Raw;
   #input;
@@ -336,9 +403,9 @@ var PeprMutateRequest = class {
   constructor(input) {
     this.#input = input;
     if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda.clone)(input.oldObject);
+      this.Raw = (0, import_ramda2.clone)(input.oldObject);
     } else {
-      this.Raw = (0, import_ramda.clone)(input.object);
+      this.Raw = (0, import_ramda2.clone)(input.object);
     }
     if (!this.Raw) {
       throw new Error("unable to load the request object into PeprRequest.RawP");
@@ -350,7 +417,7 @@ var PeprMutateRequest = class {
    * @param obj - The object to merge with the current resource.
    */
   Merge = (obj) => {
-    this.Raw = (0, import_ramda.mergeDeepRight)(this.Raw, obj);
+    this.Raw = (0, import_ramda2.mergeDeepRight)(this.Raw, obj);
   };
   /**
    * Updates a label on the Kubernetes resource.
@@ -483,7 +550,7 @@ async function mutateProcessor(config, capabilities, req, reqMetadata) {
       if (!action.mutateCallback) {
         continue;
       }
-      if (shouldSkipRequest(action, req, namespaces)) {
+      if (shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces)) {
         continue;
       }
       const label = action.mutateCallback.name;
@@ -556,7 +623,7 @@ async function mutateProcessor(config, capabilities, req, reqMetadata) {
 }
 
 // src/lib/validate-request.ts
-var import_ramda2 = require("ramda");
+var import_ramda3 = require("ramda");
 var PeprValidateRequest = class {
   Raw;
   #input;
@@ -581,9 +648,9 @@ var PeprValidateRequest = class {
   constructor(input) {
     this.#input = input;
     if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda2.clone)(input.oldObject);
+      this.Raw = (0, import_ramda3.clone)(input.oldObject);
     } else {
-      this.Raw = (0, import_ramda2.clone)(input.object);
+      this.Raw = (0, import_ramda3.clone)(input.object);
     }
     if (!this.Raw) {
       throw new Error("unable to load the request object into PeprRequest.Raw");
@@ -634,7 +701,7 @@ var PeprValidateRequest = class {
 };
 
 // src/lib/validate-processor.ts
-async function validateProcessor(capabilities, req, reqMetadata) {
+async function validateProcessor(config, capabilities, req, reqMetadata) {
   const wrapped = new PeprValidateRequest(req);
   const response = [];
   const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
@@ -653,7 +720,7 @@ async function validateProcessor(capabilities, req, reqMetadata) {
         allowed: true
         // Assume it's allowed until a validation check fails
       };
-      if (shouldSkipRequest(action, req, namespaces)) {
+      if (shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces)) {
         continue;
       }
       const label = action.validateCallback.name;
@@ -685,7 +752,21 @@ async function validateProcessor(capabilities, req, reqMetadata) {
 
 // src/lib/controller/store.ts
 var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
-var import_ramda3 = require("ramda");
+var import_ramda4 = require("ramda");
+
+// src/lib/k8s.ts
+var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
+var PeprStore = class extends import_kubernetes_fluent_client.GenericKind {
+};
+var peprStoreGVK = {
+  kind: "PeprStore",
+  version: "v1",
+  group: "pepr.dev"
+};
+(0, import_kubernetes_fluent_client.RegisterKind)(PeprStore, peprStoreGVK);
+
+// src/lib/controller/store.ts
+var redactedValue = "**redacted**";
 var namespace = "pepr-system";
 var debounceBackoff = 5e3;
 var PeprControllerStore = class {
@@ -722,7 +803,7 @@ var PeprControllerStore = class {
     watcher.start().catch((e) => logger_default.error(e, "Error starting Pepr store watch"));
   };
   #migrateAndSetupWatch = async (store) => {
-    logger_default.debug(store, "Pepr Store migration");
+    logger_default.debug(redactedStore(store), "Pepr Store migration");
     const data = store.data || {};
     const migrateCache = {};
     const flushCache = async () => {
@@ -732,7 +813,9 @@ var PeprControllerStore = class {
         delete migrateCache[idx];
       }
       try {
-        await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
+        if (payload.length > 0) {
+          await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
+        }
       } catch (err) {
         logger_default.error(err, "Pepr store update failure");
         if (err.status === 422) {
@@ -768,7 +851,7 @@ var PeprControllerStore = class {
     for (const name of Object.keys(this.#stores)) {
       const offset = `${name}-`.length;
       for (const key of Object.keys(data)) {
-        if ((0, import_ramda3.startsWith)(name, key) && !(0, import_ramda3.startsWith)(`${name}-v2`, key)) {
+        if ((0, import_ramda4.startsWith)(name, key) && !(0, import_ramda4.startsWith)(`${name}-v2`, key)) {
           fillCache(name, "remove", [key.slice(offset)], data[key]);
           fillCache(name, "add", [key.slice(offset)], data[key]);
         }
@@ -778,14 +861,14 @@ var PeprControllerStore = class {
     this.#setupWatch();
   };
   #receive = (store) => {
-    logger_default.debug(store, "Pepr Store update");
+    logger_default.debug(redactedStore(store), "Pepr Store update");
     const debounced = () => {
       const data = store.data || {};
       for (const name of Object.keys(this.#stores)) {
         const offset = `${name}-`.length;
         const filtered = {};
         for (const key of Object.keys(data)) {
-          if ((0, import_ramda3.startsWith)(name, key)) {
+          if ((0, import_ramda4.startsWith)(name, key)) {
             filtered[key.slice(offset)] = data[key];
           }
         }
@@ -829,7 +912,9 @@ var PeprControllerStore = class {
         delete sendCache[idx];
       }
       try {
-        await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
+        if (payload.length > 0) {
+          await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
+        }
       } catch (err) {
         logger_default.error(err, "Pepr store update failure");
         if (err.status === 422) {
@@ -846,7 +931,7 @@ var PeprControllerStore = class {
     };
     setInterval(() => {
       if (Object.keys(sendCache).length > 0) {
-        logger_default.debug(sendCache, "Sending updates to Pepr store");
+        logger_default.debug(redactedPatch(sendCache), "Sending updates to Pepr store");
         void flushCache();
       }
     }, debounceBackoff);
@@ -872,8 +957,38 @@ var PeprControllerStore = class {
     }
   };
 };
+function redactedStore(store) {
+  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
+  return {
+    ...store,
+    data: Object.keys(store.data).reduce((acc, key) => {
+      acc[key] = redacted ? redactedValue : store.data[key];
+      return acc;
+    }, {})
+  };
+}
+function redactedPatch(patch = {}) {
+  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
+  if (!redacted) {
+    return patch;
+  }
+  const redactedCache = {};
+  Object.keys(patch).forEach((key) => {
+    const operation = patch[key];
+    const redactedKey = key.includes(":") ? key.substring(0, key.lastIndexOf(":")) + ":**redacted**" : key;
+    const redactedOperation = {
+      ...operation,
+      ..."value" in operation ? { value: "**redacted**" } : {}
+    };
+    redactedCache[redactedKey] = redactedOperation;
+  });
+  return redactedCache;
+}
 
 // src/lib/controller/index.ts
+if (!process.env.PEPR_NODE_WARNINGS) {
+  process.removeAllListeners("warning");
+}
 var Controller = class _Controller {
   // Track whether the server is running
   #running = false;
@@ -933,7 +1048,7 @@ var Controller = class _Controller {
     });
     server.on("error", (e) => {
       if (e.code === "EADDRINUSE") {
-        logger_default.warn(
+        logger_default.info(
           `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
         );
         setTimeout(() => {
@@ -972,7 +1087,7 @@ var Controller = class _Controller {
     const { token } = req.params;
     if (token !== this.#token) {
       const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
-      logger_default.warn(err);
+      logger_default.info(err);
       res.status(401).send(err);
       this.#metricsCollector.alert();
       return;
@@ -1019,7 +1134,7 @@ var Controller = class _Controller {
         if (admissionKind === "Mutate") {
           response = await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata);
         } else {
-          response = await validateProcessor(this.#capabilities, request, reqMetadata);
+          response = await validateProcessor(this.#config, this.#capabilities, request, reqMetadata);
         }
         const responseList = Array.isArray(response) ? response : [response];
         responseList.map((res2) => {
@@ -1080,7 +1195,7 @@ var Controller = class _Controller {
         status: res.statusCode,
         duration: `${elapsedTime} ms`
       };
-      res.statusCode >= 300 ? logger_default.warn(message) : logger_default.info(message);
+      logger_default.info(message);
     });
     next();
   }
@@ -1101,8 +1216,8 @@ var Controller = class _Controller {
 };
 
 // src/lib/watch-processor.ts
-var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
-var import_types2 = require("kubernetes-fluent-client/dist/fluent/types");
+var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
+var import_types6 = require("kubernetes-fluent-client/dist/fluent/types");
 
 // src/lib/helpers.ts
 var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
@@ -1154,14 +1269,17 @@ async function writeEvent(cr, event, eventType, eventReason, reportingComponent,
     reportingInstance
   });
 }
-function getOwnerRefFrom(cr) {
-  const { name, uid } = cr.metadata;
+function getOwnerRefFrom(customResource, blockOwnerDeletion, controller) {
+  const { apiVersion, kind: kind4, metadata } = customResource;
+  const { name, uid } = metadata;
   return [
     {
-      apiVersion: cr.apiVersion,
-      kind: cr.kind,
+      apiVersion,
+      kind: kind4,
       uid,
-      name
+      name,
+      ...blockOwnerDeletion !== void 0 && { blockOwnerDeletion },
+      ...controller !== void 0 && { controller }
     }
   ];
 }
@@ -1170,80 +1288,97 @@ function sanitizeResourceName(name) {
 }
 
 // src/lib/helpers.ts
-function checkOverlap(bindingFilters, objectFilters) {
-  if (Object.keys(bindingFilters).length === 0) {
-    return true;
-  }
-  let matchCount = 0;
-  for (const key in bindingFilters) {
-    if (Object.prototype.hasOwnProperty.call(objectFilters, key)) {
-      const val1 = bindingFilters[key];
-      const val2 = objectFilters[key];
-      if (val1 === "" && key in objectFilters) {
-        matchCount++;
-      } else if (val1 !== "" && val1 === val2) {
-        matchCount++;
-      }
-    }
-  }
-  return matchCount === Object.keys(bindingFilters).length;
+function filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces) {
+  const prefix = "Ignoring Watch Callback:";
+  return mismatchedDeletionTimestamp(binding, obj) ? `${prefix} Binding defines deletionTimestamp but Object does not carry it.` : mismatchedName(binding, obj) ? `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` : misboundNamespace(binding) ? `${prefix} Cannot use namespace filter on a namespace object.` : mismatchedLabels(binding, obj) ? `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.` : mismatchedAnnotations(binding, obj) ? `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.` : uncarryableNamespace(capabilityNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : unbindableNamespaces(capabilityNamespaces, binding) ? `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : mismatchedNamespace(binding, obj) ? `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedNamespaceRegex(binding, obj) ? `${prefix} Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedNameRegex(binding, obj) ? `${prefix} Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.` : carriesIgnoredNamespace(ignoredNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : "";
 }
-function filterNoMatchReason(binding, obj, capabilityNamespaces) {
-  if (binding.kind && binding.kind.kind === "Namespace" && binding.filters && binding.filters.namespaces.length !== 0) {
-    return `Ignoring Watch Callback: Cannot use a namespace filter in a namespace object.`;
-  }
-  if (typeof obj === "object" && obj !== null && "metadata" in obj && obj.metadata !== void 0 && binding.filters) {
-    if (obj.metadata.labels && !checkOverlap(binding.filters.labels, obj.metadata.labels)) {
-      return `Ignoring Watch Callback: No overlap between binding and object labels. Binding labels ${JSON.stringify(
-        binding.filters.labels
-      )}, Object Labels ${JSON.stringify(obj.metadata.labels)}.`;
-    }
-    if (obj.metadata.annotations && !checkOverlap(binding.filters.annotations, obj.metadata.annotations)) {
-      return `Ignoring Watch Callback: No overlap between binding and object annotations. Binding annotations ${JSON.stringify(
-        binding.filters.annotations
-      )}, Object annotations ${JSON.stringify(obj.metadata.annotations)}.`;
-    }
+
+// src/lib/finalizer.ts
+var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
+function addFinalizer(request) {
+  if (request.Request.operation === "DELETE" /* DELETE */) {
+    return;
   }
-  if (Array.isArray(capabilityNamespaces) && capabilityNamespaces.length > 0 && obj.metadata && obj.metadata.namespace && !capabilityNamespaces.includes(obj.metadata.namespace)) {
-    return `Ignoring Watch Callback: Object is not in the capability namespace. Capability namespaces: ${capabilityNamespaces.join(
-      ", "
-    )}, Object namespace: ${obj.metadata.namespace}.`;
+  if (request.Request.operation === "UPDATE" /* UPDATE */ && request.Raw.metadata?.deletionTimestamp) {
+    return;
   }
-  if (Array.isArray(capabilityNamespaces) && capabilityNamespaces.length > 0 && binding.filters && Array.isArray(binding.filters.namespaces) && binding.filters.namespaces.length > 0 && !binding.filters.namespaces.every((ns) => capabilityNamespaces.includes(ns))) {
-    return `Ignoring Watch Callback: Binding namespace is not part of capability namespaces. Capability namespaces: ${capabilityNamespaces.join(
-      ", "
-    )}, Binding namespaces: ${binding.filters.namespaces.join(", ")}.`;
+  const peprFinal = "pepr.dev/finalizer";
+  const finalizers = request.Raw.metadata?.finalizers || [];
+  if (!finalizers.includes(peprFinal)) {
+    finalizers.push(peprFinal);
   }
-  if (binding.filters && Array.isArray(binding.filters.namespaces) && binding.filters.namespaces.length > 0 && obj.metadata && obj.metadata.namespace && !binding.filters.namespaces.includes(obj.metadata.namespace)) {
-    return `Ignoring Watch Callback: Binding namespace and object namespace are not the same. Binding namespaces: ${binding.filters.namespaces.join(
-      ", "
-    )}, Object namespace: ${obj.metadata.namespace}.`;
+  request.Merge({ metadata: { finalizers } });
+}
+async function removeFinalizer(binding, obj) {
+  const peprFinal = "pepr.dev/finalizer";
+  const meta = obj.metadata;
+  const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
+  logger_default.debug({ obj }, `Removing finalizer '${peprFinal}' from '${resource}'`);
+  const { model, kind: kind4 } = binding;
+  try {
+    (0, import_kubernetes_fluent_client5.RegisterKind)(model, kind4);
+  } catch (e) {
+    const expected = e.message === `GVK ${model.name} already registered`;
+    if (!expected) {
+      logger_default.error({ model, kind: kind4, error: e }, `Error registering "${kind4}" during finalization.`);
+      return;
+    }
   }
-  return "";
+  const finalizers = meta.finalizers?.filter((f) => f !== peprFinal) || [];
+  obj = await (0, import_kubernetes_fluent_client5.K8s)(model, meta).Patch([
+    {
+      op: "replace",
+      path: `/metadata/finalizers`,
+      value: finalizers
+    }
+  ]);
+  logger_default.debug({ obj }, `Removed finalizer '${peprFinal}' from '${resource}'`);
 }
 
 // src/lib/queue.ts
+var import_node_crypto = require("node:crypto");
 var Queue = class {
+  #name;
+  #uid;
   #queue = [];
   #pendingPromise = false;
-  #reconcile;
-  constructor() {
-    this.#reconcile = async () => await new Promise((resolve) => resolve());
+  constructor(name) {
+    this.#name = name;
+    this.#uid = `${Date.now()}-${(0, import_node_crypto.randomBytes)(2).toString("hex")}`;
   }
-  setReconcile(reconcile) {
-    this.#reconcile = reconcile;
+  label() {
+    return { name: this.#name, uid: this.#uid };
+  }
+  stats() {
+    return {
+      queue: this.label(),
+      stats: {
+        length: this.#queue.length
+      }
+    };
   }
   /**
    * Enqueue adds an item to the queue and returns a promise that resolves when the item is
    * reconciled.
    *
    * @param item The object to reconcile
+   * @param type The watch phase requested for reconcile
+   * @param reconcile The callback to enqueue for reconcile
    * @returns A promise that resolves when the object is reconciled
    */
-  enqueue(item, type) {
-    logger_default.debug(`Enqueueing ${item.metadata.namespace}/${item.metadata.name}`);
+  enqueue(item, phase, reconcile) {
+    const note = {
+      queue: this.label(),
+      item: {
+        name: item.metadata?.name,
+        namespace: item.metadata?.namespace,
+        resourceVersion: item.metadata?.resourceVersion
+      }
+    };
+    logger_default.debug(note, "Enqueueing");
     return new Promise((resolve, reject) => {
-      this.#queue.push({ item, type, resolve, reject });
+      this.#queue.push({ item, phase, callback: reconcile, resolve, reject });
+      logger_default.debug(this.stats(), "Queue stats - push");
       return this.#dequeue();
     });
   }
@@ -1264,15 +1399,23 @@ var Queue = class {
     }
     try {
       this.#pendingPromise = true;
-      if (this.#reconcile) {
-        logger_default.debug(`Reconciling ${element.item.metadata.name}`);
-        await this.#reconcile(element.item, element.type);
-      }
+      const note = {
+        queue: this.label(),
+        item: {
+          name: element.item.metadata?.name,
+          namespace: element.item.metadata?.namespace,
+          resourceVersion: element.item.metadata?.resourceVersion
+        }
+      };
+      logger_default.debug(note, "Reconciling");
+      await element.callback(element.item, element.phase);
+      logger_default.debug(note, "Reconciled");
       element.resolve();
     } catch (e) {
       logger_default.debug(`Error reconciling ${element.item.metadata.name}`, { error: e });
       element.reject(e);
     } finally {
+      logger_default.debug(this.stats(), "Queue stats - shift");
       logger_default.debug("Resetting pending promise and dequeuing");
       this.#pendingPromise = false;
       await this.#dequeue();
@@ -1281,16 +1424,29 @@ var Queue = class {
 };
 
 // src/lib/watch-processor.ts
-var queueRecord = {};
-function queueRecordKey(obj) {
-  const options = ["singular", "sharded"];
-  const d3fault = "singular";
+var queues = {};
+function queueKey(obj) {
+  const options = ["kind", "kindNs", "kindNsName", "global"];
+  const d3fault = "kind";
   let strat = process.env.PEPR_RECONCILE_STRATEGY || d3fault;
   strat = options.includes(strat) ? strat : d3fault;
   const ns = obj.metadata?.namespace ?? "cluster-scoped";
   const kind4 = obj.kind ?? "UnknownKind";
   const name = obj.metadata?.name ?? "Unnamed";
-  return strat === "singular" ? `${kind4}/${ns}` : `${kind4}/${name}/${ns}`;
+  const lookup = {
+    kind: `${kind4}`,
+    kindNs: `${kind4}/${ns}`,
+    kindNsName: `${kind4}/${ns}/${name}`,
+    global: "global"
+  };
+  return lookup[strat];
+}
+function getOrCreateQueue(obj) {
+  const key = queueKey(obj);
+  if (!queues[key]) {
+    queues[key] = new Queue(key);
+  }
+  return queues[key];
 }
 var watchCfg = {
   resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
@@ -1299,26 +1455,37 @@ var watchCfg = {
   relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10) : 600
 };
 var eventToPhaseMap = {
-  ["CREATE" /* Create */]: [import_types2.WatchPhase.Added],
-  ["UPDATE" /* Update */]: [import_types2.WatchPhase.Modified],
-  ["CREATEORUPDATE" /* CreateOrUpdate */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified],
-  ["DELETE" /* Delete */]: [import_types2.WatchPhase.Deleted],
-  ["*" /* Any */]: [import_types2.WatchPhase.Added, import_types2.WatchPhase.Modified, import_types2.WatchPhase.Deleted]
+  ["CREATE" /* Create */]: [import_types6.WatchPhase.Added],
+  ["UPDATE" /* Update */]: [import_types6.WatchPhase.Modified],
+  ["CREATEORUPDATE" /* CreateOrUpdate */]: [import_types6.WatchPhase.Added, import_types6.WatchPhase.Modified],
+  ["DELETE" /* Delete */]: [import_types6.WatchPhase.Deleted],
+  ["*" /* Any */]: [import_types6.WatchPhase.Added, import_types6.WatchPhase.Modified, import_types6.WatchPhase.Deleted]
 };
-function setupWatch(capabilities) {
+function setupWatch(capabilities, ignoredNamespaces) {
   capabilities.map(
-    (capability) => capability.bindings.filter((binding) => binding.isWatch).forEach((bindingElement) => runBinding(bindingElement, capability.namespaces))
+    (capability) => capability.bindings.filter((binding) => binding.isWatch).forEach((bindingElement) => runBinding(bindingElement, capability.namespaces, ignoredNamespaces))
   );
 }
-async function runBinding(binding, capabilityNamespaces) {
+async function runBinding(binding, capabilityNamespaces, ignoredNamespaces) {
   const phaseMatch = eventToPhaseMap[binding.event] || eventToPhaseMap["*" /* Any */];
   logger_default.debug({ watchCfg }, "Effective WatchConfig");
-  const watchCallback = async (obj, type) => {
-    if (phaseMatch.includes(type)) {
+  const watchCallback = async (obj, phase) => {
+    if (phaseMatch.includes(phase)) {
       try {
-        const filterMatch = filterNoMatchReason(binding, obj, capabilityNamespaces);
+        const filterMatch = filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces);
         if (filterMatch === "") {
-          await binding.watchCallback?.(obj, type);
+          if (binding.isFinalize) {
+            if (!obj.metadata?.deletionTimestamp) {
+              return;
+            }
+            try {
+              await binding.finalizeCallback?.(obj);
+            } finally {
+              await removeFinalizer(binding, obj);
+            }
+          } else {
+            await binding.watchCallback?.(obj, phase);
+          }
         } else {
           logger_default.debug(filterMatch);
         }
@@ -1327,46 +1494,39 @@ async function runBinding(binding, capabilityNamespaces) {
       }
     }
   };
-  function getOrCreateQueue(key) {
-    if (!queueRecord[key]) {
-      queueRecord[key] = new Queue();
-      queueRecord[key].setReconcile(watchCallback);
-    }
-    return queueRecord[key];
-  }
-  const watcher = (0, import_kubernetes_fluent_client5.K8s)(binding.model, binding.filters).Watch(async (obj, type) => {
-    logger_default.debug(obj, `Watch event ${type} received`);
-    const queue = getOrCreateQueue(queueRecordKey(obj));
+  const watcher = (0, import_kubernetes_fluent_client6.K8s)(binding.model, binding.filters).Watch(async (obj, phase) => {
+    logger_default.debug(obj, `Watch event ${phase} received`);
     if (binding.isQueue) {
-      await queue.enqueue(obj, type);
+      const queue = getOrCreateQueue(obj);
+      await queue.enqueue(obj, phase, watchCallback);
     } else {
-      await watchCallback(obj, type);
+      await watchCallback(obj, phase);
     }
   }, watchCfg);
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => {
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => {
     logger_default.error(err, "Watch failed after 5 attempts, giving up");
     process.exit(1);
   });
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client5.WatchEvent.CONNECT, url));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client6.WatchEvent.CONNECT, url));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, err.message));
   watcher.events.on(
-    import_kubernetes_fluent_client5.WatchEvent.RECONNECT,
-    (retryCount) => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`)
+    import_kubernetes_fluent_client6.WatchEvent.RECONNECT,
+    (retryCount) => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`)
   );
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.ABORT, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, err));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CACHE_MISS, (windowName) => {
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.ABORT, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, err));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CACHE_MISS, (windowName) => {
     metricsCollector.incCacheMiss(windowName);
   });
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.INIT_CACHE_MISS, (windowName) => {
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INIT_CACHE_MISS, (windowName) => {
     metricsCollector.initCacheMissWindow(windowName);
   });
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.INC_RESYNC_FAILURE_COUNT, (retryCount) => {
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INC_RESYNC_FAILURE_COUNT, (retryCount) => {
     metricsCollector.incRetryCount(retryCount);
   });
   try {
@@ -1376,8 +1536,8 @@ async function runBinding(binding, capabilityNamespaces) {
     process.exit(1);
   }
 }
-function logEvent(type, message = "", obj) {
-  const logMessage = `Watch event ${type} received${message ? `. ${message}.` : "."}`;
+function logEvent(event, message = "", obj) {
+  const logMessage = `Watch event ${event} received${message ? `. ${message}.` : "."}`;
   if (obj) {
     logger_default.debug(obj, logMessage);
   } else {
@@ -1399,7 +1559,7 @@ var PeprModule = class {
    * @param opts Options for the Pepr runtime
    */
   constructor({ description, pepr }, capabilities = [], opts = {}) {
-    const config = (0, import_ramda4.clone)(pepr);
+    const config = (0, import_ramda5.clone)(pepr);
     config.description = description;
     ValidateError(config.onError);
     if (isBuildMode()) {
@@ -1422,7 +1582,7 @@ var PeprModule = class {
     this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
       if (isWatchMode() || isDevMode()) {
         try {
-          setupWatch(capabilities);
+          setupWatch(capabilities, pepr?.alwaysIgnore?.namespaces);
         } catch (e) {
           logger_default.error(e, "Error setting up watch");
           process.exit(1);
@@ -1446,7 +1606,7 @@ var PeprModule = class {
 };
 
 // src/lib/storage.ts
-var import_ramda5 = require("ramda");
+var import_ramda6 = require("ramda");
 var import_json_pointer = __toESM(require("json-pointer"));
 var MAX_WAIT_TIME = 15e3;
 var STORE_VERSION_PREFIX = "v2";
@@ -1466,11 +1626,10 @@ var Storage = class {
     this.#send = send;
   };
   receive = (data) => {
-    logger_default.debug(data, `Pepr store data received`);
     this.#store = data || {};
     this.#onReady();
     for (const idx in this.#subscribers) {
-      this.#subscribers[idx]((0, import_ramda5.clone)(this.#store));
+      this.#subscribers[idx]((0, import_ramda6.clone)(this.#store));
     }
   };
   getItem = (key) => {
@@ -1481,7 +1640,7 @@ var Storage = class {
     return null;
   };
   clear = () => {
-    this.#dispatchUpdate(
+    Object.keys(this.#store).length > 0 && this.#dispatchUpdate(
       "remove",
       Object.keys(this.#store).map((key) => import_json_pointer.default.escape(key))
     );
@@ -1554,7 +1713,7 @@ var Storage = class {
   };
   #onReady = () => {
     for (const handler of this.#readyHandlers) {
-      handler((0, import_ramda5.clone)(this.#store));
+      handler((0, import_ramda6.clone)(this.#store));
     }
     this.#onReady = () => {
     };
@@ -1734,6 +1893,9 @@ var Capability = class {
       });
     }
   };
+  getScheduleStore() {
+    return this.#scheduleStore;
+  }
   /**
    * Store is a key-value data store that can be used to persist data that should be shared
    * between requests. Each capability has its own store, and the data is persisted in Kubernetes
@@ -1828,7 +1990,7 @@ var Capability = class {
    * @returns
    */
   When = (model, kind4) => {
-    const matchedKind = (0, import_kubernetes_fluent_client6.modelToGroupVersionKind)(model.name);
+    const matchedKind = (0, import_kubernetes_fluent_client7.modelToGroupVersionKind)(model.name);
     if (!matchedKind && !kind4) {
       throw new Error(`Kind not specified for ${model.name}`);
     }
@@ -1840,16 +2002,19 @@ var Capability = class {
       filters: {
         name: "",
         namespaces: [],
+        regexNamespaces: [],
+        regexName: "",
         labels: {},
-        annotations: {}
+        annotations: {},
+        deletionTimestamp: false
       }
     };
     const bindings = this.#bindings;
     const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, Mutate, Validate, Watch, Reconcile };
+    const commonChain = { WithLabel, WithAnnotation, WithDeletionTimestamp, Mutate, Validate, Watch, Reconcile, Alias };
     const isNotEmpty = (value) => Object.keys(value).length > 0;
     const log = (message, cbString) => {
-      const filteredObj = (0, import_ramda6.pickBy)(isNotEmpty, binding.filters);
+      const filteredObj = (0, import_ramda7.pickBy)(isNotEmpty, binding.filters);
       logger_default.info(`${message} configured for ${binding.event}`, prefix);
       logger_default.info(filteredObj, prefix);
       logger_default.debug(cbString, prefix);
@@ -1857,10 +2022,14 @@ var Capability = class {
     function Validate(validateCallback) {
       if (registerAdmission) {
         log("Validate Action", validateCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
         bindings.push({
           ...binding,
           isValidate: true,
-          validateCallback
+          validateCallback: async (req, logger = aliasLogger) => {
+            logger_default.info(`Executing validate action with alias: ${binding.alias || "no alias provided"}`);
+            return await validateCallback(req, logger);
+          }
         });
       }
       return { Watch, Reconcile };
@@ -1868,10 +2037,14 @@ var Capability = class {
     function Mutate(mutateCallback) {
       if (registerAdmission) {
         log("Mutate Action", mutateCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
         bindings.push({
           ...binding,
           isMutate: true,
-          mutateCallback
+          mutateCallback: async (req, logger = aliasLogger) => {
+            logger_default.info(`Executing mutation action with alias: ${binding.alias || "no alias provided"}`);
+            await mutateCallback(req, logger);
+          }
         });
       }
       return { Watch, Validate, Reconcile };
@@ -1879,28 +2052,80 @@ var Capability = class {
     function Watch(watchCallback) {
       if (registerWatch) {
         log("Watch Action", watchCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
         bindings.push({
           ...binding,
           isWatch: true,
-          watchCallback
+          watchCallback: async (update, phase, logger = aliasLogger) => {
+            logger_default.info(`Executing watch action with alias: ${binding.alias || "no alias provided"}`);
+            await watchCallback(update, phase, logger);
+          }
         });
       }
+      return { Finalize };
     }
-    function Reconcile(watchCallback) {
+    function Reconcile(reconcileCallback) {
       if (registerWatch) {
-        log("Reconcile Action", watchCallback.toString());
+        log("Reconcile Action", reconcileCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
         bindings.push({
           ...binding,
           isWatch: true,
           isQueue: true,
-          watchCallback
+          watchCallback: async (update, phase, logger = aliasLogger) => {
+            logger_default.info(`Executing reconcile action with alias: ${binding.alias || "no alias provided"}`);
+            await reconcileCallback(update, phase, logger);
+          }
         });
       }
+      return { Finalize };
+    }
+    function Finalize(finalizeCallback) {
+      log("Finalize Action", finalizeCallback.toString());
+      const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
+      if (registerAdmission) {
+        const mutateBinding = {
+          ...binding,
+          isMutate: true,
+          isFinalize: true,
+          event: "*" /* Any */,
+          mutateCallback: addFinalizer
+        };
+        bindings.push(mutateBinding);
+      }
+      if (registerWatch) {
+        const watchBinding = {
+          ...binding,
+          isWatch: true,
+          isFinalize: true,
+          event: "UPDATE" /* Update */,
+          finalizeCallback: async (update, logger = aliasLogger) => {
+            logger_default.info(`Executing finalize action with alias: ${binding.alias || "no alias provided"}`);
+            await finalizeCallback(update, logger);
+          }
+        };
+        bindings.push(watchBinding);
+      }
     }
     function InNamespace(...namespaces) {
       logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
       binding.filters.namespaces.push(...namespaces);
-      return { ...commonChain, WithName };
+      return { ...commonChain, WithName, WithNameRegex };
+    }
+    function InNamespaceRegex(...namespaces) {
+      logger_default.debug(`Add regex namespaces filter ${namespaces}`, prefix);
+      binding.filters.regexNamespaces.push(...namespaces.map((regex) => regex.source));
+      return { ...commonChain, WithName, WithNameRegex };
+    }
+    function WithDeletionTimestamp() {
+      logger_default.debug("Add deletionTimestamp filter");
+      binding.filters.deletionTimestamp = true;
+      return commonChain;
+    }
+    function WithNameRegex(regexName) {
+      logger_default.debug(`Add regex name filter ${regexName}`, prefix);
+      binding.filters.regexName = regexName.source;
+      return commonChain;
     }
     function WithName(name) {
       logger_default.debug(`Add name filter ${name}`, prefix);
@@ -1917,12 +2142,21 @@ var Capability = class {
       binding.filters.annotations[key] = value;
       return commonChain;
     }
+    function Alias(alias) {
+      logger_default.debug(`Adding prefix alias ${alias}`, prefix);
+      binding.alias = alias;
+      return commonChain;
+    }
     function bindEvent(event) {
       binding.event = event;
       return {
         ...commonChain,
         InNamespace,
-        WithName
+        InNamespaceRegex,
+        WithName,
+        WithNameRegex,
+        WithDeletionTimestamp,
+        Alias
       };
     }
     return {