pepr 0.37.1 → 0.37.2

package/package.json

@@ -13,7 +13,7 @@
     "/dist",
     "/src"
   ],
-  "version": "0.37.1",
+  "version": "0.37.2",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {

package/src/cli/init/index.ts

@@ -33,7 +33,7 @@ export default function (program: RootCmd) {
     .option("--description <string>", "Explain the purpose of the new module.")
     .option("--name <string>", "Set the name of the new module.")
     .option("--skip-post-init", "Skip npm install, git init, and VSCode launch.")
-    .option(`--errorBehavior <${ErrorList.join("|")}>`, "Set a errorBehavior.", Errors.reject)
+    .option(`--errorBehavior <${ErrorList.join("|")}>`, "Set an errorBehavior.", Errors.reject)
     .hook("preAction", async thisCommand => {
       // TODO: Overrides for testing. Don't be so gross with Node CLI testing
       // TODO: See pepr/#1140

package/src/fixtures/data/create-pod.json

@@ -39,7 +39,8 @@
       "labels": {
         "app.kubernetes.io/name": "cool-name-podinfo",
         "pod-template-hash": "66bbff7cf4",
-        "zarf-agent": "patched"
+        "zarf-agent": "patched",
+        "test-op": "create"
       },
       "name": "cool-name-podinfo-66bbff7cf4-fwhl2",
       "namespace": "helm-releasename",

package/src/fixtures/data/delete-pod.json

@@ -36,7 +36,8 @@
       "labels": {
         "app.kubernetes.io/name": "cool-name-podinfo",
         "pod-template-hash": "66bbff7cf4",
-        "zarf-agent": "patched"
+        "zarf-agent": "patched",
+        "test-op": "delete"
       },
       "name": "cool-name-podinfo-66bbff7cf4-fwhl2",
       "namespace": "helm-releasename",

package/src/lib/adjudicators.test.ts

@@ -550,11 +550,13 @@ describe("metasMismatch", () => {
     [{ anno: "tate" }, {}, true],
     [{ anno: "tate" }, { anno: "" }, true],
     [{ anno: "tate" }, { anno: "tate" }, false],
+    [{ anno: "tate" }, { anno: "tato" }, true],
 
     [{ an: "no", ta: "te" }, { an: "" }, true],
     [{ an: "no", ta: "te" }, { an: "no" }, true],
     [{ an: "no", ta: "te" }, { an: "no", ta: "" }, true],
     [{ an: "no", ta: "te" }, { an: "no", ta: "te" }, false],
+    [{ an: "no", ta: "te" }, { an: "no", ta: "to" }, true],
   ])("given left %j and right %j, returns %s", (bnd, obj, expected) => {
     const result = sut.metasMismatch(bnd, obj);
 
@@ -575,10 +577,12 @@ describe("mismatchedAnnotations", () => {
     [{ filters: { annotations: { anno: "tate" } } }, {}, true],
     [{ filters: { annotations: { anno: "tate" } } }, { metadata: { annotations: { anno: "" } } }, true],
     [{ filters: { annotations: { anno: "tate" } } }, { metadata: { annotations: { anno: "tate" } } }, false],
+    [{ filters: { annotations: { anno: "tate" } } }, { metadata: { annotations: { anno: "tato" } } }, true],
 
     [{ filters: { annotations: { an: "no", ta: "te" } } }, { metadata: { annotations: { an: "" } } }, true],
     [{ filters: { annotations: { an: "no", ta: "te" } } }, { metadata: { annotations: { an: "no" } } }, true],
     [{ filters: { annotations: { an: "no", ta: "te" } } }, { metadata: { annotations: { an: "no", ta: "" } } }, true],
+    [{ filters: { annotations: { an: "no", ta: "te" } } }, { metadata: { annotations: { an: "no", ta: "to" } } }, true],
     [
       { filters: { annotations: { an: "no", ta: "te" } } },
       { metadata: { annotations: { an: "no", ta: "te" } } },

package/src/lib/adjudicators.ts

@@ -162,12 +162,14 @@ export const metasMismatch = pipe(
         const keyMissing = !Object.hasOwn(result.carried, key);
         const noValue = !val;
         const valMissing = !result.carried[key];
+        const valDiffers = result.carried[key] !== result.defined[key];
 
         // prettier-ignore
         return (
           keyMissing ? { [key]: val } :
           noValue ? {} :
           valMissing ? { [key]: val } :
+          valDiffers ? { [key]: val } :
           {}
         )
       })

package/src/lib/filter.test.ts

@@ -58,6 +58,7 @@ describe("Fuzzing shouldSkipRequest", () => {
     );
   });
 });
+
 describe("Property-Based Testing shouldSkipRequest", () => {
   test("should only skip requests that do not match the binding criteria", () => {
     fc.assert(
@@ -96,7 +97,7 @@ describe("Property-Based Testing shouldSkipRequest", () => {
         fc.array(fc.string()),
         (binding, req, capabilityNamespaces) => {
           const shouldSkip = shouldSkipRequest(binding as Binding, req as AdmissionRequest, capabilityNamespaces);
-          expect(typeof shouldSkip).toBe("boolean");
+          expect(typeof shouldSkip).toBe("string");
         },
       ),
       { numRuns: 100 },
@@ -113,7 +114,7 @@ test("create: should reject when regex name does not match", () => {
       name: "",
       namespaces: [],
       regexNamespaces: [],
-      regexName: new RegExp(/^default$/).source,
+      regexName: "^default$",
       labels: {},
       annotations: {},
       deletionTimestamp: false,
@@ -121,8 +122,11 @@ test("create: should reject when regex name does not match", () => {
     callback,
   };
   const pod = CreatePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines name regex '.*' but Object carries '.*'./,
+  );
 });
+
 test("create: should not reject when regex name does match", () => {
   const binding = {
     model: kind.Pod,
@@ -132,7 +136,7 @@ test("create: should not reject when regex name does match", () => {
       name: "",
       namespaces: [],
       regexNamespaces: [],
-      regexName: new RegExp(/^cool/).source,
+      regexName: "^cool",
       labels: {},
       annotations: {},
       deletionTimestamp: false,
@@ -140,8 +144,9 @@ test("create: should not reject when regex name does match", () => {
     callback,
   };
   const pod = CreatePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
+
 test("delete: should reject when regex name does not match", () => {
   const binding = {
     model: kind.Pod,
@@ -151,7 +156,7 @@ test("delete: should reject when regex name does not match", () => {
       name: "",
       namespaces: [],
       regexNamespaces: [],
-      regexName: new RegExp(/^default$/).source,
+      regexName: "^default$",
       labels: {},
       annotations: {},
       deletionTimestamp: false,
@@ -159,8 +164,11 @@ test("delete: should reject when regex name does not match", () => {
     callback,
   };
   const pod = DeletePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines name regex '.*' but Object carries '.*'./,
+  );
 });
+
 test("delete: should not reject when regex name does match", () => {
   const binding = {
     model: kind.Pod,
@@ -170,7 +178,7 @@ test("delete: should not reject when regex name does match", () => {
       name: "",
       namespaces: [],
       regexNamespaces: [],
-      regexName: new RegExp(/^cool/).source,
+      regexName: "^cool",
       labels: {},
       annotations: {},
       deletionTimestamp: false,
@@ -178,7 +186,7 @@ test("delete: should not reject when regex name does match", () => {
     callback,
   };
   const pod = DeletePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("create: should not reject when regex namespace does match", () => {
@@ -189,7 +197,7 @@ test("create: should not reject when regex namespace does match", () => {
     filters: {
       name: "",
       namespaces: [],
-      regexNamespaces: [new RegExp(/^helm/).source],
+      regexNamespaces: ["^helm"],
       regexName: "",
       labels: {},
       annotations: {},
@@ -198,7 +206,7 @@ test("create: should not reject when regex namespace does match", () => {
     callback,
   };
   const pod = CreatePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("create: should reject when regex namespace does not match", () => {
@@ -209,7 +217,7 @@ test("create: should reject when regex namespace does not match", () => {
     filters: {
       name: "",
       namespaces: [],
-      regexNamespaces: [new RegExp(/^argo/).source],
+      regexNamespaces: ["^argo"],
       regexName: "",
       labels: {},
       annotations: {},
@@ -218,7 +226,9 @@ test("create: should reject when regex namespace does not match", () => {
     callback,
   };
   const pod = CreatePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines namespace regexes '.*' but Object carries '.*'./,
+  );
 });
 
 test("delete: should reject when regex namespace does not match", () => {
@@ -227,9 +237,9 @@ test("delete: should reject when regex namespace does not match", () => {
     event: Event.Any,
     kind: podKind,
     filters: {
-      name: "bleh",
+      name: "",
       namespaces: [],
-      regexNamespaces: [new RegExp(/^argo/).source],
+      regexNamespaces: ["^argo"],
       regexName: "",
       labels: {},
       annotations: {},
@@ -238,7 +248,9 @@ test("delete: should reject when regex namespace does not match", () => {
     callback,
   };
   const pod = DeletePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines namespace regexes '.*' but Object carries '.*'./,
+  );
 });
 
 test("delete: should not reject when regex namespace does match", () => {
@@ -249,7 +261,7 @@ test("delete: should not reject when regex namespace does match", () => {
     filters: {
       name: "",
       namespaces: [],
-      regexNamespaces: [new RegExp(/^helm/).source],
+      regexNamespaces: ["^helm"],
       regexName: "",
       labels: {},
       annotations: {},
@@ -258,7 +270,7 @@ test("delete: should not reject when regex namespace does match", () => {
     callback,
   };
   const pod = DeletePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("delete: should reject when name does not match", () => {
@@ -270,7 +282,7 @@ test("delete: should reject when name does not match", () => {
       name: "bleh",
       namespaces: [],
       regexNamespaces: [],
-      regexName: new RegExp(/^not-cool/).source,
+      regexName: "^not-cool",
       labels: {},
       annotations: {},
       deletionTimestamp: false,
@@ -278,13 +290,20 @@ test("delete: should reject when name does not match", () => {
     callback,
   };
   const pod = DeletePod();
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines name '.*' but Object carries '.*'./,
+  );
 });
+
 test("should reject when kind does not match", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
-    kind: modelToGroupVersionKind(kind.CronJob.name),
+    kind: {
+      group: "",
+      version: "v1",
+      kind: "Nope",
+    },
     filters: {
       name: "",
       namespaces: [],
@@ -298,14 +317,20 @@ test("should reject when kind does not match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines kind '.*' but Request declares '.*'./,
+  );
 });
 
 test("should reject when group does not match", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
-    kind: modelToGroupVersionKind(kind.CronJob.name),
+    kind: {
+      group: "Nope",
+      version: "v1",
+      kind: "Pod",
+    },
     filters: {
       name: "",
       namespaces: [],
@@ -319,7 +344,9 @@ test("should reject when group does not match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines group '.*' but Request declares '.*'./,
+  );
 });
 
 test("should reject when version does not match", () => {
@@ -328,7 +355,7 @@ test("should reject when version does not match", () => {
     event: Event.Any,
     kind: {
       group: "",
-      version: "v2",
+      version: "Nope",
       kind: "Pod",
     },
     filters: {
@@ -344,7 +371,9 @@ test("should reject when version does not match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines version '.*' but Request declares '.*'./,
+  );
 });
 
 test("should allow when group, version, and kind match", () => {
@@ -365,7 +394,7 @@ test("should allow when group, version, and kind match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("should allow when kind match and others are empty", () => {
@@ -390,7 +419,7 @@ test("should allow when kind match and others are empty", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("should reject when the capability namespace does not match", () => {
@@ -411,7 +440,9 @@ test("should reject when the capability namespace does not match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, ["bleh", "bleh2"])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, ["bleh", "bleh2"])).toMatch(
+    /Ignoring Admission Callback: Object carries namespace '.*' but namespaces allowed by Capability are '.*'./,
+  );
 });
 
 test("should reject when namespace does not match", () => {
@@ -432,7 +463,9 @@ test("should reject when namespace does not match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines namespaces '.*' but Object carries '.*'./,
+  );
 });
 
 test("should allow when namespace is match", () => {
@@ -453,7 +486,7 @@ test("should allow when namespace is match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("should reject when label does not match", () => {
@@ -476,7 +509,9 @@ test("should reject when label does not match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines labels '.*' but Object carries '.*'./,
+  );
 });
 
 test("should allow when label is match", () => {
@@ -507,7 +542,7 @@ test("should allow when label is match", () => {
     test2: "test2",
   };
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("should reject when annotation does not match", () => {
@@ -530,7 +565,9 @@ test("should reject when annotation does not match", () => {
   };
   const pod = CreatePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines annotations '.*' but Object carries '.*'./,
+  );
 });
 
 test("should allow when annotation is match", () => {
@@ -561,7 +598,7 @@ test("should allow when annotation is match", () => {
     test2: "test2",
   };
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
 test("should use `oldObject` when the operation is `DELETE`", () => {
@@ -576,21 +613,19 @@ test("should use `oldObject` when the operation is `DELETE`", () => {
       regexName: "",
       deletionTimestamp: false,
       labels: {
-        "app.kubernetes.io/name": "cool-name-podinfo",
-      },
-      annotations: {
-        "prometheus.io/scrape": "true",
+        "test-op": "delete",
       },
+      annotations: {},
     },
     callback,
   };
 
   const pod = DeletePod();
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
-test("should skip processing when deletionTimestamp is not present on pod", () => {
+test("should allow when deletionTimestamp is present on pod", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
@@ -612,16 +647,17 @@ test("should skip processing when deletionTimestamp is not present on pod", () =
 
   const pod = CreatePod();
   pod.object.metadata = pod.object.metadata || {};
+  pod.object.metadata!.deletionTimestamp = new Date("2021-09-01T00:00:00Z");
   pod.object.metadata.annotations = {
     foo: "bar",
     test: "test1",
     test2: "test2",
   };
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(true);
+  expect(shouldSkipRequest(binding, pod, [])).toBe("");
 });
 
-test("should processing when deletionTimestamp is not present on pod", () => {
+test("should reject when deletionTimestamp is not present on pod", () => {
   const binding = {
     model: kind.Pod,
     event: Event.Any,
@@ -643,12 +679,13 @@ test("should processing when deletionTimestamp is not present on pod", () => {
 
   const pod = CreatePod();
   pod.object.metadata = pod.object.metadata || {};
-  pod.object.metadata!.deletionTimestamp = new Date("2021-09-01T00:00:00Z");
   pod.object.metadata.annotations = {
     foo: "bar",
     test: "test1",
     test2: "test2",
   };
 
-  expect(shouldSkipRequest(binding, pod, [])).toBe(false);
+  expect(shouldSkipRequest(binding, pod, [])).toMatch(
+    /Ignoring Admission Callback: Binding defines deletionTimestamp but Object does not carry it./,
+  );
 });

package/src/lib/filter.ts

@@ -4,6 +4,24 @@
 import { AdmissionRequest, Binding, Operation } from "./types";
 import {
   carriesIgnoredNamespace,
+  carriedName,
+  definedEvent,
+  declaredOperation,
+  definedName,
+  definedGroup,
+  declaredGroup,
+  definedVersion,
+  declaredVersion,
+  definedKind,
+  declaredKind,
+  definedNamespaces,
+  carriedNamespace,
+  definedLabels,
+  carriedLabels,
+  definedAnnotations,
+  carriedAnnotations,
+  definedNamespaceRegexes,
+  definedNameRegex,
   misboundDeleteWithDeletionTimestamp,
   mismatchedDeletionTimestamp,
   mismatchedAnnotations,
@@ -32,27 +50,94 @@ export function shouldSkipRequest(
   req: AdmissionRequest,
   capabilityNamespaces: string[],
   ignoredNamespaces?: string[],
-): boolean {
+): string {
+  const prefix = "Ignoring Admission Callback:";
   const obj = req.operation === Operation.DELETE ? req.oldObject : req.object;
 
   // prettier-ignore
   return (
-    misboundDeleteWithDeletionTimestamp(binding) ? true :
-    mismatchedDeletionTimestamp(binding, obj) ? true :
-    mismatchedEvent(binding, req) ? true :
-    mismatchedName(binding, obj) ? true :
-    mismatchedGroup(binding, req) ? true :
-    mismatchedVersion(binding, req) ? true :
-    mismatchedKind(binding, req) ? true :
-    unbindableNamespaces(capabilityNamespaces, binding) ? true :
-    uncarryableNamespace(capabilityNamespaces, obj) ? true :
-    mismatchedNamespace(binding, obj) ? true :
-    mismatchedLabels(binding, obj) ? true :
-    mismatchedAnnotations(binding, obj) ? true :
-    mismatchedNamespaceRegex(binding, obj) ? true :
-    mismatchedNameRegex(binding, obj) ? true :
-    carriesIgnoredNamespace(ignoredNamespaces, obj) ? true :
-
-    false
+    misboundDeleteWithDeletionTimestamp(binding) ? 
+      `${prefix} Cannot use deletionTimestamp filter on a DELETE operation.` :
+
+    mismatchedDeletionTimestamp(binding, obj) ?
+      `${prefix} Binding defines deletionTimestamp but Object does not carry it.` :
+
+    mismatchedEvent(binding, req) ?
+      (
+        `${prefix} Binding defines event '${definedEvent(binding)}' but ` +
+        `Request declares '${declaredOperation(req)}'.`
+      ) :
+
+    mismatchedName(binding, obj) ?
+      `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` :
+
+    mismatchedGroup(binding, req) ?
+      (
+        `${prefix} Binding defines group '${definedGroup(binding)}' but ` +
+        `Request declares '${declaredGroup(req)}'.`
+      ) :
+
+    mismatchedVersion(binding, req) ?
+      (
+        `${prefix} Binding defines version '${definedVersion(binding)}' but ` +
+        `Request declares '${declaredVersion(req)}'.`
+      ) :
+
+    mismatchedKind(binding, req) ?
+      (
+        `${prefix} Binding defines kind '${definedKind(binding)}' but ` +
+        `Request declares '${declaredKind(req)}'.`
+      ) :
+
+    unbindableNamespaces(capabilityNamespaces, binding) ?
+      (
+        `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
+    uncarryableNamespace(capabilityNamespaces, obj) ?
+      (
+        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
+        `but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
+      ) :
+
+    mismatchedNamespace(binding, obj) ?
+      (
+        `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' ` +
+        `but Object carries '${carriedNamespace(obj)}'.`
+      ) :
+
+    mismatchedLabels(binding, obj) ?
+      (
+        `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' ` +
+        `but Object carries '${JSON.stringify(carriedLabels(obj))}'.`
+      ) :
+
+    mismatchedAnnotations(binding, obj) ?
+      (
+        `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' ` +
+        `but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.`
+      ) :
+
+    mismatchedNamespaceRegex(binding, obj) ?
+      (
+        `${prefix} Binding defines namespace regexes ` +
+        `'${JSON.stringify(definedNamespaceRegexes(binding))}' ` +
+        `but Object carries '${carriedNamespace(obj)}'.`
+      ) :
+
+    mismatchedNameRegex(binding, obj) ?
+      (
+        `${prefix} Binding defines name regex '${definedNameRegex(binding)}' ` +
+        `but Object carries '${carriedName(obj)}'.`
+      ) :
+
+    carriesIgnoredNamespace(ignoredNamespaces, obj) ?
+      (
+        `${prefix} Object carries namespace '${carriedNamespace(obj)}' ` +
+        `but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
+      ) :
+
+    ""
   );
 }

package/src/lib/mutate-processor.ts

@@ -50,7 +50,9 @@ export async function mutateProcessor(
       }
 
       // Continue to the next action without doing anything if this one should be skipped
-      if (shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces)) {
+      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
+      if (shouldSkip !== "") {
+        Log.debug(shouldSkip);
         continue;
       }
 

package/src/lib/validate-processor.ts

@@ -44,7 +44,9 @@ export async function validateProcessor(
       };
 
       // Continue to the next action without doing anything if this one should be skipped
-      if (shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces)) {
+      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
+      if (shouldSkip !== "") {
+        Log.debug(shouldSkip);
         continue;
       }