pepr 0.37.2 → 0.37.3

package/dist/lib.js

@@ -1,2193 +0,0 @@
-"use strict";
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/lib.ts
-var lib_exports = {};
-__export(lib_exports, {
-  Capability: () => Capability,
-  K8s: () => import_kubernetes_fluent_client8.K8s,
-  Log: () => logger_default,
-  PeprModule: () => PeprModule,
-  PeprMutateRequest: () => PeprMutateRequest,
-  PeprUtils: () => utils_exports,
-  PeprValidateRequest: () => PeprValidateRequest,
-  R: () => R,
-  RegisterKind: () => import_kubernetes_fluent_client8.RegisterKind,
-  a: () => import_kubernetes_fluent_client8.kind,
-  fetch: () => import_kubernetes_fluent_client8.fetch,
-  fetchStatus: () => import_kubernetes_fluent_client8.fetchStatus,
-  kind: () => import_kubernetes_fluent_client8.kind,
-  sdk: () => sdk_exports
-});
-module.exports = __toCommonJS(lib_exports);
-var import_kubernetes_fluent_client8 = require("kubernetes-fluent-client");
-var R = __toESM(require("ramda"));
-
-// src/lib/capability.ts
-var import_kubernetes_fluent_client7 = require("kubernetes-fluent-client");
-var import_ramda7 = require("ramda");
-
-// src/lib/logger.ts
-var import_pino = require("pino");
-var isPrettyLog = process.env.PEPR_PRETTY_LOGS === "true";
-var pretty = {
-  target: "pino-pretty",
-  options: {
-    colorize: true
-  }
-};
-var transport = isPrettyLog ? pretty : void 0;
-var pinoTimeFunction = process.env.PINO_TIME_STAMP === "iso" ? () => import_pino.stdTimeFunctions.isoTime() : () => import_pino.stdTimeFunctions.epochTime();
-var Log = (0, import_pino.pino)({
-  transport,
-  timestamp: pinoTimeFunction
-});
-if (process.env.LOG_LEVEL) {
-  Log.level = process.env.LOG_LEVEL;
-}
-var logger_default = Log;
-
-// src/lib/module.ts
-var import_ramda5 = require("ramda");
-
-// src/lib/controller/index.ts
-var import_express = __toESM(require("express"));
-var import_fs = __toESM(require("fs"));
-var import_https = __toESM(require("https"));
-
-// src/lib/metrics.ts
-var import_perf_hooks = require("perf_hooks");
-var import_prom_client = __toESM(require("prom-client"));
-var loggingPrefix = "MetricsCollector";
-var MetricsCollector = class {
-  #registry;
-  #counters = /* @__PURE__ */ new Map();
-  #gauges = /* @__PURE__ */ new Map();
-  #summaries = /* @__PURE__ */ new Map();
-  #prefix;
-  #cacheMissWindows = /* @__PURE__ */ new Map();
-  #metricNames = {
-    errors: "errors",
-    alerts: "alerts",
-    mutate: "mutate",
-    validate: "validate",
-    cacheMiss: "cache_miss",
-    resyncFailureCount: "resync_failure_count"
-  };
-  /**
-   * Creates a MetricsCollector instance with prefixed metrics.
-   * @param [prefix='pepr'] - The prefix for the metric names.
-   */
-  constructor(prefix = "pepr") {
-    this.#registry = new import_prom_client.Registry();
-    this.#prefix = prefix;
-    this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
-    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
-    this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
-    this.addSummary(this.#metricNames.validate, "Validation operation summary");
-    this.addGauge(this.#metricNames.cacheMiss, "Number of cache misses per window", ["window"]);
-    this.addGauge(this.#metricNames.resyncFailureCount, "Number of failures per resync operation", ["count"]);
-  }
-  #getMetricName = (name) => `${this.#prefix}_${name}`;
-  #addMetric = (collection, MetricType, name, help, labelNames) => {
-    if (collection.has(this.#getMetricName(name))) {
-      logger_default.debug(`Metric for ${name} already exists`, loggingPrefix);
-      return;
-    }
-    const metric = new MetricType({
-      name: this.#getMetricName(name),
-      help,
-      registers: [this.#registry],
-      labelNames
-    });
-    collection.set(this.#getMetricName(name), metric);
-  };
-  addCounter = (name, help) => {
-    this.#addMetric(this.#counters, import_prom_client.default.Counter, name, help, []);
-  };
-  addSummary = (name, help) => {
-    this.#addMetric(this.#summaries, import_prom_client.default.Summary, name, help, []);
-  };
-  addGauge = (name, help, labelNames) => {
-    this.#addMetric(this.#gauges, import_prom_client.default.Gauge, name, help, labelNames);
-  };
-  incCounter = (name) => {
-    this.#counters.get(this.#getMetricName(name))?.inc();
-  };
-  incGauge = (name, labels, value = 1) => {
-    this.#gauges.get(this.#getMetricName(name))?.inc(labels || {}, value);
-  };
-  /**
-   * Increments the error counter.
-   */
-  error = () => this.incCounter(this.#metricNames.errors);
-  /**
-   * Increments the alerts counter.
-   */
-  alert = () => this.incCounter(this.#metricNames.alerts);
-  /**
-   * Observes the duration since the provided start time and updates the summary.
-   * @param startTime - The start time.
-   * @param name - The metrics summary to increment.
-   */
-  observeEnd = (startTime, name = this.#metricNames.mutate) => {
-    this.#summaries.get(this.#getMetricName(name))?.observe(import_perf_hooks.performance.now() - startTime);
-  };
-  /**
-   * Fetches the current metrics from the registry.
-   * @returns The metrics.
-   */
-  getMetrics = () => this.#registry.metrics();
-  /**
-   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
-   * @returns The timestamp.
-   */
-  static observeStart() {
-    return import_perf_hooks.performance.now();
-  }
-  /**
-   * Increments the cache miss gauge for a given label.
-   * @param label - The label for the cache miss.
-   */
-  incCacheMiss = (window) => {
-    this.incGauge(this.#metricNames.cacheMiss, { window });
-  };
-  /**
-   * Increments the retry count gauge.
-   * @param count - The count to increment by.
-   */
-  incRetryCount = (count) => {
-    this.incGauge(this.#metricNames.resyncFailureCount, { count });
-  };
-  /**
-   * Initializes the cache miss gauge for a given label.
-   * @param label - The label for the cache miss.
-   */
-  initCacheMissWindow = (window) => {
-    this.#rollCacheMissWindows();
-    this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.set({ window }, 0);
-    this.#cacheMissWindows.set(window, 0);
-  };
-  /**
-   * Manages the size of the cache miss gauge map.
-   */
-  #rollCacheMissWindows = () => {
-    const maxCacheMissWindows = process.env.PEPR_MAX_CACHE_MISS_WINDOWS ? parseInt(process.env.PEPR_MAX_CACHE_MISS_WINDOWS, 10) : void 0;
-    if (maxCacheMissWindows !== void 0 && this.#cacheMissWindows.size >= maxCacheMissWindows) {
-      const firstKey = this.#cacheMissWindows.keys().next().value;
-      this.#cacheMissWindows.delete(firstKey);
-      this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.remove({ window: firstKey });
-    }
-  };
-};
-var metricsCollector = new MetricsCollector("pepr");
-
-// src/lib/mutate-processor.ts
-var import_fast_json_patch = __toESM(require("fast-json-patch"));
-
-// src/lib/errors.ts
-var Errors = {
-  audit: "audit",
-  ignore: "ignore",
-  reject: "reject"
-};
-var ErrorList = Object.values(Errors);
-function ValidateError(error = "") {
-  if (!ErrorList.includes(error)) {
-    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
-  }
-}
-
-// src/lib/adjudicators.ts
-var import_ramda = require("ramda");
-var declaredOperation = (0, import_ramda.pipe)((request) => request?.operation, (0, import_ramda.defaultTo)(""));
-var declaredGroup = (0, import_ramda.pipe)((request) => request?.kind?.group, (0, import_ramda.defaultTo)(""));
-var declaredVersion = (0, import_ramda.pipe)((request) => request?.kind?.version, (0, import_ramda.defaultTo)(""));
-var declaredKind = (0, import_ramda.pipe)((request) => request?.kind?.kind, (0, import_ramda.defaultTo)(""));
-var declaredUid = (0, import_ramda.pipe)((request) => request?.uid, (0, import_ramda.defaultTo)(""));
-var carriesDeletionTimestamp = (0, import_ramda.pipe)((obj) => !!obj.metadata?.deletionTimestamp, (0, import_ramda.defaultTo)(false));
-var missingDeletionTimestamp = (0, import_ramda.complement)(carriesDeletionTimestamp);
-var carriedName = (0, import_ramda.pipe)((obj) => obj?.metadata?.name, (0, import_ramda.defaultTo)(""));
-var carriesName = (0, import_ramda.pipe)(carriedName, (0, import_ramda.equals)(""), import_ramda.not);
-var missingName = (0, import_ramda.complement)(carriesName);
-var carriedNamespace = (0, import_ramda.pipe)((obj) => obj?.metadata?.namespace, (0, import_ramda.defaultTo)(""));
-var carriesNamespace = (0, import_ramda.pipe)(carriedNamespace, (0, import_ramda.equals)(""), import_ramda.not);
-var carriedAnnotations = (0, import_ramda.pipe)((obj) => obj?.metadata?.annotations, (0, import_ramda.defaultTo)({}));
-var carriesAnnotations = (0, import_ramda.pipe)(carriedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
-var carriedLabels = (0, import_ramda.pipe)((obj) => obj?.metadata?.labels, (0, import_ramda.defaultTo)({}));
-var carriesLabels = (0, import_ramda.pipe)(carriedLabels, (0, import_ramda.equals)({}), import_ramda.not);
-var definesDeletionTimestamp = (0, import_ramda.pipe)((binding) => binding?.filters?.deletionTimestamp, (0, import_ramda.defaultTo)(false));
-var ignoresDeletionTimestamp = (0, import_ramda.complement)(definesDeletionTimestamp);
-var definedName = (0, import_ramda.pipe)((binding) => binding?.filters?.name, (0, import_ramda.defaultTo)(""));
-var definesName = (0, import_ramda.pipe)(definedName, (0, import_ramda.equals)(""), import_ramda.not);
-var ignoresName = (0, import_ramda.complement)(definesName);
-var definedNameRegex = (0, import_ramda.pipe)((binding) => binding?.filters?.regexName, (0, import_ramda.defaultTo)(""));
-var definesNameRegex = (0, import_ramda.pipe)(definedNameRegex, (0, import_ramda.equals)(""), import_ramda.not);
-var definedNamespaces = (0, import_ramda.pipe)((binding) => binding?.filters?.namespaces, (0, import_ramda.defaultTo)([]));
-var definesNamespaces = (0, import_ramda.pipe)(definedNamespaces, (0, import_ramda.equals)([]), import_ramda.not);
-var definedNamespaceRegexes = (0, import_ramda.pipe)((binding) => binding?.filters?.regexNamespaces, (0, import_ramda.defaultTo)([]));
-var definesNamespaceRegexes = (0, import_ramda.pipe)(definedNamespaceRegexes, (0, import_ramda.equals)([]), import_ramda.not);
-var definedAnnotations = (0, import_ramda.pipe)((binding) => binding?.filters?.annotations, (0, import_ramda.defaultTo)({}));
-var definesAnnotations = (0, import_ramda.pipe)(definedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
-var definedLabels = (0, import_ramda.pipe)((binding) => binding?.filters?.labels, (0, import_ramda.defaultTo)({}));
-var definesLabels = (0, import_ramda.pipe)(definedLabels, (0, import_ramda.equals)({}), import_ramda.not);
-var definedEvent = (0, import_ramda.pipe)((binding) => binding?.event, (0, import_ramda.defaultTo)(""));
-var definesDelete = (0, import_ramda.pipe)(definedEvent, (0, import_ramda.equals)("DELETE" /* DELETE */));
-var definedGroup = (0, import_ramda.pipe)((binding) => binding?.kind?.group, (0, import_ramda.defaultTo)(""));
-var definesGroup = (0, import_ramda.pipe)(definedGroup, (0, import_ramda.equals)(""), import_ramda.not);
-var definedVersion = (0, import_ramda.pipe)((binding) => binding?.kind?.version, (0, import_ramda.defaultTo)(""));
-var definesVersion = (0, import_ramda.pipe)(definedVersion, (0, import_ramda.equals)(""), import_ramda.not);
-var definedKind = (0, import_ramda.pipe)((binding) => binding?.kind?.kind, (0, import_ramda.defaultTo)(""));
-var definesKind = (0, import_ramda.pipe)(definedKind, (0, import_ramda.equals)(""), import_ramda.not);
-var definedCategory = (0, import_ramda.pipe)((binding) => {
-  return binding.isFinalize ? "Finalize" : binding.isWatch ? "Watch" : binding.isMutate ? "Mutate" : binding.isValidate ? "Validate" : "";
-});
-var definedCallback = (0, import_ramda.pipe)((binding) => {
-  return binding.isFinalize ? binding.finalizeCallback : binding.isWatch ? binding.watchCallback : binding.isMutate ? binding.mutateCallback : binding.isValidate ? binding.validateCallback : null;
-});
-var definedCallbackName = (0, import_ramda.pipe)(definedCallback, (0, import_ramda.defaultTo)({ name: "" }), (cb) => cb.name);
-var mismatchedDeletionTimestamp = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesDeletionTimestamp),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), missingDeletionTimestamp)
-]);
-var mismatchedName = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesName),
-  (0, import_ramda.pipe)((bnd, obj) => definedName(bnd) !== carriedName(obj))
-]);
-var mismatchedNameRegex = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNameRegex),
-  (0, import_ramda.pipe)((bnd, obj) => new RegExp(definedNameRegex(bnd)).test(carriedName(obj)), import_ramda.not)
-]);
-var bindsToKind = (0, import_ramda.curry)(
-  (0, import_ramda.allPass)([(0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definedKind, (0, import_ramda.equals)(""), import_ramda.not), (0, import_ramda.pipe)((bnd, knd) => definedKind(bnd) === knd)])
-);
-var bindsToNamespace = (0, import_ramda.curry)((0, import_ramda.pipe)(bindsToKind(import_ramda.__, "Namespace")));
-var misboundNamespace = (0, import_ramda.allPass)([bindsToNamespace, definesNamespaces]);
-var mismatchedNamespace = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNamespaces),
-  (0, import_ramda.pipe)((bnd, obj) => definedNamespaces(bnd).includes(carriedNamespace(obj)), import_ramda.not)
-]);
-var mismatchedNamespaceRegex = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNamespaceRegexes),
-  (0, import_ramda.pipe)(
-    (bnd, obj) => (0, import_ramda.pipe)(
-      (0, import_ramda.any)((rex) => new RegExp(rex).test(carriedNamespace(obj))),
-      import_ramda.not
-    )(definedNamespaceRegexes(bnd))
-  )
-]);
-var metasMismatch = (0, import_ramda.pipe)(
-  (defined, carried) => {
-    const result = { defined, carried, unalike: {} };
-    result.unalike = Object.entries(result.defined).map(([key, val]) => {
-      const keyMissing = !Object.hasOwn(result.carried, key);
-      const noValue = !val;
-      const valMissing = !result.carried[key];
-      const valDiffers = result.carried[key] !== result.defined[key];
-      return keyMissing ? { [key]: val } : noValue ? {} : valMissing ? { [key]: val } : valDiffers ? { [key]: val } : {};
-    }).reduce((acc, cur) => ({ ...acc, ...cur }), {});
-    return result.unalike;
-  },
-  (unalike) => Object.keys(unalike).length > 0
-);
-var mismatchedAnnotations = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesAnnotations),
-  (0, import_ramda.pipe)((bnd, obj) => metasMismatch(definedAnnotations(bnd), carriedAnnotations(obj)))
-]);
-var mismatchedLabels = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesLabels),
-  (0, import_ramda.pipe)((bnd, obj) => metasMismatch(definedLabels(bnd), carriedLabels(obj)))
-]);
-var uncarryableNamespace = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), carriesNamespace),
-  (0, import_ramda.pipe)((nss, obj) => nss.includes(carriedNamespace(obj)), import_ramda.not)
-]);
-var carriesIgnoredNamespace = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), carriesNamespace),
-  (0, import_ramda.pipe)((nss, obj) => nss.includes(carriedNamespace(obj)))
-]);
-var unbindableNamespaces = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), definesNamespaces),
-  (0, import_ramda.pipe)((nss, bnd) => (0, import_ramda.difference)(definedNamespaces(bnd), nss), import_ramda.length, (0, import_ramda.equals)(0), import_ramda.not)
-]);
-var misboundDeleteWithDeletionTimestamp = (0, import_ramda.allPass)([definesDelete, definesDeletionTimestamp]);
-var operationMatchesEvent = (0, import_ramda.anyPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), (0, import_ramda.equals)("*" /* Any */)),
-  (0, import_ramda.pipe)((op, evt) => op === evt),
-  (0, import_ramda.pipe)((op, evt) => op ? evt.includes(op) : false)
-]);
-var mismatchedEvent = (0, import_ramda.pipe)(
-  (binding, request) => operationMatchesEvent(declaredOperation(request), definedEvent(binding)),
-  import_ramda.not
-);
-var mismatchedGroup = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesGroup),
-  (0, import_ramda.pipe)((binding, request) => definedGroup(binding) !== declaredGroup(request))
-]);
-var mismatchedVersion = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesVersion),
-  (0, import_ramda.pipe)((binding, request) => definedVersion(binding) !== declaredVersion(request))
-]);
-var mismatchedKind = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesKind),
-  (0, import_ramda.pipe)((binding, request) => definedKind(binding) !== declaredKind(request))
-]);
-
-// src/lib/filter.ts
-function shouldSkipRequest(binding, req, capabilityNamespaces, ignoredNamespaces) {
-  const prefix = "Ignoring Admission Callback:";
-  const obj = req.operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
-  return misboundDeleteWithDeletionTimestamp(binding) ? `${prefix} Cannot use deletionTimestamp filter on a DELETE operation.` : mismatchedDeletionTimestamp(binding, obj) ? `${prefix} Binding defines deletionTimestamp but Object does not carry it.` : mismatchedEvent(binding, req) ? `${prefix} Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.` : mismatchedName(binding, obj) ? `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` : mismatchedGroup(binding, req) ? `${prefix} Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.` : mismatchedVersion(binding, req) ? `${prefix} Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.` : mismatchedKind(binding, req) ? `${prefix} Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.` : unbindableNamespaces(capabilityNamespaces, binding) ? `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : uncarryableNamespace(capabilityNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : mismatchedNamespace(binding, obj) ? `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedLabels(binding, obj) ? `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.` : mismatchedAnnotations(binding, obj) ? `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.` : mismatchedNamespaceRegex(binding, obj) ? `${prefix} Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedNameRegex(binding, obj) ? `${prefix} Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.` : carriesIgnoredNamespace(ignoredNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : "";
-}
-
-// src/lib/mutate-request.ts
-var import_ramda2 = require("ramda");
-var PeprMutateRequest = class {
-  Raw;
-  #input;
-  get PermitSideEffects() {
-    return !this.#input.dryRun;
-  }
-  /**
-   * Indicates whether the request is a dry run.
-   * @returns true if the request is a dry run, false otherwise.
-   */
-  get IsDryRun() {
-    return this.#input.dryRun;
-  }
-  /**
-   * Provides access to the old resource in the request if available.
-   * @returns The old Kubernetes resource object or null if not available.
-   */
-  get OldResource() {
-    return this.#input.oldObject;
-  }
-  /**
-   * Provides access to the request object.
-   * @returns The request object containing the Kubernetes resource.
-   */
-  get Request() {
-    return this.#input;
-  }
-  /**
-   * Creates a new instance of the action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
-  constructor(input) {
-    this.#input = input;
-    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda2.clone)(input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda2.clone)(input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.RawP");
-    }
-  }
-  /**
-   * Deep merges the provided object with the current resource.
-   *
-   * @param obj - The object to merge with the current resource.
-   */
-  Merge = (obj) => {
-    this.Raw = (0, import_ramda2.mergeDeepRight)(this.Raw, obj);
-  };
-  /**
-   * Updates a label on the Kubernetes resource.
-   * @param key - The key of the label to update.
-   * @param value - The value of the label.
-   * @returns The current action instance for method chaining.
-   */
-  SetLabel = (key, value) => {
-    const ref = this.Raw;
-    ref.metadata = ref.metadata ?? {};
-    ref.metadata.labels = ref.metadata.labels ?? {};
-    ref.metadata.labels[key] = value;
-    return this;
-  };
-  /**
-   * Updates an annotation on the Kubernetes resource.
-   * @param key - The key of the annotation to update.
-   * @param value - The value of the annotation.
-   * @returns The current action instance for method chaining.
-   */
-  SetAnnotation = (key, value) => {
-    const ref = this.Raw;
-    ref.metadata = ref.metadata ?? {};
-    ref.metadata.annotations = ref.metadata.annotations ?? {};
-    ref.metadata.annotations[key] = value;
-    return this;
-  };
-  /**
-   * Removes a label from the Kubernetes resource.
-   * @param key - The key of the label to remove.
-   * @returns The current Action instance for method chaining.
-   */
-  RemoveLabel = (key) => {
-    if (this.Raw.metadata?.labels?.[key]) {
-      delete this.Raw.metadata.labels[key];
-    }
-    return this;
-  };
-  /**
-   * Removes an annotation from the Kubernetes resource.
-   * @param key - The key of the annotation to remove.
-   * @returns The current Action instance for method chaining.
-   */
-  RemoveAnnotation = (key) => {
-    if (this.Raw.metadata?.annotations?.[key]) {
-      delete this.Raw.metadata.annotations[key];
-    }
-    return this;
-  };
-  /**
-   * Check if a label exists on the Kubernetes resource.
-   *
-   * @param key the label key to check
-   * @returns
-   */
-  HasLabel = (key) => {
-    return this.Raw.metadata?.labels?.[key] !== void 0;
-  };
-  /**
-   * Check if an annotation exists on the Kubernetes resource.
-   *
-   * @param key the annotation key to check
-   * @returns
-   */
-  HasAnnotation = (key) => {
-    return this.Raw.metadata?.annotations?.[key] !== void 0;
-  };
-};
-
-// src/lib/utils.ts
-var utils_exports = {};
-__export(utils_exports, {
-  base64Decode: () => base64Decode,
-  base64Encode: () => base64Encode,
-  convertFromBase64Map: () => convertFromBase64Map,
-  convertToBase64Map: () => convertToBase64Map,
-  isAscii: () => isAscii
-});
-var isAscii = /^[\s\x20-\x7E]*$/;
-function convertToBase64Map(obj, skip) {
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    const value = obj.data[key];
-    obj.data[key] = skip.includes(key) ? value : base64Encode(value);
-  }
-}
-function convertFromBase64Map(obj) {
-  const skip = [];
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    if (obj.data[key] == void 0) {
-      obj.data[key] = "";
-    } else {
-      const decoded = base64Decode(obj.data[key]);
-      if (isAscii.test(decoded)) {
-        obj.data[key] = decoded;
-      } else {
-        skip.push(key);
-      }
-    }
-  }
-  logger_default.debug(`Non-ascii data detected in keys: ${skip}, skipping automatic base64 decoding`);
-  return skip;
-}
-function base64Decode(data) {
-  return Buffer.from(data, "base64").toString("utf-8");
-}
-function base64Encode(data) {
-  return Buffer.from(data).toString("base64");
-}
-
-// src/lib/mutate-processor.ts
-async function mutateProcessor(config, capabilities, req, reqMetadata) {
-  const wrapped = new PeprMutateRequest(req);
-  const response = {
-    uid: req.uid,
-    warnings: [],
-    allowed: false
-  };
-  let matchedAction = false;
-  let skipDecode = [];
-  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
-  if (isSecret) {
-    skipDecode = convertFromBase64Map(wrapped.Raw);
-  }
-  logger_default.info(reqMetadata, `Processing request`);
-  for (const { name, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name };
-    for (const action of bindings) {
-      if (!action.mutateCallback) {
-        continue;
-      }
-      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
-      if (shouldSkip !== "") {
-        logger_default.debug(shouldSkip);
-        continue;
-      }
-      const label = action.mutateCallback.name;
-      logger_default.info(actionMetadata, `Processing mutation action (${label})`);
-      matchedAction = true;
-      const updateStatus = (status) => {
-        if (req.operation == "DELETE") {
-          return;
-        }
-        const identifier = `${config.uuid}.pepr.dev/${name}`;
-        wrapped.Raw.metadata = wrapped.Raw.metadata || {};
-        wrapped.Raw.metadata.annotations = wrapped.Raw.metadata.annotations || {};
-        wrapped.Raw.metadata.annotations[identifier] = status;
-      };
-      updateStatus("started");
-      try {
-        await action.mutateCallback(wrapped);
-        logger_default.info(actionMetadata, `Mutation action succeeded (${label})`);
-        updateStatus("succeeded");
-      } catch (e) {
-        updateStatus("warning");
-        response.warnings = response.warnings || [];
-        let errorMessage = "";
-        try {
-          if (e.message && e.message !== "[object Object]") {
-            errorMessage = e.message;
-          } else {
-            throw new Error("An error occurred in the mutate action.");
-          }
-        } catch (e2) {
-          errorMessage = "An error occurred with the mutate action.";
-        }
-        logger_default.error(actionMetadata, `Action failed: ${errorMessage}`);
-        response.warnings.push(`Action failed: ${errorMessage}`);
-        switch (config.onError) {
-          case Errors.reject:
-            logger_default.error(actionMetadata, `Action failed: ${errorMessage}`);
-            response.result = "Pepr module configured to reject on error";
-            return response;
-          case Errors.audit:
-            response.auditAnnotations = response.auditAnnotations || {};
-            response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
-            break;
-        }
-      }
-    }
-  }
-  response.allowed = true;
-  if (!matchedAction) {
-    logger_default.info(reqMetadata, `No matching actions found`);
-    return response;
-  }
-  if (req.operation == "DELETE") {
-    return response;
-  }
-  const transformed = wrapped.Raw;
-  if (isSecret) {
-    convertToBase64Map(transformed, skipDecode);
-  }
-  const patches = import_fast_json_patch.default.compare(req.object, transformed);
-  if (patches.length > 0) {
-    response.patchType = "JSONPatch";
-    response.patch = base64Encode(JSON.stringify(patches));
-  }
-  if (response.warnings && response.warnings.length < 1) {
-    delete response.warnings;
-  }
-  logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
-  return response;
-}
-
-// src/lib/validate-request.ts
-var import_ramda3 = require("ramda");
-var PeprValidateRequest = class {
-  Raw;
-  #input;
-  /**
-   * Provides access to the old resource in the request if available.
-   * @returns The old Kubernetes resource object or null if not available.
-   */
-  get OldResource() {
-    return this.#input.oldObject;
-  }
-  /**
-   * Provides access to the request object.
-   * @returns The request object containing the Kubernetes resource.
-   */
-  get Request() {
-    return this.#input;
-  }
-  /**
-   * Creates a new instance of the Action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
-  constructor(input) {
-    this.#input = input;
-    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda3.clone)(input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda3.clone)(input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.Raw");
-    }
-  }
-  /**
-   * Check if a label exists on the Kubernetes resource.
-   *
-   * @param key the label key to check
-   * @returns
-   */
-  HasLabel = (key) => {
-    return this.Raw.metadata?.labels?.[key] !== void 0;
-  };
-  /**
-   * Check if an annotation exists on the Kubernetes resource.
-   *
-   * @param key the annotation key to check
-   * @returns
-   */
-  HasAnnotation = (key) => {
-    return this.Raw.metadata?.annotations?.[key] !== void 0;
-  };
-  /**
-   * Create a validation response that allows the request.
-   *
-   * @returns The validation response.
-   */
-  Approve = () => {
-    return {
-      allowed: true
-    };
-  };
-  /**
-   * Create a validation response that denies the request.
-   *
-   * @param statusMessage Optional status message to return to the user.
-   * @param statusCode Optional status code to return to the user.
-   * @returns The validation response.
-   */
-  Deny = (statusMessage, statusCode) => {
-    return {
-      allowed: false,
-      statusCode,
-      statusMessage
-    };
-  };
-};
-
-// src/lib/validate-processor.ts
-async function validateProcessor(config, capabilities, req, reqMetadata) {
-  const wrapped = new PeprValidateRequest(req);
-  const response = [];
-  const isSecret = req.kind.version == "v1" && req.kind.kind == "Secret";
-  if (isSecret) {
-    convertFromBase64Map(wrapped.Raw);
-  }
-  logger_default.info(reqMetadata, `Processing validation request`);
-  for (const { name, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name };
-    for (const action of bindings) {
-      if (!action.validateCallback) {
-        continue;
-      }
-      const localResponse = {
-        uid: req.uid,
-        allowed: true
-        // Assume it's allowed until a validation check fails
-      };
-      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
-      if (shouldSkip !== "") {
-        logger_default.debug(shouldSkip);
-        continue;
-      }
-      const label = action.validateCallback.name;
-      logger_default.info(actionMetadata, `Processing validation action (${label})`);
-      try {
-        const resp = await action.validateCallback(wrapped);
-        localResponse.allowed = resp.allowed;
-        if (resp.statusCode || resp.statusMessage) {
-          localResponse.status = {
-            code: resp.statusCode || 400,
-            message: resp.statusMessage || `Validation failed for ${name}`
-          };
-        }
-        logger_default.info(actionMetadata, `Validation action complete (${label}): ${resp.allowed ? "allowed" : "denied"}`);
-      } catch (e) {
-        logger_default.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
-        localResponse.allowed = false;
-        localResponse.status = {
-          code: 500,
-          message: `Action failed with error: ${JSON.stringify(e)}`
-        };
-        return [localResponse];
-      }
-      response.push(localResponse);
-    }
-  }
-  return response;
-}
-
-// src/lib/controller/store.ts
-var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
-var import_ramda4 = require("ramda");
-
-// src/lib/k8s.ts
-var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
-var PeprStore = class extends import_kubernetes_fluent_client.GenericKind {
-};
-var peprStoreGVK = {
-  kind: "PeprStore",
-  version: "v1",
-  group: "pepr.dev"
-};
-(0, import_kubernetes_fluent_client.RegisterKind)(PeprStore, peprStoreGVK);
-
-// src/lib/controller/store.ts
-var redactedValue = "**redacted**";
-var namespace = "pepr-system";
-var debounceBackoff = 5e3;
-var PeprControllerStore = class {
-  #name;
-  #stores = {};
-  #sendDebounce;
-  #onReady;
-  constructor(capabilities, name, onReady) {
-    this.#onReady = onReady;
-    this.#name = name;
-    if (name.includes("schedule")) {
-      for (const { name: name2, registerScheduleStore, hasSchedule } of capabilities) {
-        if (hasSchedule !== true) {
-          continue;
-        }
-        const { scheduleStore } = registerScheduleStore();
-        scheduleStore.registerSender(this.#send(name2));
-        this.#stores[name2] = scheduleStore;
-      }
-    } else {
-      for (const { name: name2, registerStore } of capabilities) {
-        const { store } = registerStore();
-        store.registerSender(this.#send(name2));
-        this.#stores[name2] = store;
-      }
-    }
-    setTimeout(
-      () => (0, import_kubernetes_fluent_client2.K8s)(PeprStore).InNamespace(namespace).Get(this.#name).then(async (store) => await this.#migrateAndSetupWatch(store)).catch(this.#createStoreResource),
-      Math.random() * 3e3
-    );
-  }
-  #setupWatch = () => {
-    const watcher = (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { name: this.#name, namespace }).Watch(this.#receive);
-    watcher.start().catch((e) => logger_default.error(e, "Error starting Pepr store watch"));
-  };
-  #migrateAndSetupWatch = async (store) => {
-    logger_default.debug(redactedStore(store), "Pepr Store migration");
-    const data = store.data || {};
-    const migrateCache = {};
-    const flushCache = async () => {
-      const indexes = Object.keys(migrateCache);
-      const payload = Object.values(migrateCache);
-      for (const idx of indexes) {
-        delete migrateCache[idx];
-      }
-      try {
-        if (payload.length > 0) {
-          await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
-        }
-      } catch (err) {
-        logger_default.error(err, "Pepr store update failure");
-        if (err.status === 422) {
-          Object.keys(migrateCache).forEach((key) => delete migrateCache[key]);
-        } else {
-          for (const idx of indexes) {
-            migrateCache[idx] = payload[Number(idx)];
-          }
-        }
-      }
-    };
-    const fillCache = (name, op, key, val) => {
-      if (op === "add") {
-        const path = `/data/${name}-v2-${key}`;
-        const value = val || "";
-        const cacheIdx = [op, path, value].join(":");
-        migrateCache[cacheIdx] = { op, path, value };
-        return;
-      }
-      if (op === "remove") {
-        if (key.length < 1) {
-          throw new Error(`Key is required for REMOVE operation`);
-        }
-        for (const k of key) {
-          const path = `/data/${name}-${k}`;
-          const cacheIdx = [op, path].join(":");
-          migrateCache[cacheIdx] = { op, path };
-        }
-        return;
-      }
-      throw new Error(`Unsupported operation: ${op}`);
-    };
-    for (const name of Object.keys(this.#stores)) {
-      const offset = `${name}-`.length;
-      for (const key of Object.keys(data)) {
-        if ((0, import_ramda4.startsWith)(name, key) && !(0, import_ramda4.startsWith)(`${name}-v2`, key)) {
-          fillCache(name, "remove", [key.slice(offset)], data[key]);
-          fillCache(name, "add", [key.slice(offset)], data[key]);
-        }
-      }
-    }
-    await flushCache();
-    this.#setupWatch();
-  };
-  #receive = (store) => {
-    logger_default.debug(redactedStore(store), "Pepr Store update");
-    const debounced = () => {
-      const data = store.data || {};
-      for (const name of Object.keys(this.#stores)) {
-        const offset = `${name}-`.length;
-        const filtered = {};
-        for (const key of Object.keys(data)) {
-          if ((0, import_ramda4.startsWith)(name, key)) {
-            filtered[key.slice(offset)] = data[key];
-          }
-        }
-        this.#stores[name].receive(filtered);
-      }
-      if (this.#onReady) {
-        this.#onReady();
-        this.#onReady = void 0;
-      }
-    };
-    clearTimeout(this.#sendDebounce);
-    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoff);
-  };
-  #send = (capabilityName) => {
-    const sendCache = {};
-    const fillCache = (op, key, val) => {
-      if (op === "add") {
-        const path = `/data/${capabilityName}-${key}`;
-        const value = val || "";
-        const cacheIdx = [op, path, value].join(":");
-        sendCache[cacheIdx] = { op, path, value };
-        return;
-      }
-      if (op === "remove") {
-        if (key.length < 1) {
-          throw new Error(`Key is required for REMOVE operation`);
-        }
-        for (const k of key) {
-          const path = `/data/${capabilityName}-${k}`;
-          const cacheIdx = [op, path].join(":");
-          sendCache[cacheIdx] = { op, path };
-        }
-        return;
-      }
-      throw new Error(`Unsupported operation: ${op}`);
-    };
-    const flushCache = async () => {
-      const indexes = Object.keys(sendCache);
-      const payload = Object.values(sendCache);
-      for (const idx of indexes) {
-        delete sendCache[idx];
-      }
-      try {
-        if (payload.length > 0) {
-          await (0, import_kubernetes_fluent_client2.K8s)(PeprStore, { namespace, name: this.#name }).Patch(payload);
-        }
-      } catch (err) {
-        logger_default.error(err, "Pepr store update failure");
-        if (err.status === 422) {
-          Object.keys(sendCache).forEach((key) => delete sendCache[key]);
-        } else {
-          for (const idx of indexes) {
-            sendCache[idx] = payload[Number(idx)];
-          }
-        }
-      }
-    };
-    const sender = async (op, key, val) => {
-      fillCache(op, key, val);
-    };
-    setInterval(() => {
-      if (Object.keys(sendCache).length > 0) {
-        logger_default.debug(redactedPatch(sendCache), "Sending updates to Pepr store");
-        void flushCache();
-      }
-    }, debounceBackoff);
-    return sender;
-  };
-  #createStoreResource = async (e) => {
-    logger_default.info(`Pepr store not found, creating...`);
-    logger_default.debug(e);
-    try {
-      await (0, import_kubernetes_fluent_client2.K8s)(PeprStore).Apply({
-        metadata: {
-          name: this.#name,
-          namespace
-        },
-        data: {
-          // JSON Patch will die if the data is empty, so we need to add a placeholder
-          __pepr_do_not_delete__: "k-thx-bye"
-        }
-      });
-      this.#setupWatch();
-    } catch (err) {
-      logger_default.error(err, "Failed to create Pepr store");
-    }
-  };
-};
-function redactedStore(store) {
-  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
-  return {
-    ...store,
-    data: Object.keys(store.data).reduce((acc, key) => {
-      acc[key] = redacted ? redactedValue : store.data[key];
-      return acc;
-    }, {})
-  };
-}
-function redactedPatch(patch = {}) {
-  const redacted = process.env.PEPR_STORE_REDACT_VALUES === "true";
-  if (!redacted) {
-    return patch;
-  }
-  const redactedCache = {};
-  Object.keys(patch).forEach((key) => {
-    const operation = patch[key];
-    const redactedKey = key.includes(":") ? key.substring(0, key.lastIndexOf(":")) + ":**redacted**" : key;
-    const redactedOperation = {
-      ...operation,
-      ..."value" in operation ? { value: "**redacted**" } : {}
-    };
-    redactedCache[redactedKey] = redactedOperation;
-  });
-  return redactedCache;
-}
-
-// src/lib/controller/index.ts
-if (!process.env.PEPR_NODE_WARNINGS) {
-  process.removeAllListeners("warning");
-}
-var Controller = class _Controller {
-  // Track whether the server is running
-  #running = false;
-  // Metrics collector
-  #metricsCollector = metricsCollector;
-  // The token used to authenticate requests
-  #token = "";
-  // The express app instance
-  #app = (0, import_express.default)();
-  // Initialized with the constructor
-  #config;
-  #capabilities;
-  #beforeHook;
-  #afterHook;
-  constructor(config, capabilities, beforeHook, afterHook, onReady) {
-    this.#config = config;
-    this.#capabilities = capabilities;
-    new PeprControllerStore(capabilities, `pepr-${config.uuid}-store`, () => {
-      this.#bindEndpoints();
-      onReady && onReady();
-      logger_default.info("\u2705 Controller startup complete");
-      new PeprControllerStore(capabilities, `pepr-${config.uuid}-schedule`, () => {
-        logger_default.info("\u2705 Scheduling processed");
-      });
-    });
-    this.#app.use(_Controller.#logger);
-    this.#app.use(import_express.default.json({ limit: "2mb" }));
-    if (beforeHook) {
-      logger_default.info(`Using beforeHook: ${beforeHook}`);
-      this.#beforeHook = beforeHook;
-    }
-    if (afterHook) {
-      logger_default.info(`Using afterHook: ${afterHook}`);
-      this.#afterHook = afterHook;
-    }
-  }
-  /** Start the webhook server */
-  startServer = (port) => {
-    if (this.#running) {
-      throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
-    }
-    const options = {
-      key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
-      cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
-    };
-    if (!isWatchMode()) {
-      this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
-      logger_default.info(`Using API token: ${this.#token}`);
-      if (!this.#token) {
-        throw new Error("API token not found");
-      }
-    }
-    const server = import_https.default.createServer(options, this.#app).listen(port);
-    server.on("listening", () => {
-      logger_default.info(`Server listening on port ${port}`);
-      this.#running = true;
-    });
-    server.on("error", (e) => {
-      if (e.code === "EADDRINUSE") {
-        logger_default.info(
-          `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
-        );
-        setTimeout(() => {
-          server.close();
-          server.listen(port);
-        }, 2e3);
-      }
-    });
-    process.on("SIGTERM", () => {
-      logger_default.info("Received SIGTERM, closing server");
-      server.close(() => {
-        logger_default.info("Server closed");
-        process.exit(0);
-      });
-    });
-  };
-  #bindEndpoints = () => {
-    this.#app.get("/healthz", _Controller.#healthz);
-    this.#app.get("/metrics", this.#metrics);
-    if (isWatchMode()) {
-      return;
-    }
-    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
-    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
-    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
-  };
-  /**
-   * Validate the token in the request path
-   *
-   * @param req The incoming request
-   * @param res The outgoing response
-   * @param next The next middleware function
-   * @returns
-   */
-  #validateToken = (req, res, next) => {
-    const { token } = req.params;
-    if (token !== this.#token) {
-      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
-      logger_default.info(err);
-      res.status(401).send(err);
-      this.#metricsCollector.alert();
-      return;
-    }
-    next();
-  };
-  /**
-   * Metrics endpoint handler
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   */
-  #metrics = async (req, res) => {
-    try {
-      res.send(await this.#metricsCollector.getMetrics());
-    } catch (err) {
-      logger_default.error(err, `Error getting metrics`);
-      res.status(500).send("Internal Server Error");
-    }
-  };
-  /**
-   * Admission request handler for both mutate and validate requests
-   *
-   * @param admissionKind the type of admission request
-   * @returns the request handler
-   */
-  #admissionReq = (admissionKind) => {
-    return async (req, res) => {
-      const startTime = MetricsCollector.observeStart();
-      try {
-        const request = req.body?.request || {};
-        this.#beforeHook && this.#beforeHook(request || {});
-        const name = request?.name ? `/${request.name}` : "";
-        const namespace2 = request?.namespace || "";
-        const gvk = request?.kind || { group: "", version: "", kind: "" };
-        const reqMetadata = {
-          uid: request.uid,
-          namespace: namespace2,
-          name
-        };
-        logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
-        logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
-        let response;
-        if (admissionKind === "Mutate") {
-          response = await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata);
-        } else {
-          response = await validateProcessor(this.#config, this.#capabilities, request, reqMetadata);
-        }
-        const responseList = Array.isArray(response) ? response : [response];
-        responseList.map((res2) => {
-          this.#afterHook && this.#afterHook(res2);
-          logger_default.info({ ...reqMetadata, res: res2 }, "Check response");
-        });
-        let kubeAdmissionResponse;
-        if (admissionKind === "Mutate") {
-          kubeAdmissionResponse = response;
-          logger_default.debug({ ...reqMetadata, response }, "Outgoing response");
-          res.send({
-            apiVersion: "admission.k8s.io/v1",
-            kind: "AdmissionReview",
-            response: kubeAdmissionResponse
-          });
-        } else {
-          kubeAdmissionResponse = responseList.length === 0 ? {
-            uid: request.uid,
-            allowed: true,
-            status: { message: "no in-scope validations -- allowed!" }
-          } : {
-            uid: responseList[0].uid,
-            allowed: responseList.filter((r) => !r.allowed).length === 0,
-            status: {
-              message: responseList.filter((rl) => !rl.allowed).map((curr) => curr.status?.message).join("; ")
-            }
-          };
-          res.send({
-            apiVersion: "admission.k8s.io/v1",
-            kind: "AdmissionReview",
-            response: kubeAdmissionResponse
-          });
-        }
-        logger_default.debug({ ...reqMetadata, kubeAdmissionResponse }, "Outgoing response");
-        this.#metricsCollector.observeEnd(startTime, admissionKind);
-      } catch (err) {
-        logger_default.error(err, `Error processing ${admissionKind} request`);
-        res.status(500).send("Internal Server Error");
-        this.#metricsCollector.error();
-      }
-    };
-  };
-  /**
-   * Middleware for logging requests
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   * @param next the next middleware function
-   */
-  static #logger(req, res, next) {
-    const startTime = Date.now();
-    res.on("finish", () => {
-      const elapsedTime = Date.now() - startTime;
-      const message = {
-        uid: req.body?.request?.uid,
-        method: req.method,
-        url: req.originalUrl,
-        status: res.statusCode,
-        duration: `${elapsedTime} ms`
-      };
-      logger_default.info(message);
-    });
-    next();
-  }
-  /**
-   * Health check endpoint handler
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   */
-  static #healthz(req, res) {
-    try {
-      res.send("OK");
-    } catch (err) {
-      logger_default.error(err, `Error processing health check`);
-      res.status(500).send("Internal Server Error");
-    }
-  }
-};
-
-// src/lib/watch-processor.ts
-var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
-var import_types6 = require("kubernetes-fluent-client/dist/fluent/types");
-
-// src/lib/helpers.ts
-var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
-
-// src/sdk/sdk.ts
-var sdk_exports = {};
-__export(sdk_exports, {
-  containers: () => containers,
-  getOwnerRefFrom: () => getOwnerRefFrom,
-  sanitizeResourceName: () => sanitizeResourceName,
-  writeEvent: () => writeEvent
-});
-var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
-function containers(request, containerType) {
-  const containers2 = request.Raw.spec?.containers || [];
-  const initContainers = request.Raw.spec?.initContainers || [];
-  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
-  if (containerType === "containers") {
-    return containers2;
-  }
-  if (containerType === "initContainers") {
-    return initContainers;
-  }
-  if (containerType === "ephemeralContainers") {
-    return ephemeralContainers;
-  }
-  return [...containers2, ...initContainers, ...ephemeralContainers];
-}
-async function writeEvent(cr, event, eventType, eventReason, reportingComponent, reportingInstance) {
-  logger_default.debug(cr.metadata, `Writing event: ${event.message}`);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CoreEvent).Create({
-    type: eventType,
-    reason: eventReason,
-    ...event,
-    // Fixed values
-    metadata: {
-      namespace: cr.metadata.namespace,
-      generateName: cr.metadata.name
-    },
-    involvedObject: {
-      apiVersion: cr.apiVersion,
-      kind: cr.kind,
-      name: cr.metadata.name,
-      namespace: cr.metadata.namespace,
-      uid: cr.metadata.uid
-    },
-    firstTimestamp: /* @__PURE__ */ new Date(),
-    reportingComponent,
-    reportingInstance
-  });
-}
-function getOwnerRefFrom(customResource, blockOwnerDeletion, controller) {
-  const { apiVersion, kind: kind4, metadata } = customResource;
-  const { name, uid } = metadata;
-  return [
-    {
-      apiVersion,
-      kind: kind4,
-      uid,
-      name,
-      ...blockOwnerDeletion !== void 0 && { blockOwnerDeletion },
-      ...controller !== void 0 && { controller }
-    }
-  ];
-}
-function sanitizeResourceName(name) {
-  return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
-}
-
-// src/lib/helpers.ts
-function filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces) {
-  const prefix = "Ignoring Watch Callback:";
-  return mismatchedDeletionTimestamp(binding, obj) ? `${prefix} Binding defines deletionTimestamp but Object does not carry it.` : mismatchedName(binding, obj) ? `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` : misboundNamespace(binding) ? `${prefix} Cannot use namespace filter on a namespace object.` : mismatchedLabels(binding, obj) ? `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.` : mismatchedAnnotations(binding, obj) ? `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.` : uncarryableNamespace(capabilityNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : unbindableNamespaces(capabilityNamespaces, binding) ? `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : mismatchedNamespace(binding, obj) ? `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedNamespaceRegex(binding, obj) ? `${prefix} Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedNameRegex(binding, obj) ? `${prefix} Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.` : carriesIgnoredNamespace(ignoredNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : "";
-}
-
-// src/lib/finalizer.ts
-var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
-function addFinalizer(request) {
-  if (request.Request.operation === "DELETE" /* DELETE */) {
-    return;
-  }
-  if (request.Request.operation === "UPDATE" /* UPDATE */ && request.Raw.metadata?.deletionTimestamp) {
-    return;
-  }
-  const peprFinal = "pepr.dev/finalizer";
-  const finalizers = request.Raw.metadata?.finalizers || [];
-  if (!finalizers.includes(peprFinal)) {
-    finalizers.push(peprFinal);
-  }
-  request.Merge({ metadata: { finalizers } });
-}
-async function removeFinalizer(binding, obj) {
-  const peprFinal = "pepr.dev/finalizer";
-  const meta = obj.metadata;
-  const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
-  logger_default.debug({ obj }, `Removing finalizer '${peprFinal}' from '${resource}'`);
-  const { model, kind: kind4 } = binding;
-  try {
-    (0, import_kubernetes_fluent_client5.RegisterKind)(model, kind4);
-  } catch (e) {
-    const expected = e.message === `GVK ${model.name} already registered`;
-    if (!expected) {
-      logger_default.error({ model, kind: kind4, error: e }, `Error registering "${kind4}" during finalization.`);
-      return;
-    }
-  }
-  const finalizers = meta.finalizers?.filter((f) => f !== peprFinal) || [];
-  obj = await (0, import_kubernetes_fluent_client5.K8s)(model, meta).Patch([
-    {
-      op: "replace",
-      path: `/metadata/finalizers`,
-      value: finalizers
-    }
-  ]);
-  logger_default.debug({ obj }, `Removed finalizer '${peprFinal}' from '${resource}'`);
-}
-
-// src/lib/queue.ts
-var import_node_crypto = require("node:crypto");
-var Queue = class {
-  #name;
-  #uid;
-  #queue = [];
-  #pendingPromise = false;
-  constructor(name) {
-    this.#name = name;
-    this.#uid = `${Date.now()}-${(0, import_node_crypto.randomBytes)(2).toString("hex")}`;
-  }
-  label() {
-    return { name: this.#name, uid: this.#uid };
-  }
-  stats() {
-    return {
-      queue: this.label(),
-      stats: {
-        length: this.#queue.length
-      }
-    };
-  }
-  /**
-   * Enqueue adds an item to the queue and returns a promise that resolves when the item is
-   * reconciled.
-   *
-   * @param item The object to reconcile
-   * @param type The watch phase requested for reconcile
-   * @param reconcile The callback to enqueue for reconcile
-   * @returns A promise that resolves when the object is reconciled
-   */
-  enqueue(item, phase, reconcile) {
-    const note = {
-      queue: this.label(),
-      item: {
-        name: item.metadata?.name,
-        namespace: item.metadata?.namespace,
-        resourceVersion: item.metadata?.resourceVersion
-      }
-    };
-    logger_default.debug(note, "Enqueueing");
-    return new Promise((resolve, reject) => {
-      this.#queue.push({ item, phase, callback: reconcile, resolve, reject });
-      logger_default.debug(this.stats(), "Queue stats - push");
-      return this.#dequeue();
-    });
-  }
-  /**
-   * Dequeue reconciles the next item in the queue
-   *
-   * @returns A promise that resolves when the webapp is reconciled
-   */
-  async #dequeue() {
-    if (this.#pendingPromise) {
-      logger_default.debug("Pending promise, not dequeuing");
-      return false;
-    }
-    const element = this.#queue.shift();
-    if (!element) {
-      logger_default.debug("No element, not dequeuing");
-      return false;
-    }
-    try {
-      this.#pendingPromise = true;
-      const note = {
-        queue: this.label(),
-        item: {
-          name: element.item.metadata?.name,
-          namespace: element.item.metadata?.namespace,
-          resourceVersion: element.item.metadata?.resourceVersion
-        }
-      };
-      logger_default.debug(note, "Reconciling");
-      await element.callback(element.item, element.phase);
-      logger_default.debug(note, "Reconciled");
-      element.resolve();
-    } catch (e) {
-      logger_default.debug(`Error reconciling ${element.item.metadata.name}`, { error: e });
-      element.reject(e);
-    } finally {
-      logger_default.debug(this.stats(), "Queue stats - shift");
-      logger_default.debug("Resetting pending promise and dequeuing");
-      this.#pendingPromise = false;
-      await this.#dequeue();
-    }
-  }
-};
-
-// src/lib/watch-processor.ts
-var queues = {};
-function queueKey(obj) {
-  const options = ["kind", "kindNs", "kindNsName", "global"];
-  const d3fault = "kind";
-  let strat = process.env.PEPR_RECONCILE_STRATEGY || d3fault;
-  strat = options.includes(strat) ? strat : d3fault;
-  const ns = obj.metadata?.namespace ?? "cluster-scoped";
-  const kind4 = obj.kind ?? "UnknownKind";
-  const name = obj.metadata?.name ?? "Unnamed";
-  const lookup = {
-    kind: `${kind4}`,
-    kindNs: `${kind4}/${ns}`,
-    kindNsName: `${kind4}/${ns}/${name}`,
-    global: "global"
-  };
-  return lookup[strat];
-}
-function getOrCreateQueue(obj) {
-  const key = queueKey(obj);
-  if (!queues[key]) {
-    queues[key] = new Queue(key);
-  }
-  return queues[key];
-}
-var watchCfg = {
-  resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
-  resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10) : 5,
-  lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS ? parseInt(process.env.PEPR_LAST_SEEN_LIMIT_SECONDS, 10) : 300,
-  relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10) : 600
-};
-var eventToPhaseMap = {
-  ["CREATE" /* Create */]: [import_types6.WatchPhase.Added],
-  ["UPDATE" /* Update */]: [import_types6.WatchPhase.Modified],
-  ["CREATEORUPDATE" /* CreateOrUpdate */]: [import_types6.WatchPhase.Added, import_types6.WatchPhase.Modified],
-  ["DELETE" /* Delete */]: [import_types6.WatchPhase.Deleted],
-  ["*" /* Any */]: [import_types6.WatchPhase.Added, import_types6.WatchPhase.Modified, import_types6.WatchPhase.Deleted]
-};
-function setupWatch(capabilities, ignoredNamespaces) {
-  capabilities.map(
-    (capability) => capability.bindings.filter((binding) => binding.isWatch).forEach((bindingElement) => runBinding(bindingElement, capability.namespaces, ignoredNamespaces))
-  );
-}
-async function runBinding(binding, capabilityNamespaces, ignoredNamespaces) {
-  const phaseMatch = eventToPhaseMap[binding.event] || eventToPhaseMap["*" /* Any */];
-  logger_default.debug({ watchCfg }, "Effective WatchConfig");
-  const watchCallback = async (obj, phase) => {
-    if (phaseMatch.includes(phase)) {
-      try {
-        const filterMatch = filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces);
-        if (filterMatch === "") {
-          if (binding.isFinalize) {
-            if (!obj.metadata?.deletionTimestamp) {
-              return;
-            }
-            try {
-              await binding.finalizeCallback?.(obj);
-            } finally {
-              await removeFinalizer(binding, obj);
-            }
-          } else {
-            await binding.watchCallback?.(obj, phase);
-          }
-        } else {
-          logger_default.debug(filterMatch);
-        }
-      } catch (e) {
-        logger_default.error(e, "Error executing watch callback");
-      }
-    }
-  };
-  const watcher = (0, import_kubernetes_fluent_client6.K8s)(binding.model, binding.filters).Watch(async (obj, phase) => {
-    logger_default.debug(obj, `Watch event ${phase} received`);
-    if (binding.isQueue) {
-      const queue = getOrCreateQueue(obj);
-      await queue.enqueue(obj, phase, watchCallback);
-    } else {
-      await watchCallback(obj, phase);
-    }
-  }, watchCfg);
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => {
-    logger_default.error(err, "Watch failed after 5 attempts, giving up");
-    process.exit(1);
-  });
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client6.WatchEvent.CONNECT, url));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, err.message));
-  watcher.events.on(
-    import_kubernetes_fluent_client6.WatchEvent.RECONNECT,
-    (retryCount) => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`)
-  );
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.ABORT, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, err));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CACHE_MISS, (windowName) => {
-    metricsCollector.incCacheMiss(windowName);
-  });
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INIT_CACHE_MISS, (windowName) => {
-    metricsCollector.initCacheMissWindow(windowName);
-  });
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INC_RESYNC_FAILURE_COUNT, (retryCount) => {
-    metricsCollector.incRetryCount(retryCount);
-  });
-  try {
-    await watcher.start();
-  } catch (err) {
-    logger_default.error(err, "Error starting watch");
-    process.exit(1);
-  }
-}
-function logEvent(event, message = "", obj) {
-  const logMessage = `Watch event ${event} received${message ? `. ${message}.` : "."}`;
-  if (obj) {
-    logger_default.debug(obj, logMessage);
-  } else {
-    logger_default.debug(logMessage);
-  }
-}
-
-// src/lib/module.ts
-var isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
-var isBuildMode = () => process.env.PEPR_MODE === "build";
-var isDevMode = () => process.env.PEPR_MODE === "dev";
-var PeprModule = class {
-  #controller;
-  /**
-   * Create a new Pepr runtime
-   *
-   * @param config The configuration for the Pepr runtime
-   * @param capabilities The capabilities to be loaded into the Pepr runtime
-   * @param opts Options for the Pepr runtime
-   */
-  constructor({ description, pepr }, capabilities = [], opts = {}) {
-    const config = (0, import_ramda5.clone)(pepr);
-    config.description = description;
-    ValidateError(config.onError);
-    if (isBuildMode()) {
-      if (!process.send) {
-        throw new Error("process.send is not defined");
-      }
-      const exportedCapabilities = [];
-      for (const capability of capabilities) {
-        exportedCapabilities.push({
-          name: capability.name,
-          description: capability.description,
-          namespaces: capability.namespaces,
-          bindings: capability.bindings,
-          hasSchedule: capability.hasSchedule
-        });
-      }
-      process.send(exportedCapabilities);
-      return;
-    }
-    this.#controller = new Controller(config, capabilities, opts.beforeHook, opts.afterHook, () => {
-      if (isWatchMode() || isDevMode()) {
-        try {
-          setupWatch(capabilities, pepr?.alwaysIgnore?.namespaces);
-        } catch (e) {
-          logger_default.error(e, "Error setting up watch");
-          process.exit(1);
-        }
-      }
-    });
-    if (opts.deferStart) {
-      return;
-    }
-    this.start();
-  }
-  /**
-   * Start the Pepr runtime manually.
-   * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
-   *
-   * @param port
-   */
-  start = (port = 3e3) => {
-    this.#controller.startServer(port);
-  };
-};
-
-// src/lib/storage.ts
-var import_ramda6 = require("ramda");
-var import_json_pointer = __toESM(require("json-pointer"));
-var MAX_WAIT_TIME = 15e3;
-var STORE_VERSION_PREFIX = "v2";
-function v2StoreKey(key) {
-  return `${STORE_VERSION_PREFIX}-${import_json_pointer.default.escape(key)}`;
-}
-function v2UnescapedStoreKey(key) {
-  return `${STORE_VERSION_PREFIX}-${key}`;
-}
-var Storage = class {
-  #store = {};
-  #send;
-  #subscribers = {};
-  #subscriberId = 0;
-  #readyHandlers = [];
-  registerSender = (send) => {
-    this.#send = send;
-  };
-  receive = (data) => {
-    this.#store = data || {};
-    this.#onReady();
-    for (const idx in this.#subscribers) {
-      this.#subscribers[idx]((0, import_ramda6.clone)(this.#store));
-    }
-  };
-  getItem = (key) => {
-    const result = this.#store[v2UnescapedStoreKey(key)] || null;
-    if (result !== null && typeof result !== "function" && typeof result !== "object") {
-      return result;
-    }
-    return null;
-  };
-  clear = () => {
-    Object.keys(this.#store).length > 0 && this.#dispatchUpdate(
-      "remove",
-      Object.keys(this.#store).map((key) => import_json_pointer.default.escape(key))
-    );
-  };
-  removeItem = (key) => {
-    this.#dispatchUpdate("remove", [v2StoreKey(key)]);
-  };
-  setItem = (key, value) => {
-    this.#dispatchUpdate("add", [v2StoreKey(key)], value);
-  };
-  /**
-   * Creates a promise and subscribes to the store, the promise resolves when
-   * the key and value are seen in the store.
-   *
-   * @param key - The key to add into the store
-   * @param value - The value of the key
-   * @returns
-   */
-  setItemAndWait = (key, value) => {
-    this.#dispatchUpdate("add", [v2StoreKey(key)], value);
-    return new Promise((resolve, reject) => {
-      const unsubscribe = this.subscribe((data) => {
-        if (data[`${v2UnescapedStoreKey(key)}`] === value) {
-          unsubscribe();
-          resolve();
-        }
-      });
-      setTimeout(() => {
-        unsubscribe();
-        return reject();
-      }, MAX_WAIT_TIME);
-    });
-  };
-  /**
-   * Creates a promise and subscribes to the store, the promise resolves when
-   * the key is removed from the store.
-   *
-   * @param key - The key to add into the store
-   * @returns
-   */
-  removeItemAndWait = (key) => {
-    this.#dispatchUpdate("remove", [v2StoreKey(key)]);
-    return new Promise((resolve, reject) => {
-      const unsubscribe = this.subscribe((data) => {
-        if (!Object.hasOwn(data, `${v2UnescapedStoreKey(key)}`)) {
-          unsubscribe();
-          resolve();
-        }
-      });
-      setTimeout(() => {
-        unsubscribe();
-        return reject();
-      }, MAX_WAIT_TIME);
-    });
-  };
-  subscribe = (subscriber) => {
-    const idx = this.#subscriberId++;
-    this.#subscribers[idx] = subscriber;
-    return () => this.unsubscribe(idx);
-  };
-  onReady = (callback) => {
-    this.#readyHandlers.push(callback);
-  };
-  /**
-   * Remove a subscriber from the list of subscribers.
-   * @param idx - The index of the subscriber to remove.
-   */
-  unsubscribe = (idx) => {
-    delete this.#subscribers[idx];
-  };
-  #onReady = () => {
-    for (const handler of this.#readyHandlers) {
-      handler((0, import_ramda6.clone)(this.#store));
-    }
-    this.#onReady = () => {
-    };
-  };
-  /**
-   * Dispatch an update to the store and notify all subscribers.
-   * @param  op - The type of operation to perform.
-   * @param  keys - The keys to update.
-   * @param  [value] - The new value.
-   */
-  #dispatchUpdate = (op, keys, value) => {
-    this.#send(op, keys, value);
-  };
-};
-
-// src/lib/schedule.ts
-var OnSchedule = class {
-  intervalId = null;
-  store;
-  name;
-  completions;
-  every;
-  unit;
-  run;
-  startTime;
-  duration;
-  lastTimestamp;
-  constructor(schedule) {
-    this.name = schedule.name;
-    this.run = schedule.run;
-    this.every = schedule.every;
-    this.unit = schedule.unit;
-    this.startTime = schedule?.startTime;
-    this.completions = schedule?.completions;
-  }
-  setStore(store) {
-    this.store = store;
-    this.startInterval();
-  }
-  startInterval() {
-    this.checkStore();
-    this.getDuration();
-    this.setupInterval();
-  }
-  /**
-   * Checks the store for this schedule and sets the values if it exists
-   * @returns
-   */
-  checkStore() {
-    const result = this.store && this.store.getItem(this.name);
-    if (result) {
-      const storedSchedule = JSON.parse(result);
-      this.completions = storedSchedule?.completions;
-      this.startTime = storedSchedule?.startTime;
-      this.lastTimestamp = storedSchedule?.lastTimestamp;
-    }
-  }
-  /**
-   * Saves the schedule to the store
-   * @returns
-   */
-  saveToStore() {
-    const schedule = {
-      completions: this.completions,
-      startTime: this.startTime,
-      lastTimestamp: /* @__PURE__ */ new Date(),
-      name: this.name
-    };
-    this.store && this.store.setItem(this.name, JSON.stringify(schedule));
-  }
-  /**
-   * Gets the durations in milliseconds
-   */
-  getDuration() {
-    switch (this.unit) {
-      case "seconds":
-        if (this.every < 10) throw new Error("10 Seconds in the smallest interval allowed");
-        this.duration = 1e3 * this.every;
-        break;
-      case "minutes":
-      case "minute":
-        this.duration = 1e3 * 60 * this.every;
-        break;
-      case "hours":
-      case "hour":
-        this.duration = 1e3 * 60 * 60 * this.every;
-        break;
-      default:
-        throw new Error("Invalid time unit");
-    }
-  }
-  /**
-   * Sets up the interval
-   */
-  setupInterval() {
-    const now = /* @__PURE__ */ new Date();
-    let delay;
-    if (this.lastTimestamp && this.startTime) {
-      this.startTime = void 0;
-    }
-    if (this.startTime) {
-      delay = this.startTime.getTime() - now.getTime();
-    } else if (this.lastTimestamp && this.duration) {
-      const lastTimestamp = new Date(this.lastTimestamp);
-      delay = this.duration - (now.getTime() - lastTimestamp.getTime());
-    }
-    if (delay === void 0 || delay <= 0) {
-      this.start();
-    } else {
-      setTimeout(() => {
-        this.start();
-      }, delay);
-    }
-  }
-  /**
-   * Starts the interval
-   */
-  start() {
-    this.intervalId = setInterval(() => {
-      if (this.completions === 0) {
-        this.stop();
-        return;
-      } else {
-        this.run();
-        if (this.completions && this.completions !== 0) {
-          this.completions -= 1;
-        }
-        this.saveToStore();
-      }
-    }, this.duration);
-  }
-  /**
-   * Stops the interval
-   */
-  stop() {
-    if (this.intervalId) {
-      clearInterval(this.intervalId);
-      this.intervalId = null;
-    }
-    this.store && this.store.removeItem(this.name);
-  }
-};
-
-// src/lib/capability.ts
-var registerAdmission = isBuildMode() || !isWatchMode();
-var registerWatch = isBuildMode() || isWatchMode() || isDevMode();
-var Capability = class {
-  #name;
-  #description;
-  #namespaces;
-  #bindings = [];
-  #store = new Storage();
-  #scheduleStore = new Storage();
-  #registered = false;
-  #scheduleRegistered = false;
-  hasSchedule;
-  /**
-   * Run code on a schedule with the capability.
-   *
-   * @param schedule The schedule to run the code on
-   * @returns
-   */
-  OnSchedule = (schedule) => {
-    const { name, every, unit, run, startTime, completions } = schedule;
-    this.hasSchedule = true;
-    if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") {
-      const newSchedule = {
-        name,
-        every,
-        unit,
-        run,
-        startTime,
-        completions
-      };
-      this.#scheduleStore.onReady(() => {
-        new OnSchedule(newSchedule).setStore(this.#scheduleStore);
-      });
-    }
-  };
-  getScheduleStore() {
-    return this.#scheduleStore;
-  }
-  /**
-   * Store is a key-value data store that can be used to persist data that should be shared
-   * between requests. Each capability has its own store, and the data is persisted in Kubernetes
-   * in the `pepr-system` namespace.
-   *
-   * Note: You should only access the store from within an action.
-   */
-  Store = {
-    clear: this.#store.clear,
-    getItem: this.#store.getItem,
-    removeItem: this.#store.removeItem,
-    removeItemAndWait: this.#store.removeItemAndWait,
-    setItem: this.#store.setItem,
-    subscribe: this.#store.subscribe,
-    onReady: this.#store.onReady,
-    setItemAndWait: this.#store.setItemAndWait
-  };
-  /**
-   * ScheduleStore is a key-value data store used to persist schedule data that should be shared
-   * between intervals. Each Schedule shares store, and the data is persisted in Kubernetes
-   * in the `pepr-system` namespace.
-   *
-   * Note: There is no direct access to schedule store
-   */
-  ScheduleStore = {
-    clear: this.#scheduleStore.clear,
-    getItem: this.#scheduleStore.getItem,
-    removeItemAndWait: this.#scheduleStore.removeItemAndWait,
-    removeItem: this.#scheduleStore.removeItem,
-    setItemAndWait: this.#scheduleStore.setItemAndWait,
-    setItem: this.#scheduleStore.setItem,
-    subscribe: this.#scheduleStore.subscribe,
-    onReady: this.#scheduleStore.onReady
-  };
-  get bindings() {
-    return this.#bindings;
-  }
-  get name() {
-    return this.#name;
-  }
-  get description() {
-    return this.#description;
-  }
-  get namespaces() {
-    return this.#namespaces || [];
-  }
-  constructor(cfg) {
-    this.#name = cfg.name;
-    this.#description = cfg.description;
-    this.#namespaces = cfg.namespaces;
-    this.hasSchedule = false;
-    logger_default.info(`Capability ${this.#name} registered`);
-    logger_default.debug(cfg);
-  }
-  /**
-   * Register the store with the capability. This is called automatically by the Pepr controller.
-   *
-   * @param store
-   */
-  registerScheduleStore = () => {
-    logger_default.info(`Registering schedule store for ${this.#name}`);
-    if (this.#scheduleRegistered) {
-      throw new Error(`Schedule store already registered for ${this.#name}`);
-    }
-    this.#scheduleRegistered = true;
-    return {
-      scheduleStore: this.#scheduleStore
-    };
-  };
-  /**
-   * Register the store with the capability. This is called automatically by the Pepr controller.
-   *
-   * @param store
-   */
-  registerStore = () => {
-    logger_default.info(`Registering store for ${this.#name}`);
-    if (this.#registered) {
-      throw new Error(`Store already registered for ${this.#name}`);
-    }
-    this.#registered = true;
-    return {
-      store: this.#store
-    };
-  };
-  /**
-   * The When method is used to register a action to be executed when a Kubernetes resource is
-   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
-   * filters that are applied.
-   *
-   * @param model the KubernetesObject model to match
-   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
-   * @returns
-   */
-  When = (model, kind4) => {
-    const matchedKind = (0, import_kubernetes_fluent_client7.modelToGroupVersionKind)(model.name);
-    if (!matchedKind && !kind4) {
-      throw new Error(`Kind not specified for ${model.name}`);
-    }
-    const binding = {
-      model,
-      // If the kind is not specified, use the matched kind from the model
-      kind: kind4 || matchedKind,
-      event: "*" /* Any */,
-      filters: {
-        name: "",
-        namespaces: [],
-        regexNamespaces: [],
-        regexName: "",
-        labels: {},
-        annotations: {},
-        deletionTimestamp: false
-      }
-    };
-    const bindings = this.#bindings;
-    const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, WithDeletionTimestamp, Mutate, Validate, Watch, Reconcile, Alias };
-    const isNotEmpty = (value) => Object.keys(value).length > 0;
-    const log = (message, cbString) => {
-      const filteredObj = (0, import_ramda7.pickBy)(isNotEmpty, binding.filters);
-      logger_default.info(`${message} configured for ${binding.event}`, prefix);
-      logger_default.info(filteredObj, prefix);
-      logger_default.debug(cbString, prefix);
-    };
-    function Validate(validateCallback) {
-      if (registerAdmission) {
-        log("Validate Action", validateCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isValidate: true,
-          validateCallback: async (req, logger = aliasLogger) => {
-            logger_default.info(`Executing validate action with alias: ${binding.alias || "no alias provided"}`);
-            return await validateCallback(req, logger);
-          }
-        });
-      }
-      return { Watch, Reconcile };
-    }
-    function Mutate(mutateCallback) {
-      if (registerAdmission) {
-        log("Mutate Action", mutateCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isMutate: true,
-          mutateCallback: async (req, logger = aliasLogger) => {
-            logger_default.info(`Executing mutation action with alias: ${binding.alias || "no alias provided"}`);
-            await mutateCallback(req, logger);
-          }
-        });
-      }
-      return { Watch, Validate, Reconcile };
-    }
-    function Watch(watchCallback) {
-      if (registerWatch) {
-        log("Watch Action", watchCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isWatch: true,
-          watchCallback: async (update, phase, logger = aliasLogger) => {
-            logger_default.info(`Executing watch action with alias: ${binding.alias || "no alias provided"}`);
-            await watchCallback(update, phase, logger);
-          }
-        });
-      }
-      return { Finalize };
-    }
-    function Reconcile(reconcileCallback) {
-      if (registerWatch) {
-        log("Reconcile Action", reconcileCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isWatch: true,
-          isQueue: true,
-          watchCallback: async (update, phase, logger = aliasLogger) => {
-            logger_default.info(`Executing reconcile action with alias: ${binding.alias || "no alias provided"}`);
-            await reconcileCallback(update, phase, logger);
-          }
-        });
-      }
-      return { Finalize };
-    }
-    function Finalize(finalizeCallback) {
-      log("Finalize Action", finalizeCallback.toString());
-      const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-      if (registerAdmission) {
-        const mutateBinding = {
-          ...binding,
-          isMutate: true,
-          isFinalize: true,
-          event: "*" /* Any */,
-          mutateCallback: addFinalizer
-        };
-        bindings.push(mutateBinding);
-      }
-      if (registerWatch) {
-        const watchBinding = {
-          ...binding,
-          isWatch: true,
-          isFinalize: true,
-          event: "UPDATE" /* Update */,
-          finalizeCallback: async (update, logger = aliasLogger) => {
-            logger_default.info(`Executing finalize action with alias: ${binding.alias || "no alias provided"}`);
-            await finalizeCallback(update, logger);
-          }
-        };
-        bindings.push(watchBinding);
-      }
-    }
-    function InNamespace(...namespaces) {
-      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
-      binding.filters.namespaces.push(...namespaces);
-      return { ...commonChain, WithName, WithNameRegex };
-    }
-    function InNamespaceRegex(...namespaces) {
-      logger_default.debug(`Add regex namespaces filter ${namespaces}`, prefix);
-      binding.filters.regexNamespaces.push(...namespaces.map((regex) => regex.source));
-      return { ...commonChain, WithName, WithNameRegex };
-    }
-    function WithDeletionTimestamp() {
-      logger_default.debug("Add deletionTimestamp filter");
-      binding.filters.deletionTimestamp = true;
-      return commonChain;
-    }
-    function WithNameRegex(regexName) {
-      logger_default.debug(`Add regex name filter ${regexName}`, prefix);
-      binding.filters.regexName = regexName.source;
-      return commonChain;
-    }
-    function WithName(name) {
-      logger_default.debug(`Add name filter ${name}`, prefix);
-      binding.filters.name = name;
-      return commonChain;
-    }
-    function WithLabel(key, value = "") {
-      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
-      binding.filters.labels[key] = value;
-      return commonChain;
-    }
-    function WithAnnotation(key, value = "") {
-      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
-      binding.filters.annotations[key] = value;
-      return commonChain;
-    }
-    function Alias(alias) {
-      logger_default.debug(`Adding prefix alias ${alias}`, prefix);
-      binding.alias = alias;
-      return commonChain;
-    }
-    function bindEvent(event) {
-      binding.event = event;
-      return {
-        ...commonChain,
-        InNamespace,
-        InNamespaceRegex,
-        WithName,
-        WithNameRegex,
-        WithDeletionTimestamp,
-        Alias
-      };
-    }
-    return {
-      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CreateOrUpdate */),
-      IsCreated: () => bindEvent("CREATE" /* Create */),
-      IsUpdated: () => bindEvent("UPDATE" /* Update */),
-      IsDeleted: () => bindEvent("DELETE" /* Delete */)
-    };
-  };
-};
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  Capability,
-  K8s,
-  Log,
-  PeprModule,
-  PeprMutateRequest,
-  PeprUtils,
-  PeprValidateRequest,
-  R,
-  RegisterKind,
-  a,
-  fetch,
-  fetchStatus,
-  kind,
-  sdk
-});
-//# sourceMappingURL=lib.js.map