npm - pepr - Versions diffs - 0.40.1 → 0.42.0 - Mend

pepr 0.40.1 → 0.42.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

package/README.md +11 -5
package/dist/cli/build.d.ts.map +1 -1
package/dist/cli/deploy.d.ts.map +1 -1
package/dist/cli/init/templates.d.ts +2 -2
package/dist/cli.js +228 -179
package/dist/controller.js +52 -27
package/dist/lib/assets/index.d.ts.map +1 -1
package/dist/lib/capability.d.ts.map +1 -1
package/dist/lib/controller/index.d.ts.map +1 -1
package/dist/lib/controller/index.util.d.ts +10 -0
package/dist/lib/controller/index.util.d.ts.map +1 -0
package/dist/lib/controller/store.d.ts +1 -1
package/dist/lib/deploymentChecks.d.ts +3 -0
package/dist/lib/deploymentChecks.d.ts.map +1 -0
package/dist/lib/enums.d.ts +5 -5
package/dist/lib/enums.d.ts.map +1 -1
package/dist/lib/filesystemService.d.ts +2 -0
package/dist/lib/filesystemService.d.ts.map +1 -0
package/dist/lib/filter/adjudicators/adjudicators.d.ts +73 -0
package/dist/lib/filter/adjudicators/adjudicators.d.ts.map +1 -0
package/dist/lib/filter/adjudicators/defaultTestObjects.d.ts +7 -0
package/dist/lib/filter/adjudicators/defaultTestObjects.d.ts.map +1 -0
package/dist/lib/helpers.d.ts +1 -4
package/dist/lib/helpers.d.ts.map +1 -1
package/dist/lib/schedule.d.ts.map +1 -1
package/dist/lib/storage.d.ts +1 -1
package/dist/lib/storage.d.ts.map +1 -1
package/dist/lib/{logger.d.ts → telemetry/logger.d.ts} +1 -1
package/dist/lib/telemetry/logger.d.ts.map +1 -0
package/dist/lib/{metrics.d.ts → telemetry/metrics.d.ts} +3 -1
package/dist/lib/telemetry/metrics.d.ts.map +1 -0
package/dist/lib/types.d.ts +10 -9
package/dist/lib/types.d.ts.map +1 -1
package/dist/lib.d.ts +1 -1
package/dist/lib.d.ts.map +1 -1
package/dist/lib.js +151 -126
package/dist/lib.js.map +4 -4
package/dist/sdk/sdk.d.ts +3 -4
package/dist/sdk/sdk.d.ts.map +1 -1
package/package.json +5 -5
package/src/cli/build.ts +2 -1
package/src/cli/deploy.ts +2 -1
package/src/cli/init/templates.ts +1 -1
package/src/lib/assets/deploy.ts +1 -1
package/src/lib/assets/destroy.ts +1 -1
package/src/lib/assets/index.ts +102 -81
package/src/lib/assets/webhooks.ts +2 -2
package/src/lib/capability.ts +8 -9
package/src/lib/controller/index.ts +32 -62
package/src/lib/controller/index.util.ts +47 -0
package/src/lib/controller/store.ts +2 -2
package/src/lib/controller/storeCache.ts +1 -1
package/src/lib/deploymentChecks.ts +43 -0
package/src/lib/enums.ts +5 -5
package/src/lib/filesystemService.ts +16 -0
package/src/lib/filter/{adjudicators.ts → adjudicators/adjudicators.ts} +67 -35
package/src/lib/filter/adjudicators/defaultTestObjects.ts +46 -0
package/src/lib/filter/filter.ts +1 -1
package/src/lib/finalizer.ts +1 -1
package/src/lib/helpers.ts +31 -88
package/src/lib/mutate-processor.ts +1 -1
package/src/lib/queue.ts +1 -1
package/src/lib/schedule.ts +8 -8
package/src/lib/storage.ts +17 -17
package/src/lib/{logger.ts → telemetry/logger.ts} +1 -1
package/src/lib/{metrics.ts → telemetry/metrics.ts} +18 -17
package/src/lib/types.ts +12 -9
package/src/lib/utils.ts +1 -1
package/src/lib/validate-processor.ts +1 -1
package/src/lib/watch-processor.ts +8 -8
package/src/lib.ts +1 -1
package/src/runtime/controller.ts +1 -1
package/src/sdk/sdk.ts +6 -9
package/src/templates/capabilities/hello-pepr.ts +19 -9
package/dist/lib/filter/adjudicators.d.ts +0 -69
package/dist/lib/filter/adjudicators.d.ts.map +0 -1
package/dist/lib/logger.d.ts.map +0 -1
package/dist/lib/metrics.d.ts.map +0 -1

package/dist/cli.js CHANGED Viewed

@@ -170,10 +170,10 @@ function genCert(key, name2, issuer) {
 // src/lib/assets/deploy.ts
 var import_crypto = __toESM(require("crypto"));
-var import_fs3 = require("fs");
-var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
+var import_fs2 = require("fs");
+var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
-// src/lib/logger.ts
+// src/lib/telemetry/logger.ts
 var import_pino = require("pino");
 var isPrettyLog = true;
 var pretty = {
@@ -277,17 +277,13 @@ function watcherService(name2) {
 // src/lib/assets/pods.ts
 var import_zlib = require("zlib");
-// src/lib/helpers.ts
-var import_fs2 = require("fs");
-var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
 // src/sdk/sdk.ts
 var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
 function sanitizeResourceName(name2) {
   return name2.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
 }
-// src/lib/filter/adjudicators.ts
+// src/lib/filter/adjudicators/adjudicators.ts
 var import_ramda = require("ramda");
 var declaredOperation = (0, import_ramda.pipe)(
   (request) => request?.operation,
@@ -311,23 +307,49 @@ var carriesDeletionTimestamp = (0, import_ramda.pipe)(
   (0, import_ramda.defaultTo)(false)
 );
 var missingDeletionTimestamp = (0, import_ramda.complement)(carriesDeletionTimestamp);
-var carriedKind = (0, import_ramda.pipe)((kubernetesObject) => kubernetesObject?.metadata?.kind, (0, import_ramda.defaultTo)("not set"));
-var carriedVersion = (0, import_ramda.pipe)((kubernetesObject) => kubernetesObject?.metadata?.version, (0, import_ramda.defaultTo)("not set"));
-var carriedName = (0, import_ramda.pipe)((kubernetesObject) => kubernetesObject?.metadata?.name, (0, import_ramda.defaultTo)(""));
+var carriedKind = (0, import_ramda.pipe)(
+  (kubernetesObject) => kubernetesObject?.kind,
+  (0, import_ramda.defaultTo)("not set")
+);
+var carriedVersion = (0, import_ramda.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.resourceVersion,
+  (0, import_ramda.defaultTo)("not set")
+);
+var carriedName = (0, import_ramda.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.name,
+  (0, import_ramda.defaultTo)("")
+);
 var carriesName = (0, import_ramda.pipe)(carriedName, (0, import_ramda.equals)(""), import_ramda.not);
 var missingName = (0, import_ramda.complement)(carriesName);
-var carriedNamespace = (0, import_ramda.pipe)((kubernetesObject) => kubernetesObject?.metadata?.namespace, (0, import_ramda.defaultTo)(""));
+var carriedNamespace = (0, import_ramda.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.namespace,
+  (0, import_ramda.defaultTo)("")
+);
 var carriesNamespace = (0, import_ramda.pipe)(carriedNamespace, (0, import_ramda.equals)(""), import_ramda.not);
-var carriedAnnotations = (0, import_ramda.pipe)((kubernetesObject) => kubernetesObject?.metadata?.annotations, (0, import_ramda.defaultTo)({}));
+var carriedAnnotations = (0, import_ramda.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.annotations,
+  (0, import_ramda.defaultTo)({})
+);
 var carriesAnnotations = (0, import_ramda.pipe)(carriedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
-var carriedLabels = (0, import_ramda.pipe)((kubernetesObject) => kubernetesObject?.metadata?.labels, (0, import_ramda.defaultTo)({}));
+var carriedLabels = (0, import_ramda.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.labels,
+  (0, import_ramda.defaultTo)({})
+);
 var carriesLabels = (0, import_ramda.pipe)(carriedLabels, (0, import_ramda.equals)({}), import_ramda.not);
-var definesDeletionTimestamp = (0, import_ramda.pipe)((binding) => binding?.filters?.deletionTimestamp, (0, import_ramda.defaultTo)(false));
+var definesDeletionTimestamp = (0, import_ramda.pipe)(
+  (binding) => binding?.filters?.deletionTimestamp ?? false,
+  (0, import_ramda.defaultTo)(false)
+);
 var ignoresDeletionTimestamp = (0, import_ramda.complement)(definesDeletionTimestamp);
-var definedName = (0, import_ramda.pipe)((binding) => binding?.filters?.name, (0, import_ramda.defaultTo)(""));
+var definedName = (0, import_ramda.pipe)((binding) => {
+  return binding.filters.name;
+}, (0, import_ramda.defaultTo)(""));
 var definesName = (0, import_ramda.pipe)(definedName, (0, import_ramda.equals)(""), import_ramda.not);
 var ignoresName = (0, import_ramda.complement)(definesName);
-var definedNameRegex = (0, import_ramda.pipe)((binding) => binding?.filters?.regexName, (0, import_ramda.defaultTo)(""));
+var definedNameRegex = (0, import_ramda.pipe)(
+  (binding) => binding.filters?.regexName,
+  (0, import_ramda.defaultTo)("")
+);
 var definesNameRegex = (0, import_ramda.pipe)(definedNameRegex, (0, import_ramda.equals)(""), import_ramda.not);
 var definedNamespaces = (0, import_ramda.pipe)((binding) => binding?.filters?.namespaces, (0, import_ramda.defaultTo)([]));
 var definesNamespaces = (0, import_ramda.pipe)(definedNamespaces, (0, import_ramda.equals)([]), import_ramda.not);
@@ -337,20 +359,22 @@ var definedAnnotations = (0, import_ramda.pipe)((binding) => binding?.filters?.a
 var definesAnnotations = (0, import_ramda.pipe)(definedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
 var definedLabels = (0, import_ramda.pipe)((binding) => binding?.filters?.labels, (0, import_ramda.defaultTo)({}));
 var definesLabels = (0, import_ramda.pipe)(definedLabels, (0, import_ramda.equals)({}), import_ramda.not);
-var definedEvent = (0, import_ramda.pipe)((binding) => binding?.event, (0, import_ramda.defaultTo)(""));
+var definedEvent = (binding) => {
+  return binding.event;
+};
 var definesDelete = (0, import_ramda.pipe)(definedEvent, (0, import_ramda.equals)("DELETE" /* DELETE */));
 var definedGroup = (0, import_ramda.pipe)((binding) => binding?.kind?.group, (0, import_ramda.defaultTo)(""));
 var definesGroup = (0, import_ramda.pipe)(definedGroup, (0, import_ramda.equals)(""), import_ramda.not);
-var definedVersion = (0, import_ramda.pipe)((binding) => binding?.kind?.version, (0, import_ramda.defaultTo)(""));
+var definedVersion = (0, import_ramda.pipe)(
+  (binding) => binding?.kind?.version,
+  (0, import_ramda.defaultTo)("")
+);
 var definesVersion = (0, import_ramda.pipe)(definedVersion, (0, import_ramda.equals)(""), import_ramda.not);
 var definedKind = (0, import_ramda.pipe)((binding) => binding?.kind?.kind, (0, import_ramda.defaultTo)(""));
 var definesKind = (0, import_ramda.pipe)(definedKind, (0, import_ramda.equals)(""), import_ramda.not);
-var definedCategory = (0, import_ramda.pipe)((binding) => {
-  return binding.isFinalize ? "Finalize" : binding.isWatch ? "Watch" : binding.isMutate ? "Mutate" : binding.isValidate ? "Validate" : "";
-});
-var definedCallback = (0, import_ramda.pipe)((binding) => {
+var definedCallback = (binding) => {
   return binding.isFinalize ? binding.finalizeCallback : binding.isWatch ? binding.watchCallback : binding.isMutate ? binding.mutateCallback : binding.isValidate ? binding.validateCallback : null;
-});
+};
 var definedCallbackName = (0, import_ramda.pipe)(definedCallback, (0, import_ramda.defaultTo)({ name: "" }), (callback) => callback.name);
 var mismatchedDeletionTimestamp = (0, import_ramda.allPass)([
   (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesDeletionTimestamp),
@@ -432,8 +456,8 @@ var unbindableNamespaces = (0, import_ramda.allPass)([
 ]);
 var misboundDeleteWithDeletionTimestamp = (0, import_ramda.allPass)([definesDelete, definesDeletionTimestamp]);
 var operationMatchesEvent = (0, import_ramda.anyPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), (0, import_ramda.equals)("*" /* Any */)),
-  (0, import_ramda.pipe)((operation, event) => operation === event),
+  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), (0, import_ramda.equals)("*" /* ANY */)),
+  (0, import_ramda.pipe)((operation, event) => operation.valueOf() === event.valueOf()),
   (0, import_ramda.pipe)((operation, event) => operation ? event.includes(operation) : false)
 ]);
 var mismatchedEvent = (0, import_ramda.pipe)(
@@ -455,11 +479,7 @@ var mismatchedKind = (0, import_ramda.allPass)([
 // src/lib/helpers.ts
 function matchesRegex(pattern, testString) {
-  if (!pattern) {
-    return false;
-  }
-  const regex = new RegExp(pattern);
-  return regex.test(testString);
+  return new RegExp(pattern).test(testString);
 }
 var ValidationError = class extends Error {
 };
@@ -500,17 +520,6 @@ function createRBACMap(capabilities) {
     return acc;
   }, {});
 }
-async function createDirectoryIfNotExists(path) {
-  try {
-    await import_fs2.promises.access(path);
-  } catch (error) {
-    if (error.code === "ENOENT") {
-      await import_fs2.promises.mkdir(path, { recursive: true });
-    } else {
-      throw error;
-    }
-  }
-}
 function hasEveryOverlap(array1, array2) {
   if (!Array.isArray(array1) || !Array.isArray(array2)) {
     return false;
@@ -549,7 +558,9 @@ function generateWatchNamespaceError(ignoredNamespaces, bindingNamespaces, capab
 function namespaceComplianceValidator(capability, ignoredNamespaces) {
   const { namespaces: capabilityNamespaces, bindings, name: name2 } = capability;
   const bindingNamespaces = bindings.flatMap((binding) => binding.filters.namespaces);
-  const bindingRegexNamespaces = bindings.flatMap((binding) => binding.filters.regexNamespaces || []);
+  const bindingRegexNamespaces = bindings.flatMap(
+    (binding) => binding.filters.regexNamespaces || []
+  );
   const namespaceError = generateWatchNamespaceError(
     ignoredNamespaces ? ignoredNamespaces : [],
     bindingNamespaces,
@@ -582,40 +593,6 @@ function namespaceComplianceValidator(capability, ignoredNamespaces) {
     }
   }
 }
-async function checkDeploymentStatus(namespace2) {
-  const deployments = await (0, import_kubernetes_fluent_client2.K8s)(import_kubernetes_fluent_client2.kind.Deployment).InNamespace(namespace2).Get();
-  let status = false;
-  let readyCount = 0;
-  for (const deployment2 of deployments.items) {
-    const readyReplicas = deployment2.status?.readyReplicas ? deployment2.status?.readyReplicas : 0;
-    if (deployment2.status?.readyReplicas !== deployment2.spec?.replicas) {
-      logger_default.info(
-        `Waiting for deployment ${deployment2.metadata?.name} rollout to finish: ${readyReplicas} of ${deployment2.spec?.replicas} replicas are available`
-      );
-    } else {
-      logger_default.info(
-        `Deployment ${deployment2.metadata?.name} rolled out: ${readyReplicas} of ${deployment2.spec?.replicas} replicas are available`
-      );
-      readyCount++;
-    }
-  }
-  if (readyCount === deployments.items.length) {
-    status = true;
-  }
-  return status;
-}
-async function namespaceDeploymentsReady(namespace2 = "pepr-system") {
-  logger_default.info(`Checking ${namespace2} deployments status...`);
-  let ready = false;
-  while (!ready) {
-    ready = await checkDeploymentStatus(namespace2);
-    if (ready) {
-      return ready;
-    }
-    await new Promise((resolve5) => setTimeout(resolve5, 1e3));
-  }
-  logger_default.info(`All ${namespace2} deployments are ready`);
-}
 function secretOverLimit(str) {
   const encoder = new TextEncoder();
   const encoded = encoder.encode(str);
@@ -1103,19 +1080,19 @@ function storeRoleBinding(name2) {
 }
 // src/lib/k8s.ts
-var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
-var Store = class extends import_kubernetes_fluent_client3.GenericKind {
+var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
+var Store = class extends import_kubernetes_fluent_client2.GenericKind {
 };
 var peprStoreGVK = {
   kind: "PeprStore",
   version: "v1",
   group: "pepr.dev"
 };
-(0, import_kubernetes_fluent_client3.RegisterKind)(Store, peprStoreGVK);
+(0, import_kubernetes_fluent_client2.RegisterKind)(Store, peprStoreGVK);
 // src/lib/assets/store.ts
-var { group, version, kind: kind3 } = peprStoreGVK;
-var singular = kind3.toLocaleLowerCase();
+var { group, version, kind: kind2 } = peprStoreGVK;
+var singular = kind2.toLocaleLowerCase();
 var plural = `${singular}s`;
 var name = `${plural}.${group}`;
 var peprStoreCRD = {
@@ -1151,7 +1128,7 @@ var peprStoreCRD = {
     names: {
       plural,
       singular,
-      kind: kind3
+      kind: kind2
     }
   }
 };
@@ -1178,8 +1155,8 @@ async function generateWebhookRules(assets, isMutateWebhook) {
         continue;
       }
       const operations = [];
-      if (event === "CREATEORUPDATE" /* CreateOrUpdate */) {
-        operations.push("CREATE" /* Create */, "UPDATE" /* Update */);
+      if (event === "CREATEORUPDATE" /* CREATE_OR_UPDATE */) {
+        operations.push("CREATE" /* CREATE */, "UPDATE" /* UPDATE */);
       } else {
         operations.push(event);
       }
@@ -1256,12 +1233,12 @@ async function webhookConfig(assets, mutateOrValidate, timeoutSeconds = 10) {
 // src/lib/assets/deploy.ts
 async function deployImagePullSecret(imagePullSecret, name2) {
   try {
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Namespace).Get("pepr-system");
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Get("pepr-system");
   } catch {
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Namespace).Apply(namespace());
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(namespace());
   }
   try {
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Secret).Apply(
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(
       {
         apiVersion: "v1",
         kind: "Secret",
@@ -1284,29 +1261,29 @@ async function deploy(assets, force, webhookTimeout) {
   logger_default.info("Establishing connection to Kubernetes");
   const { name: name2, host, path } = assets;
   logger_default.info("Applying pepr-system namespace");
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace));
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(namespace(assets.config.customLabels?.namespace));
   const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
   if (mutateWebhook) {
     logger_default.info("Applying mutating webhook");
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.MutatingWebhookConfiguration).Apply(mutateWebhook, { force });
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration).Apply(mutateWebhook, { force });
   } else {
     logger_default.info("Mutating webhook not needed, removing if it exists");
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.MutatingWebhookConfiguration).Delete(name2);
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration).Delete(name2);
   }
   const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
   if (validateWebhook) {
     logger_default.info("Applying validating webhook");
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.ValidatingWebhookConfiguration).Apply(validateWebhook, { force });
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration).Apply(validateWebhook, { force });
   } else {
     logger_default.info("Validating webhook not needed, removing if it exists");
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.ValidatingWebhookConfiguration).Delete(name2);
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration).Delete(name2);
   }
   logger_default.info("Applying the Pepr Store CRD if it doesn't exist");
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
   if (host) {
     return;
   }
-  const code = await import_fs3.promises.readFile(path);
+  const code = await import_fs2.promises.readFile(path);
   const hash = import_crypto.default.createHash("sha256").update(code).digest("hex");
   if (code.length < 1) {
     throw new Error("No code provided");
@@ -1319,46 +1296,46 @@ async function setupRBAC(name2, capabilities, force, config) {
   const { rbacMode, rbac } = config;
   logger_default.info("Applying cluster role binding");
   const crb = clusterRoleBinding(name2);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.ClusterRoleBinding).Apply(crb, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRoleBinding).Apply(crb, { force });
   logger_default.info("Applying cluster role");
   const cr = clusterRole(name2, capabilities, rbacMode, rbac);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.ClusterRole).Apply(cr, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRole).Apply(cr, { force });
   logger_default.info("Applying service account");
   const sa = serviceAccount(name2);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.ServiceAccount).Apply(sa, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ServiceAccount).Apply(sa, { force });
   logger_default.info("Applying store role");
   const role = storeRole(name2);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Role).Apply(role, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Role).Apply(role, { force });
   logger_default.info("Applying store role binding");
   const roleBinding = storeRoleBinding(name2);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.RoleBinding).Apply(roleBinding, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.RoleBinding).Apply(roleBinding, { force });
 }
 async function setupController(assets, code, hash, force) {
   const { name: name2 } = assets;
   logger_default.info("Applying module secret");
   const mod = moduleSecret(name2, code, hash);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Secret).Apply(mod, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(mod, { force });
   logger_default.info("Applying controller service");
   const svc = service(name2);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Service).Apply(svc, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(svc, { force });
   logger_default.info("Applying TLS secret");
   const tls = tlsSecret(name2, assets.tls);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Secret).Apply(tls, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(tls, { force });
   logger_default.info("Applying API token secret");
   const apiToken = apiTokenSecret(name2, assets.apiToken);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Secret).Apply(apiToken, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(apiToken, { force });
   logger_default.info("Applying deployment");
   const dep = deployment(assets, hash, assets.buildTimestamp);
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Deployment).Apply(dep, { force });
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(dep, { force });
 }
 async function setupWatcher(assets, hash, force) {
   const watchDeployment = watcher(assets, hash, assets.buildTimestamp);
   if (watchDeployment) {
     logger_default.info("Applying watcher deployment");
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Deployment).Apply(watchDeployment, { force });
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(watchDeployment, { force });
     logger_default.info("Applying watcher service");
     const watchSvc = watcherService(assets.name);
-    await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Service).Apply(watchSvc, { force });
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(watchSvc, { force });
   }
 }
@@ -1390,7 +1367,7 @@ function loadCapabilities(path) {
 // src/lib/assets/yaml.ts
 var import_client_node = require("@kubernetes/client-node");
 var import_crypto2 = __toESM(require("crypto"));
-var import_fs4 = require("fs");
+var import_fs3 = require("fs");
 async function overridesFile({ hash, name: name2, image, config, apiToken, capabilities }, path) {
   const rbacOverrides = clusterRole(name2, capabilities, config.rbacMode, config.rbac).rules;
   const overrides = {
@@ -1541,7 +1518,7 @@ async function overridesFile({ hash, name: name2, image, config, apiToken, capab
       }
     }
   };
-  await import_fs4.promises.writeFile(path, (0, import_client_node.dumpYaml)(overrides, { noRefs: true, forceQuotes: true }));
+  await import_fs3.promises.writeFile(path, (0, import_client_node.dumpYaml)(overrides, { noRefs: true, forceQuotes: true }));
 }
 function zarfYaml({ name: name2, image, config }, path) {
   const zarfCfg = {
@@ -1598,7 +1575,7 @@ function zarfYamlChart({ name: name2, image, config }, path) {
 }
 async function allYaml(assets, imagePullSecret) {
   const { name: name2, tls, apiToken, path, config } = assets;
-  const code = await import_fs4.promises.readFile(path);
+  const code = await import_fs3.promises.readFile(path);
   assets.hash = import_crypto2.default.createHash("sha256").update(code).digest("hex");
   const mutateWebhook = await webhookConfig(assets, "mutate", assets.config.webhookTimeout);
   const validateWebhook = await webhookConfig(assets, "validate", assets.config.webhookTimeout);
@@ -1884,6 +1861,73 @@ function serviceMonitorTemplate(name2) {
 // src/lib/assets/index.ts
 var import_fs5 = require("fs");
+// src/lib/filesystemService.ts
+var import_fs4 = require("fs");
+async function createDirectoryIfNotExists(path) {
+  try {
+    await import_fs4.promises.access(path);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      await import_fs4.promises.mkdir(path, { recursive: true });
+    } else {
+      throw error;
+    }
+  }
+}
+// src/lib/assets/index.ts
+function toYaml(obj) {
+  return (0, import_client_node2.dumpYaml)(obj, { noRefs: true });
+}
+function createWebhookYaml(assets, webhookConfiguration) {
+  const yaml = toYaml(webhookConfiguration);
+  return replaceString(
+    replaceString(
+      replaceString(yaml, assets.name, "{{ .Values.uuid }}"),
+      assets.config.onError === "reject" ? "Fail" : "Ignore",
+      "{{ .Values.admission.failurePolicy }}"
+    ),
+    `${assets.config.webhookTimeout}` || "10",
+    "{{ .Values.admission.webhookTimeout }}"
+  );
+}
+function helmLayout(basePath, unique) {
+  const helm = {
+    dirs: {
+      chart: (0, import_path.resolve)(`${basePath}/${unique}-chart`)
+    },
+    files: {}
+  };
+  helm.dirs = {
+    ...helm.dirs,
+    charts: `${helm.dirs.chart}/charts`,
+    tmpls: `${helm.dirs.chart}/templates`
+  };
+  helm.files = {
+    ...helm.files,
+    valuesYaml: `${helm.dirs.chart}/values.yaml`,
+    chartYaml: `${helm.dirs.chart}/Chart.yaml`,
+    namespaceYaml: `${helm.dirs.tmpls}/namespace.yaml`,
+    watcherServiceYaml: `${helm.dirs.tmpls}/watcher-service.yaml`,
+    admissionServiceYaml: `${helm.dirs.tmpls}/admission-service.yaml`,
+    mutationWebhookYaml: `${helm.dirs.tmpls}/mutation-webhook.yaml`,
+    validationWebhookYaml: `${helm.dirs.tmpls}/validation-webhook.yaml`,
+    admissionDeploymentYaml: `${helm.dirs.tmpls}/admission-deployment.yaml`,
+    admissionServiceMonitorYaml: `${helm.dirs.tmpls}/admission-service-monitor.yaml`,
+    watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
+    watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
+    tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
+    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
+    moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
+    storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
+    storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,
+    clusterRoleYaml: `${helm.dirs.tmpls}/cluster-role.yaml`,
+    clusterRoleBindingYaml: `${helm.dirs.tmpls}/cluster-role-binding.yaml`,
+    serviceAccountYaml: `${helm.dirs.tmpls}/service-account.yaml`
+  };
+  return helm;
+}
 var Assets = class {
   constructor(config, path, host) {
     this.config = config;
@@ -1921,82 +1965,48 @@ var Assets = class {
     }
     return allYaml(this, imagePullSecret);
   };
+  /* eslint max-statements: ["warn", 21] */
   generateHelmChart = async (basePath) => {
-    const CHART_DIR = `${basePath}/${this.config.uuid}-chart`;
-    const CHAR_TEMPLATES_DIR = `${CHART_DIR}/templates`;
-    const valuesPath = (0, import_path.resolve)(CHART_DIR, `values.yaml`);
-    const chartPath = (0, import_path.resolve)(CHART_DIR, `Chart.yaml`);
-    const nsPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `namespace.yaml`);
-    const watcherSVCPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `watcher-service.yaml`);
-    const admissionSVCPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `admission-service.yaml`);
-    const mutationWebhookPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `mutation-webhook.yaml`);
-    const validationWebhookPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `validation-webhook.yaml`);
-    const admissionDeployPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `admission-deployment.yaml`);
-    const admissionServiceMonitorPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `admission-service-monitor.yaml`);
-    const watcherDeployPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `watcher-deployment.yaml`);
-    const watcherServiceMonitorPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `watcher-service-monitor.yaml`);
-    const tlsSecretPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `tls-secret.yaml`);
-    const apiTokenSecretPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `api-token-secret.yaml`);
-    const moduleSecretPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `module-secret.yaml`);
-    const storeRolePath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `store-role.yaml`);
-    const storeRoleBindingPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `store-role-binding.yaml`);
-    const clusterRolePath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `cluster-role.yaml`);
-    const clusterRoleBindingPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `cluster-role-binding.yaml`);
-    const serviceAccountPath = (0, import_path.resolve)(CHAR_TEMPLATES_DIR, `service-account.yaml`);
+    const helm = helmLayout(basePath, this.config.uuid);
     try {
-      await createDirectoryIfNotExists(CHART_DIR);
-      await createDirectoryIfNotExists(`${CHART_DIR}/charts`);
-      await createDirectoryIfNotExists(`${CHAR_TEMPLATES_DIR}`);
-      await overridesFile(this, valuesPath);
-      await import_fs5.promises.writeFile(chartPath, dedent(chartYaml(this.config.uuid, this.config.description || "")));
-      await import_fs5.promises.writeFile(nsPath, dedent(nsTemplate()));
+      await Promise.all(
+        Object.values(helm.dirs).sort((l, r) => l.split("/").length - r.split("/").length).map(async (dir) => await createDirectoryIfNotExists(dir))
+      );
       const code = await import_fs5.promises.readFile(this.path);
-      await import_fs5.promises.writeFile(watcherSVCPath, (0, import_client_node2.dumpYaml)(watcherService(this.name), { noRefs: true }));
-      await import_fs5.promises.writeFile(admissionSVCPath, (0, import_client_node2.dumpYaml)(service(this.name), { noRefs: true }));
-      await import_fs5.promises.writeFile(tlsSecretPath, (0, import_client_node2.dumpYaml)(tlsSecret(this.name, this.tls), { noRefs: true }));
-      await import_fs5.promises.writeFile(apiTokenSecretPath, (0, import_client_node2.dumpYaml)(apiTokenSecret(this.name, this.apiToken), { noRefs: true }));
-      await import_fs5.promises.writeFile(moduleSecretPath, (0, import_client_node2.dumpYaml)(moduleSecret(this.name, code, this.hash), { noRefs: true }));
-      await import_fs5.promises.writeFile(storeRolePath, (0, import_client_node2.dumpYaml)(storeRole(this.name), { noRefs: true }));
-      await import_fs5.promises.writeFile(storeRoleBindingPath, (0, import_client_node2.dumpYaml)(storeRoleBinding(this.name), { noRefs: true }));
-      await import_fs5.promises.writeFile(clusterRolePath, dedent(clusterRoleTemplate()));
-      await import_fs5.promises.writeFile(clusterRoleBindingPath, (0, import_client_node2.dumpYaml)(clusterRoleBinding(this.name), { noRefs: true }));
-      await import_fs5.promises.writeFile(serviceAccountPath, (0, import_client_node2.dumpYaml)(serviceAccount(this.name), { noRefs: true }));
-      const mutateWebhook = await webhookConfig(this, "mutate", this.config.webhookTimeout);
-      const validateWebhook = await webhookConfig(this, "validate", this.config.webhookTimeout);
-      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
+      const pairs = [
+        [helm.files.chartYaml, () => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
+        [helm.files.namespaceYaml, () => dedent(nsTemplate())],
+        [helm.files.watcherServiceYaml, () => toYaml(watcherService(this.name))],
+        [helm.files.admissionServiceYaml, () => toYaml(service(this.name))],
+        [helm.files.tlsSecretYaml, () => toYaml(tlsSecret(this.name, this.tls))],
+        [helm.files.apiTokenSecretYaml, () => toYaml(apiTokenSecret(this.name, this.apiToken))],
+        [helm.files.storeRoleYaml, () => toYaml(storeRole(this.name))],
+        [helm.files.storeRoleBindingYaml, () => toYaml(storeRoleBinding(this.name))],
+        [helm.files.clusterRoleYaml, () => dedent(clusterRoleTemplate())],
+        [helm.files.clusterRoleBindingYaml, () => toYaml(clusterRoleBinding(this.name))],
+        [helm.files.serviceAccountYaml, () => toYaml(serviceAccount(this.name))],
+        [helm.files.moduleSecretYaml, () => toYaml(moduleSecret(this.name, code, this.hash))]
+      ];
+      await Promise.all(pairs.map(async ([file, content]) => await import_fs5.promises.writeFile(file, content())));
+      await overridesFile(this, helm.files.valuesYaml);
+      const [mutateWebhook, validateWebhook] = await Promise.all([
+        webhookConfig(this, "mutate", this.config.webhookTimeout),
+        webhookConfig(this, "validate", this.config.webhookTimeout)
+      ]);
       if (validateWebhook || mutateWebhook) {
-        await import_fs5.promises.writeFile(admissionDeployPath, dedent(admissionDeployTemplate(this.buildTimestamp)));
-        await import_fs5.promises.writeFile(admissionServiceMonitorPath, dedent(serviceMonitorTemplate("admission")));
+        await import_fs5.promises.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
+        await import_fs5.promises.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
       }
       if (mutateWebhook) {
-        const yamlMutateWebhook = (0, import_client_node2.dumpYaml)(mutateWebhook, { noRefs: true });
-        const mutateWebhookTemplate = replaceString(
-          replaceString(
-            replaceString(yamlMutateWebhook, this.name, "{{ .Values.uuid }}"),
-            this.config.onError === "reject" ? "Fail" : "Ignore",
-            "{{ .Values.admission.failurePolicy }}"
-          ),
-          `${this.config.webhookTimeout}` || "10",
-          "{{ .Values.admission.webhookTimeout }}"
-        );
-        await import_fs5.promises.writeFile(mutationWebhookPath, mutateWebhookTemplate);
+        await import_fs5.promises.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this, mutateWebhook));
       }
       if (validateWebhook) {
-        const yamlValidateWebhook = (0, import_client_node2.dumpYaml)(validateWebhook, { noRefs: true });
-        const validateWebhookTemplate = replaceString(
-          replaceString(
-            replaceString(yamlValidateWebhook, this.name, "{{ .Values.uuid }}"),
-            this.config.onError === "reject" ? "Fail" : "Ignore",
-            "{{ .Values.admission.failurePolicy }}"
-          ),
-          `${this.config.webhookTimeout}` || "10",
-          "{{ .Values.admission.webhookTimeout }}"
-        );
-        await import_fs5.promises.writeFile(validationWebhookPath, validateWebhookTemplate);
+        await import_fs5.promises.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this, validateWebhook));
       }
+      const watchDeployment = watcher(this, this.hash, this.buildTimestamp);
       if (watchDeployment) {
-        await import_fs5.promises.writeFile(watcherDeployPath, dedent(watcherDeployTemplate(this.buildTimestamp)));
-        await import_fs5.promises.writeFile(watcherServiceMonitorPath, dedent(serviceMonitorTemplate("watcher")));
+        await import_fs5.promises.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
+        await import_fs5.promises.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
       }
     } catch (err) {
       console.error(`Error generating helm chart: ${err.message}`);
@@ -2211,8 +2221,8 @@ var hello_pepr_samples_default = [
 var gitIgnore = "# Ignore node_modules and Pepr build artifacts\nnode_modules\ndist\ninsecure*\n";
 var readmeMd = '# Pepr Module\n\nThis is a Pepr Module. [Pepr](https://github.com/defenseunicorns/pepr) is a type-safe Kubernetes middleware system.\n\nThe `capabilities` directory contains all the capabilities for this module. By default,\na capability is a single typescript file in the format of `capability-name.ts` that is\nimported in the root `pepr.ts` file as `import { HelloPepr } from "./capabilities/hello-pepr";`.\nBecause this is typescript, you can organize this however you choose, e.g. creating a sub-folder\nper-capability or common logic in shared files or folders.\n\nExample Structure:\n\n```\nModule Root\n\u251C\u2500\u2500 package.json\n\u251C\u2500\u2500 pepr.ts\n\u2514\u2500\u2500 capabilities\n    \u251C\u2500\u2500 example-one.ts\n    \u251C\u2500\u2500 example-three.ts\n    \u2514\u2500\u2500 example-two.ts\n```\n';
 var peprTS = 'import { PeprModule } from "pepr";\n// cfg loads your pepr configuration from package.json\nimport cfg from "./package.json";\n\n// HelloPepr is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\nimport { HelloPepr } from "./capabilities/hello-pepr";\n\n/**\n * This is the main entrypoint for this Pepr module. It is run when the module is started.\n * This is where you register your Pepr configurations and capabilities.\n */\nnew PeprModule(cfg, [\n  // "HelloPepr" is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\n  HelloPepr,\n\n  // Your additional capabilities go here\n]);\n';
-var helloPeprTS = 'import {\n  Capability,\n  K8s,\n  Log,\n  PeprMutateRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n  kind,\n} from "pepr";\nimport nock from "nock";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you run `pepr dev`and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new action, use \'Store\' to persist data\nconst { When, Store } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Mutate(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Watch Action with K8s SSA (Namespace)                           *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action watches for the `pepr-demo-2` namespace to be created, then creates a ConfigMap with\n * the name `pepr-ssa-demo` and adds the namespace UID to the ConfigMap data. Because Pepr uses\n * server-side apply for this operation, the ConfigMap will be created or updated if it already exists.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .WithName("pepr-demo-2")\n  .Watch(async ns => {\n    Log.info("Namespace pepr-demo-2 was created.");\n\n    try {\n      // Apply the ConfigMap using K8s server-side apply\n      await K8s(kind.ConfigMap).Apply({\n        metadata: {\n          name: "pepr-ssa-demo",\n          namespace: "pepr-demo-2",\n        },\n        data: {\n          "ns-uid": ns.metadata.uid,\n        },\n      });\n    } catch (error) {\n      // You can use the Log object to log messages to the Pepr controller pod\n      Log.error(error, "Failed to apply ConfigMap using server-side apply.");\n    }\n\n    // You can share data between actions using the Store, including between different types of actions\n    Store.setItem("watch-data", "This data was stored by a Watch Action.");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too");\n\n    // Use the Store to persist data between requests and Pepr controller pods\n    Store.setItem("example-1", "was-here");\n\n    // This data is written asynchronously and can be read back via `Store.getItem()` or `Store.subscribe()`\n    Store.setItem("example-1-data", JSON.stringify(request.Raw.data));\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate & Validate Actions (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This combines 3 different types of actions: \'Mutate\', \'Validate\', and \'Watch\'. The order\n * of the actions is required, but each action is optional. In this example, when a ConfigMap is created\n * with the name `example-2`, then add a label and annotation, validate that the ConfigMap has the label\n * `pepr`, and log the request.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    // This Mutate Action will mutate the request before it is persisted to the cluster\n\n    // Use `request.Merge()` to merge the new data with the existing data\n    request.Merge({\n      metadata: {\n        labels: {\n          pepr: "was-here",\n        },\n        annotations: {\n          "pepr.dev": "annotations-work-too",\n        },\n      },\n    });\n  })\n  .Validate(request => {\n    // This Validate Action will validate the request before it is persisted to the cluster\n\n    // Approve the request if the ConfigMap has the label \'pepr\'\n    if (request.HasLabel("pepr")) {\n      return request.Approve();\n    }\n\n    // Otherwise, deny the request with an error message (optional)\n    return request.Deny("ConfigMap must have label \'pepr\'");\n  })\n  .Watch((cm, phase) => {\n    // This Watch Action will watch the ConfigMap after it has been persisted to the cluster\n    Log.info(cm, `ConfigMap was ${phase} with the name example-2`);\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 2a)                               *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action shows a simple validation that will deny any ConfigMap that has the\n * annotation `evil`. Note that the `Deny()` function takes an optional second parameter that is a\n * user-defined status code to return.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .Validate(request => {\n    if (request.HasAnnotation("evil")) {\n      return request.Deny("No evil CM annotations allowed.", 400);\n    }\n\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Mutate(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n// This action validates the label `change=by-label` is deleted\nWhen(a.ConfigMap)\n  .IsDeleted()\n  .WithLabel("change", "by-label")\n  .Validate(request => {\n    // Log and then always approve the request\n    Log.info("CM with label \'change=by-label\' was deleted.");\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action show how you can use the `Mutate()` function without an inline function.\n * This is useful if you want to keep your actions small and focused on a single task,\n * or if you want to reuse the same function in multiple actions.\n */\nWhen(a.ConfigMap).IsCreated().WithName("example-4").Mutate(example4Cb);\n\n// This function uses the complete type definition, but is not required.\nfunction example4Cb(cm: PeprMutateRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/first", "true");\n  cm.SetLabel("pepr.dev/second", "true");\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Mutate(example4Cb);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://icanhazdadjoke.com/");\n * const joke = await fetch("https://icanhazdadjoke.com/") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://icanhazdadjoke.com")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  id: string;\n  joke: string;\n  status: number;\n}\n\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("chuck-norris")\n  .Mutate(cm => cm.SetLabel("got-jokes", "true"))\n  .Watch(async cm => {\n    const jokeURL = "https://icanhazdadjoke.com/";\n\n    // Set up Nock to mock the API calls globally with header matching\n    nock(jokeURL).get("/").reply(200, {\n      id: "R7UfaahVfFd",\n      joke: "Funny joke goes here.",\n      status: 200,\n    });\n\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(jokeURL, {\n      headers: {\n        Accept: "application/json",\n      },\n    });\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      const { joke } = response.data;\n      // Add Joke to the Store\n      await Store.setItemAndWait(jokeURL, joke);\n      // Add the Chuck Norris joke to the configmap\n      try {\n        await K8s(kind.ConfigMap).Apply({\n          metadata: {\n            name: cm.metadata.name,\n            namespace: cm.metadata.namespace,\n          },\n          data: {\n            "chuck-says": Store.getItem(jokeURL),\n          },\n        });\n      } catch (error) {\n        Log.error(error, "Failed to apply ConfigMap using server-side apply.", {\n          cm,\n        });\n      }\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Mutate(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr without type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all actions, but we are putting it here for demonstration purposes.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr with type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * A callback function that is called once the Pepr Store is fully loaded.\n */\nStore.onReady(data => {\n  Log.info(data, "Pepr Store Ready");\n});\n';
-var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, files: ["/dist", "/src", "!src/**/*.test.ts", "!dist/**/*.test.d.ts*"], version: "0.40.1", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { ci: "npm ci", "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", version: "node scripts/set-version.js", build: "tsc && node build.mjs && npm pack", "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'", "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run", "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi", "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system", "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade", "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts", "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write", prepare: `if [ "$NODE_ENV" != 'production' ]; then husky; fi` }, dependencies: { "@types/ramda": "0.30.2", express: "4.21.1", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", "kubernetes-fluent-client": "3.3.4", pino: "9.5.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", ramda: "0.30.1", sigstore: "3.0.0" }, devDependencies: { "@commitlint/cli": "19.6.0", "@commitlint/config-conventional": "19.6.0", "@fast-check/jest": "^2.0.1", "@jest/globals": "29.7.0", "@types/eslint": "9.6.1", "@types/express": "5.0.0", "@types/follow-redirects": "1.14.4", "@types/json-pointer": "^1.0.34", "@types/node": "22.x.x", "@types/node-forge": "1.3.11", "@types/uuid": "10.0.0", "fast-check": "^3.19.0", husky: "^9.1.6", jest: "29.7.0", "js-yaml": "^4.1.0", nock: "^13.5.4", "ts-jest": "29.2.5" }, peerDependencies: { "@types/prompts": "2.4.9", "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", commander: "12.1.0", esbuild: "0.23.0", eslint: "8.57.0", "node-forge": "1.3.1", prettier: "3.3.3", prompts: "2.4.2", typescript: "5.3.3", uuid: "10.0.0" } };
+var helloPeprTS = 'import {\n  Capability,\n  K8s,\n  Log,\n  PeprMutateRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n  kind,\n} from "pepr";\nimport { MockAgent, setGlobalDispatcher } from "undici";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you run `pepr dev`and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new action, use \'Store\' to persist data\nconst { When, Store } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Mutate(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Watch Action with K8s SSA (Namespace)                           *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action watches for the `pepr-demo-2` namespace to be created, then creates a ConfigMap with\n * the name `pepr-ssa-demo` and adds the namespace UID to the ConfigMap data. Because Pepr uses\n * server-side apply for this operation, the ConfigMap will be created or updated if it already exists.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .WithName("pepr-demo-2")\n  .Watch(async ns => {\n    Log.info("Namespace pepr-demo-2 was created.");\n\n    try {\n      // Apply the ConfigMap using K8s server-side apply\n      await K8s(kind.ConfigMap).Apply({\n        metadata: {\n          name: "pepr-ssa-demo",\n          namespace: "pepr-demo-2",\n        },\n        data: {\n          "ns-uid": ns.metadata.uid,\n        },\n      });\n    } catch (error) {\n      // You can use the Log object to log messages to the Pepr controller pod\n      Log.error(error, "Failed to apply ConfigMap using server-side apply.");\n    }\n\n    // You can share data between actions using the Store, including between different types of actions\n    Store.setItem("watch-data", "This data was stored by a Watch Action.");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too");\n\n    // Use the Store to persist data between requests and Pepr controller pods\n    Store.setItem("example-1", "was-here");\n\n    // This data is written asynchronously and can be read back via `Store.getItem()` or `Store.subscribe()`\n    Store.setItem("example-1-data", JSON.stringify(request.Raw.data));\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate & Validate Actions (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This combines 3 different types of actions: \'Mutate\', \'Validate\', and \'Watch\'. The order\n * of the actions is required, but each action is optional. In this example, when a ConfigMap is created\n * with the name `example-2`, then add a label and annotation, validate that the ConfigMap has the label\n * `pepr`, and log the request.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    // This Mutate Action will mutate the request before it is persisted to the cluster\n\n    // Use `request.Merge()` to merge the new data with the existing data\n    request.Merge({\n      metadata: {\n        labels: {\n          pepr: "was-here",\n        },\n        annotations: {\n          "pepr.dev": "annotations-work-too",\n        },\n      },\n    });\n  })\n  .Validate(request => {\n    // This Validate Action will validate the request before it is persisted to the cluster\n\n    // Approve the request if the ConfigMap has the label \'pepr\'\n    if (request.HasLabel("pepr")) {\n      return request.Approve();\n    }\n\n    // Otherwise, deny the request with an error message (optional)\n    return request.Deny("ConfigMap must have label \'pepr\'");\n  })\n  .Watch((cm, phase) => {\n    // This Watch Action will watch the ConfigMap after it has been persisted to the cluster\n    Log.info(cm, `ConfigMap was ${phase} with the name example-2`);\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 2a)                               *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action shows a simple validation that will deny any ConfigMap that has the\n * annotation `evil`. Note that the `Deny()` function takes an optional second parameter that is a\n * user-defined status code to return.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .Validate(request => {\n    if (request.HasAnnotation("evil")) {\n      return request.Deny("No evil CM annotations allowed.", 400);\n    }\n\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Mutate(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n// This action validates the label `change=by-label` is deleted\nWhen(a.ConfigMap)\n  .IsDeleted()\n  .WithLabel("change", "by-label")\n  .Validate(request => {\n    // Log and then always approve the request\n    Log.info("CM with label \'change=by-label\' was deleted.");\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action show how you can use the `Mutate()` function without an inline function.\n * This is useful if you want to keep your actions small and focused on a single task,\n * or if you want to reuse the same function in multiple actions.\n */\nWhen(a.ConfigMap).IsCreated().WithName("example-4").Mutate(example4Cb);\n\n// This function uses the complete type definition, but is not required.\nfunction example4Cb(cm: PeprMutateRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/first", "true");\n  cm.SetLabel("pepr.dev/second", "true");\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Mutate(example4Cb);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://icanhazdadjoke.com/");\n * const joke = await fetch("https://icanhazdadjoke.com/") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://icanhazdadjoke.com")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  id: string;\n  joke: string;\n  status: number;\n}\n\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("chuck-norris")\n  .Mutate(cm => cm.SetLabel("got-jokes", "true"))\n  .Watch(async cm => {\n    const jokeURL = "https://icanhazdadjoke.com";\n\n    const mockAgent: MockAgent = new MockAgent();\n    setGlobalDispatcher(mockAgent);\n    const mockClient = mockAgent.get(jokeURL);\n    mockClient.intercept({ path: "/", method: "GET" }).reply(\n      200,\n      {\n        id: "R7UfaahVfFd",\n        joke: "Funny joke goes here.",\n        status: 200,\n      },\n      {\n        headers: {\n          "Content-Type": "application/json; charset=utf-8",\n        },\n      },\n    );\n\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(jokeURL, {\n      headers: {\n        Accept: "application/json",\n      },\n    });\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      const { joke } = response.data;\n      // Add Joke to the Store\n      await Store.setItemAndWait(jokeURL, joke);\n      // Add the Chuck Norris joke to the configmap\n      try {\n        await K8s(kind.ConfigMap).Apply({\n          metadata: {\n            name: cm.metadata.name,\n            namespace: cm.metadata.namespace,\n          },\n          data: {\n            "chuck-says": Store.getItem(jokeURL),\n          },\n        });\n      } catch (error) {\n        Log.error(error, "Failed to apply ConfigMap using server-side apply.", {\n          cm,\n        });\n      }\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Mutate(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr without type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all actions, but we are putting it here for demonstration purposes.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr with type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * A callback function that is called once the Pepr Store is fully loaded.\n */\nStore.onReady(data => {\n  Log.info(data, "Pepr Store Ready");\n});\n';
+var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, files: ["/dist", "/src", "!src/**/*.test.ts", "!dist/**/*.test.d.ts*"], version: "0.42.0", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { ci: "npm ci", "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", version: "node scripts/set-version.js", build: "tsc && node build.mjs && npm pack", "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'", "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run", "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi", "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system", "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade", "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts", "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write", prepare: `if [ "$NODE_ENV" != 'production' ]; then husky; fi` }, dependencies: { "@types/ramda": "0.30.2", express: "4.21.2", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", "kubernetes-fluent-client": "3.3.7", pino: "9.5.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", ramda: "0.30.1", sigstore: "3.0.0" }, devDependencies: { "@commitlint/cli": "19.6.0", "@commitlint/config-conventional": "19.6.0", "@fast-check/jest": "^2.0.1", "@jest/globals": "29.7.0", "@types/eslint": "9.6.1", "@types/express": "5.0.0", "@types/follow-redirects": "1.14.4", "@types/json-pointer": "^1.0.34", "@types/node": "22.x.x", "@types/node-forge": "1.3.11", "@types/uuid": "10.0.0", "fast-check": "^3.19.0", husky: "^9.1.6", jest: "29.7.0", "js-yaml": "^4.1.0", "ts-jest": "29.2.5", undici: "^7.0.1" }, peerDependencies: { "@types/prompts": "2.4.9", "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", commander: "12.1.0", esbuild: "0.23.0", eslint: "8.57.0", "node-forge": "1.3.1", prettier: "3.3.3", prompts: "2.4.2", typescript: "5.3.3", uuid: "10.0.0" } };
 // src/templates/pepr.code-snippets.json
 var pepr_code_snippets_default = {
@@ -2339,7 +2349,7 @@ function genPkgJSON(opts, pgkVerOverride) {
     },
     dependencies: {
       pepr: pgkVerOverride || version2,
-      nock: "13.5.4"
+      undici: "^7.0.1"
     },
     devDependencies: {
       typescript
@@ -2717,6 +2727,45 @@ async function buildModule(reloader, entryPoint = peprTS2, embed = true) {
 // src/cli/deploy.ts
 var import_prompts = __toESM(require("prompts"));
+// src/lib/deploymentChecks.ts
+var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
+async function checkDeploymentStatus(namespace2) {
+  const deployments = await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.Deployment).InNamespace(namespace2).Get();
+  let status = false;
+  let readyCount = 0;
+  for (const deployment2 of deployments.items) {
+    const readyReplicas = deployment2.status?.readyReplicas ? deployment2.status?.readyReplicas : 0;
+    if (deployment2.status?.readyReplicas !== deployment2.spec?.replicas) {
+      logger_default.info(
+        `Waiting for deployment ${deployment2.metadata?.name} rollout to finish: ${readyReplicas} of ${deployment2.spec?.replicas} replicas are available`
+      );
+    } else {
+      logger_default.info(
+        `Deployment ${deployment2.metadata?.name} rolled out: ${readyReplicas} of ${deployment2.spec?.replicas} replicas are available`
+      );
+      readyCount++;
+    }
+  }
+  if (readyCount === deployments.items.length) {
+    status = true;
+  }
+  return status;
+}
+async function namespaceDeploymentsReady(namespace2 = "pepr-system") {
+  logger_default.info(`Checking ${namespace2} deployments status...`);
+  let ready = false;
+  while (!ready) {
+    ready = await checkDeploymentStatus(namespace2);
+    if (ready) {
+      return ready;
+    }
+    await new Promise((resolve5) => setTimeout(resolve5, 1e3));
+  }
+  logger_default.info(`All ${namespace2} deployments are ready`);
+}
+// src/cli/deploy.ts
 function deploy_default(program2) {
   program2.command("deploy").description("Deploy a Pepr Module").option("-i, --image [image]", "Override the image tag").option("--confirm", "Skip confirmation prompt").option("--pullSecret <name>", "Deploy imagePullSecret for Controller private registry").option("--docker-server <server>", "Docker server address").option("--docker-username <username>", "Docker registry username").option("--docker-email <email>", "Email for Docker registry").option("--docker-password <password>", "Password for Docker registry").option("--force", "Force deploy the module, override manager field").action(async (opts) => {
     let imagePullSecret;