pepr 0.42.1 → 0.42.3

package/dist/lib.js

@@ -49,9 +49,9 @@ module.exports = __toCommonJS(lib_exports);
 var import_kubernetes_fluent_client8 = require("kubernetes-fluent-client");
 var R = __toESM(require("ramda"));
 
-// src/lib/capability.ts
-var import_kubernetes_fluent_client7 = require("kubernetes-fluent-client");
-var import_ramda7 = require("ramda");
+// src/lib/core/capability.ts
+var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
+var import_ramda8 = require("ramda");
 
 // src/lib/telemetry/logger.ts
 var import_pino = require("pino");
@@ -101,8 +101,8 @@ function redactedPatch(patch = {}) {
 }
 var logger_default = Log;
 
-// src/lib/module.ts
-var import_ramda5 = require("ramda");
+// src/lib/core/module.ts
+var import_ramda6 = require("ramda");
 
 // src/lib/controller/index.ts
 var import_express = __toESM(require("express"));
@@ -238,21 +238,9 @@ var MetricsCollector = class {
 };
 var metricsCollector = new MetricsCollector("pepr");
 
-// src/lib/mutate-processor.ts
+// src/lib/processors/mutate-processor.ts
 var import_fast_json_patch = __toESM(require("fast-json-patch"));
-
-// src/lib/errors.ts
-var Errors = {
-  audit: "audit",
-  ignore: "ignore",
-  reject: "reject"
-};
-var ErrorList = Object.values(Errors);
-function ValidateError(error = "") {
-  if (!ErrorList.includes(error)) {
-    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
-  }
-}
+var import_ramda3 = require("ramda");
 
 // src/lib/filter/adjudicators/adjudicators.ts
 var import_ramda = require("ramda");
@@ -401,8 +389,15 @@ var mismatchedLabels = (0, import_ramda.allPass)([
 ]);
 var uncarryableNamespace = (0, import_ramda.allPass)([
   (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), carriesNamespace),
-  (0, import_ramda.pipe)((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject)), import_ramda.not)
+  (0, import_ramda.pipe)((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+    return true;
+  }, import_ramda.not)
 ]);
 var missingCarriableNamespace = (0, import_ramda.allPass)([
   (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
@@ -412,8 +407,15 @@ var missingCarriableNamespace = (0, import_ramda.allPass)([
 ]);
 var carriesIgnoredNamespace = (0, import_ramda.allPass)([
   (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), carriesNamespace),
-  (0, import_ramda.pipe)((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject)))
+  (0, import_ramda.pipe)((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+    return false;
+  })
 ]);
 var unbindableNamespaces = (0, import_ramda.allPass)([
   (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
@@ -450,9 +452,108 @@ var mismatchedKind = (0, import_ramda.allPass)([
 
 // src/lib/filter/filter.ts
 function shouldSkipRequest(binding, req, capabilityNamespaces, ignoredNamespaces) {
-  const prefix = "Ignoring Admission Callback:";
   const obj = req.operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
-  return misboundDeleteWithDeletionTimestamp(binding) ? `${prefix} Cannot use deletionTimestamp filter on a DELETE operation.` : mismatchedDeletionTimestamp(binding, obj) ? `${prefix} Binding defines deletionTimestamp but Object does not carry it.` : mismatchedEvent(binding, req) ? `${prefix} Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.` : mismatchedName(binding, obj) ? `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` : mismatchedGroup(binding, req) ? `${prefix} Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.` : mismatchedVersion(binding, req) ? `${prefix} Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.` : mismatchedKind(binding, req) ? `${prefix} Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.` : unbindableNamespaces(capabilityNamespaces, binding) ? `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : uncarryableNamespace(capabilityNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : mismatchedNamespace(binding, obj) ? `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedLabels(binding, obj) ? `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.` : mismatchedAnnotations(binding, obj) ? `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.` : mismatchedNamespaceRegex(binding, obj) ? `${prefix} Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.` : mismatchedNameRegex(binding, obj) ? `${prefix} Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.` : carriesIgnoredNamespace(ignoredNamespaces, obj) ? `${prefix} Object carries namespace '${carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : missingCarriableNamespace(capabilityNamespaces, obj) ? `${prefix} Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : "";
+  const prefix = "Ignoring Admission Callback:";
+  const adjudicators = [
+    () => adjudicateMisboundDeleteWithDeletionTimestamp(binding),
+    () => adjudicateMismatchedDeletionTimestamp(binding, obj),
+    () => adjudicateMismatchedEvent(binding, req),
+    () => adjudicateMismatchedName(binding, obj),
+    () => adjudicateMismatchedGroup(binding, req),
+    () => adjudicateMismatchedVersion(binding, req),
+    () => adjudicateMismatchedKind(binding, req),
+    () => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
+    () => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
+    () => adjudicateMismatchedNamespace(binding, obj),
+    () => adjudicateMismatchedLabels(binding, obj),
+    () => adjudicateMismatchedAnnotations(binding, obj),
+    () => adjudicateMismatchedNamespaceRegex(binding, obj),
+    () => adjudicateMismatchedNameRegex(binding, obj),
+    () => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
+    () => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj)
+  ];
+  for (const adjudicator of adjudicators) {
+    const result = adjudicator();
+    if (result) {
+      return `${prefix} ${result}`;
+    }
+  }
+  return "";
+}
+function filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces) {
+  const prefix = "Ignoring Watch Callback:";
+  const adjudicators = [
+    () => adjudicateMismatchedDeletionTimestamp(binding, obj),
+    () => adjudicateMismatchedName(binding, obj),
+    () => adjudicateMisboundNamespace(binding),
+    () => adjudicateMismatchedLabels(binding, obj),
+    () => adjudicateMismatchedAnnotations(binding, obj),
+    () => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
+    () => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
+    () => adjudicateMismatchedNamespace(binding, obj),
+    () => adjudicateMismatchedNamespaceRegex(binding, obj),
+    () => adjudicateMismatchedNameRegex(binding, obj),
+    () => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
+    () => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj)
+  ];
+  for (const adjudicator of adjudicators) {
+    const result = adjudicator();
+    if (result) {
+      return `${prefix} ${result}`;
+    }
+  }
+  return "";
+}
+function adjudicateMisboundNamespace(binding) {
+  return misboundNamespace(binding) ? "Cannot use namespace filter on a namespace object." : null;
+}
+function adjudicateMisboundDeleteWithDeletionTimestamp(binding) {
+  return misboundDeleteWithDeletionTimestamp(binding) ? "Cannot use deletionTimestamp filter on a DELETE operation." : null;
+}
+function adjudicateMismatchedDeletionTimestamp(binding, obj) {
+  return mismatchedDeletionTimestamp(binding, obj) ? "Binding defines deletionTimestamp but Object does not carry it." : null;
+}
+function adjudicateMismatchedEvent(binding, req) {
+  return mismatchedEvent(binding, req) ? `Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.` : null;
+}
+function adjudicateMismatchedName(binding, obj) {
+  return mismatchedName(binding, obj) ? `Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` : null;
+}
+function adjudicateMismatchedGroup(binding, req) {
+  return mismatchedGroup(binding, req) ? `Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.` : null;
+}
+function adjudicateMismatchedVersion(binding, req) {
+  return mismatchedVersion(binding, req) ? `Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.` : null;
+}
+function adjudicateMismatchedKind(binding, req) {
+  return mismatchedKind(binding, req) ? `Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.` : null;
+}
+function adjudicateUnbindableNamespaces(capabilityNamespaces, binding) {
+  return unbindableNamespaces(capabilityNamespaces, binding) ? `Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
+}
+function adjudicateUncarryableNamespace(capabilityNamespaces, obj) {
+  return uncarryableNamespace(capabilityNamespaces, obj) ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
+}
+function adjudicateMismatchedNamespace(binding, obj) {
+  return mismatchedNamespace(binding, obj) ? `Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.` : null;
+}
+function adjudicateMismatchedLabels(binding, obj) {
+  return mismatchedLabels(binding, obj) ? `Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.` : null;
+}
+function adjudicateMismatchedAnnotations(binding, obj) {
+  return mismatchedAnnotations(binding, obj) ? `Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.` : null;
+}
+function adjudicateMismatchedNamespaceRegex(binding, obj) {
+  return mismatchedNamespaceRegex(binding, obj) ? `Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.` : null;
+}
+function adjudicateMismatchedNameRegex(binding, obj) {
+  return mismatchedNameRegex(binding, obj) ? `Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.` : null;
+}
+function adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj) {
+  return carriesIgnoredNamespace(ignoredNamespaces, obj) ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : null;
+}
+function adjudicateMissingCarriableNamespace(capabilityNamespaces, obj) {
+  return missingCarriableNamespace(capabilityNamespaces, obj) ? `Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
 }
 
 // src/lib/mutate-request.ts
@@ -562,80 +663,126 @@ function base64Encode(data) {
   return Buffer.from(data).toString("base64");
 }
 
-// src/lib/mutate-processor.ts
+// src/cli/init/enums.ts
+var OnError = /* @__PURE__ */ ((OnError2) => {
+  OnError2["AUDIT"] = "audit";
+  OnError2["IGNORE"] = "ignore";
+  OnError2["REJECT"] = "reject";
+  return OnError2;
+})(OnError || {});
+
+// src/lib/processors/mutate-processor.ts
+function updateStatus(config, name2, wrapped, status) {
+  if (wrapped.Request.operation === "DELETE") {
+    return wrapped;
+  }
+  wrapped.SetAnnotation(`${config.uuid}.pepr.dev/${name2}`, status);
+  return wrapped;
+}
+function logMutateErrorMessage(e) {
+  try {
+    if (e.message && e.message !== "[object Object]") {
+      return e.message;
+    } else {
+      throw new Error("An error occurred in the mutate action.");
+    }
+  } catch (e2) {
+    return "An error occurred with the mutate action.";
+  }
+}
+function decodeData(wrapped) {
+  let skipped = [];
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    skipped = convertFromBase64Map(wrapped.Raw);
+  }
+  return { skipped, wrapped };
+}
+function reencodeData(wrapped, skipped) {
+  const transformed = (0, import_ramda3.clone)(wrapped.Raw);
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    convertToBase64Map(transformed, skipped);
+  }
+  return transformed;
+}
+async function processRequest(bindable, wrapped, response) {
+  const { binding, actMeta, name: name2, config } = bindable;
+  const label = binding.mutateCallback.name;
+  logger_default.info(actMeta, `Processing mutation action (${label})`);
+  wrapped = updateStatus(config, name2, wrapped, "started");
+  try {
+    await binding.mutateCallback(wrapped);
+    logger_default.info(actMeta, `Mutation action succeeded (${label})`);
+    wrapped = updateStatus(config, name2, wrapped, "succeeded");
+  } catch (e) {
+    wrapped = updateStatus(config, name2, wrapped, "warning");
+    response.warnings = response.warnings || [];
+    const errorMessage = logMutateErrorMessage(e);
+    logger_default.error(actMeta, `Action failed: ${errorMessage}`);
+    response.warnings.push(`Action failed: ${errorMessage}`);
+    switch (config.onError) {
+      case "reject" /* REJECT */:
+        response.result = "Pepr module configured to reject on error";
+        break;
+      case "audit" /* AUDIT */:
+        response.auditAnnotations = response.auditAnnotations || {};
+        response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
+        break;
+    }
+  }
+  return { wrapped, response };
+}
 async function mutateProcessor(config, capabilities, req, reqMetadata) {
-  const wrapped = new PeprMutateRequest(req);
-  const response = {
+  let response = {
     uid: req.uid,
     warnings: [],
     allowed: false
   };
-  let matchedAction = false;
-  let skipDecode = [];
-  const isSecret = req.kind.version === "v1" && req.kind.kind === "Secret";
-  if (isSecret) {
-    skipDecode = convertFromBase64Map(wrapped.Raw);
-  }
+  const decoded = decodeData(new PeprMutateRequest(req));
+  let wrapped = decoded.wrapped;
   logger_default.info(reqMetadata, `Processing request`);
-  for (const { name: name2, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name: name2 };
-    for (const action of bindings) {
-      if (!action.mutateCallback) {
-        continue;
-      }
-      const shouldSkip = shouldSkipRequest(action, req, namespaces, config?.alwaysIgnore?.namespaces);
-      if (shouldSkip !== "") {
-        logger_default.debug(shouldSkip);
-        continue;
-      }
-      const label = action.mutateCallback.name;
-      logger_default.info(actionMetadata, `Processing mutation action (${label})`);
-      matchedAction = true;
-      const updateStatus = (status) => {
-        if (req.operation === "DELETE") {
-          return;
-        }
-        const identifier = `${config.uuid}.pepr.dev/${name2}`;
-        wrapped.Raw.metadata = wrapped.Raw.metadata || {};
-        wrapped.Raw.metadata.annotations = wrapped.Raw.metadata.annotations || {};
-        wrapped.Raw.metadata.annotations[identifier] = status;
-      };
-      updateStatus("started");
-      try {
-        await action.mutateCallback(wrapped);
-        logger_default.info(actionMetadata, `Mutation action succeeded (${label})`);
-        updateStatus("succeeded");
-      } catch (e) {
-        updateStatus("warning");
-        response.warnings = response.warnings || [];
-        const errorMessage = logMutateErrorMessage(e);
-        logger_default.error(actionMetadata, `Action failed: ${errorMessage}`);
-        response.warnings.push(`Action failed: ${errorMessage}`);
-        switch (config.onError) {
-          case Errors.reject:
-            logger_default.error(actionMetadata, `Action failed: ${errorMessage}`);
-            response.result = "Pepr module configured to reject on error";
-            return response;
-          case Errors.audit:
-            response.auditAnnotations = response.auditAnnotations || {};
-            response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
-            break;
-        }
-      }
+  let bindables = capabilities.flatMap(
+    (capa) => capa.bindings.map((bind) => ({
+      req,
+      config,
+      name: capa.name,
+      namespaces: capa.namespaces,
+      binding: bind,
+      actMeta: { ...reqMetadata, name: capa.name }
+    }))
+  );
+  bindables = bindables.filter((bind) => {
+    if (!bind.binding.mutateCallback) {
+      return false;
+    }
+    const shouldSkip = shouldSkipRequest(
+      bind.binding,
+      bind.req,
+      bind.namespaces,
+      bind.config?.alwaysIgnore?.namespaces
+    );
+    if (shouldSkip !== "") {
+      logger_default.debug(shouldSkip);
+      return false;
+    }
+    return true;
+  });
+  for (const bindable of bindables) {
+    ({ wrapped, response } = await processRequest(bindable, wrapped, response));
+    if (config.onError === "reject" /* REJECT */ && response?.warnings.length > 0) {
+      return response;
     }
   }
   response.allowed = true;
-  if (!matchedAction) {
+  if (bindables.length === 0) {
     logger_default.info(reqMetadata, `No matching actions found`);
     return response;
   }
   if (req.operation === "DELETE") {
     return response;
   }
-  const transformed = wrapped.Raw;
-  if (isSecret) {
-    convertToBase64Map(transformed, skipDecode);
-  }
+  const transformed = reencodeData(wrapped, decoded.skipped);
   const patches = import_fast_json_patch.default.compare(req.object, transformed);
   if (patches.length > 0) {
     response.patchType = "JSONPatch";
@@ -647,20 +794,9 @@ async function mutateProcessor(config, capabilities, req, reqMetadata) {
   logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
   return response;
 }
-var logMutateErrorMessage = (e) => {
-  try {
-    if (e.message && e.message !== "[object Object]") {
-      return e.message;
-    } else {
-      throw new Error("An error occurred in the mutate action.");
-    }
-  } catch (e2) {
-    return "An error occurred with the mutate action.";
-  }
-};
 
 // src/lib/validate-request.ts
-var import_ramda3 = require("ramda");
+var import_ramda4 = require("ramda");
 var PeprValidateRequest = class {
   Raw;
   #input;
@@ -685,9 +821,9 @@ var PeprValidateRequest = class {
   constructor(input) {
     this.#input = input;
     if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda3.clone)(input.oldObject);
+      this.Raw = (0, import_ramda4.clone)(input.oldObject);
     } else {
-      this.Raw = (0, import_ramda3.clone)(input.object);
+      this.Raw = (0, import_ramda4.clone)(input.object);
     }
     if (!this.Raw) {
       throw new Error("unable to load the request object into PeprRequest.Raw");
@@ -737,8 +873,8 @@ var PeprValidateRequest = class {
   };
 };
 
-// src/lib/validate-processor.ts
-async function processRequest(binding, actionMetadata, peprValidateRequest) {
+// src/lib/processors/validate-processor.ts
+async function processRequest2(binding, actionMetadata, peprValidateRequest) {
   const label = binding.validateCallback.name;
   logger_default.info(actionMetadata, `Processing validation action (${label})`);
   const valResp = {
@@ -786,7 +922,7 @@ async function validateProcessor(config, capabilities, req, reqMetadata) {
         logger_default.debug(shouldSkip);
         continue;
       }
-      const resp = await processRequest(binding, actionMetadata, wrapped);
+      const resp = await processRequest2(binding, actionMetadata, wrapped);
       response.push(resp);
     }
   }
@@ -795,7 +931,7 @@ async function validateProcessor(config, capabilities, req, reqMetadata) {
 
 // src/lib/controller/store.ts
 var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
-var import_ramda4 = require("ramda");
+var import_ramda5 = require("ramda");
 
 // src/lib/k8s.ts
 var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
@@ -909,7 +1045,7 @@ var StoreController = class {
     for (const name2 of Object.keys(this.#stores)) {
       const offset = `${name2}-`.length;
       for (const key of Object.keys(data)) {
-        if ((0, import_ramda4.startsWith)(name2, key) && !(0, import_ramda4.startsWith)(`${name2}-v2`, key)) {
+        if ((0, import_ramda5.startsWith)(name2, key) && !(0, import_ramda5.startsWith)(`${name2}-v2`, key)) {
           storeCache = fillStoreCache(storeCache, name2, "remove", {
             key: [key.slice(offset)],
             value: data[key]
@@ -933,7 +1069,7 @@ var StoreController = class {
         const offset = `${name2}-`.length;
         const filtered = {};
         for (const key of Object.keys(data)) {
-          if ((0, import_ramda4.startsWith)(name2, key)) {
+          if ((0, import_ramda5.startsWith)(name2, key)) {
             filtered[key.slice(offset)] = data[key];
           }
         }
@@ -1215,123 +1351,18 @@ var Controller = class _Controller {
   }
 };
 
-// src/lib/watch-processor.ts
-var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
-var import_types = require("kubernetes-fluent-client/dist/fluent/types");
-
-// src/sdk/sdk.ts
-var sdk_exports = {};
-__export(sdk_exports, {
-  containers: () => containers,
-  getOwnerRefFrom: () => getOwnerRefFrom,
-  sanitizeResourceName: () => sanitizeResourceName,
-  writeEvent: () => writeEvent
-});
-var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
-function containers(request, containerType) {
-  const containers2 = request.Raw.spec?.containers || [];
-  const initContainers = request.Raw.spec?.initContainers || [];
-  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
-  if (containerType === "containers") {
-    return containers2;
-  }
-  if (containerType === "initContainers") {
-    return initContainers;
-  }
-  if (containerType === "ephemeralContainers") {
-    return ephemeralContainers;
+// src/lib/errors.ts
+var ErrorList = Object.values(OnError);
+function ValidateError(error = "") {
+  if (!ErrorList.includes(error)) {
+    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
   }
-  return [...containers2, ...initContainers, ...ephemeralContainers];
-}
-async function writeEvent(cr, event, eventType, eventReason, reportingComponent, reportingInstance) {
-  await (0, import_kubernetes_fluent_client4.K8s)(import_kubernetes_fluent_client4.kind.CoreEvent).Create({
-    type: eventType,
-    reason: eventReason,
-    ...event,
-    // Fixed values
-    metadata: {
-      namespace: cr.metadata.namespace,
-      generateName: cr.metadata.name
-    },
-    involvedObject: {
-      apiVersion: cr.apiVersion,
-      kind: cr.kind,
-      name: cr.metadata.name,
-      namespace: cr.metadata.namespace,
-      uid: cr.metadata.uid
-    },
-    firstTimestamp: /* @__PURE__ */ new Date(),
-    reportingComponent,
-    reportingInstance
-  });
-}
-function getOwnerRefFrom(customResource, blockOwnerDeletion, controller) {
-  const { apiVersion, kind: kind3, metadata } = customResource;
-  const { name: name2, uid } = metadata;
-  return [
-    {
-      apiVersion,
-      kind: kind3,
-      uid,
-      name: name2,
-      ...blockOwnerDeletion !== void 0 && { blockOwnerDeletion },
-      ...controller !== void 0 && { controller }
-    }
-  ];
-}
-function sanitizeResourceName(name2) {
-  return name2.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
 }
 
-// src/lib/helpers.ts
-function filterNoMatchReason(binding, kubernetesObject, capabilityNamespaces, ignoredNamespaces) {
-  const prefix = "Ignoring Watch Callback:";
-  return mismatchedDeletionTimestamp(binding, kubernetesObject) ? `${prefix} Binding defines deletionTimestamp but Object does not carry it.` : mismatchedName(binding, kubernetesObject) ? `${prefix} Binding defines name '${definedName(binding)}' but Object carries '${carriedName(kubernetesObject)}'.` : misboundNamespace(binding) ? `${prefix} Cannot use namespace filter on a namespace object.` : mismatchedLabels(binding, kubernetesObject) ? `${prefix} Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(kubernetesObject))}'.` : mismatchedAnnotations(binding, kubernetesObject) ? `${prefix} Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(kubernetesObject))}'.` : uncarryableNamespace(capabilityNamespaces, kubernetesObject) ? `${prefix} Object carries namespace '${carriedNamespace(kubernetesObject)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : unbindableNamespaces(capabilityNamespaces, binding) ? `${prefix} Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : mismatchedNamespace(binding, kubernetesObject) ? `${prefix} Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(kubernetesObject)}'.` : mismatchedNamespaceRegex(binding, kubernetesObject) ? `${prefix} Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(kubernetesObject)}'.` : mismatchedNameRegex(binding, kubernetesObject) ? `${prefix} Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(kubernetesObject)}'.` : carriesIgnoredNamespace(ignoredNamespaces, kubernetesObject) ? `${prefix} Object carries namespace '${carriedNamespace(kubernetesObject)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : missingCarriableNamespace(capabilityNamespaces, kubernetesObject) ? `${prefix} Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : "";
-}
-
-// src/lib/finalizer.ts
+// src/lib/processors/watch-processor.ts
 var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
-function addFinalizer(request) {
-  if (request.Request.operation === "DELETE" /* DELETE */) {
-    return;
-  }
-  if (request.Request.operation === "UPDATE" /* UPDATE */ && request.Raw.metadata?.deletionTimestamp) {
-    return;
-  }
-  const peprFinal = "pepr.dev/finalizer";
-  const finalizers = request.Raw.metadata?.finalizers || [];
-  if (!finalizers.includes(peprFinal)) {
-    finalizers.push(peprFinal);
-  }
-  request.Merge({ metadata: { finalizers } });
-}
-async function removeFinalizer(binding, obj) {
-  const peprFinal = "pepr.dev/finalizer";
-  const meta = obj.metadata;
-  const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
-  logger_default.debug({ obj }, `Removing finalizer '${peprFinal}' from '${resource}'`);
-  const { model, kind: kind3 } = binding;
-  try {
-    (0, import_kubernetes_fluent_client5.RegisterKind)(model, kind3);
-  } catch (e) {
-    const expected = e.message === `GVK ${model.name} already registered`;
-    if (!expected) {
-      logger_default.error({ model, kind: kind3, error: e }, `Error registering "${kind3}" during finalization.`);
-      return;
-    }
-  }
-  const finalizers = meta.finalizers?.filter((f) => f !== peprFinal) || [];
-  obj = await (0, import_kubernetes_fluent_client5.K8s)(model, meta).Patch([
-    {
-      op: "replace",
-      path: `/metadata/finalizers`,
-      value: finalizers
-    }
-  ]);
-  logger_default.debug({ obj }, `Removed finalizer '${peprFinal}' from '${resource}'`);
-}
 
-// src/lib/queue.ts
+// src/lib/core/queue.ts
 var import_node_crypto = require("node:crypto");
 var Queue = class {
   #name;
@@ -1419,7 +1450,52 @@ var Queue = class {
   }
 };
 
-// src/lib/watch-processor.ts
+// src/lib/processors/watch-processor.ts
+var import_types = require("kubernetes-fluent-client/dist/fluent/types");
+
+// src/lib/finalizer.ts
+var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
+function addFinalizer(request) {
+  if (request.Request.operation === "DELETE" /* DELETE */) {
+    return;
+  }
+  if (request.Request.operation === "UPDATE" /* UPDATE */ && request.Raw.metadata?.deletionTimestamp) {
+    return;
+  }
+  const peprFinal = "pepr.dev/finalizer";
+  const finalizers = request.Raw.metadata?.finalizers || [];
+  if (!finalizers.includes(peprFinal)) {
+    finalizers.push(peprFinal);
+  }
+  request.Merge({ metadata: { finalizers } });
+}
+async function removeFinalizer(binding, obj) {
+  const peprFinal = "pepr.dev/finalizer";
+  const meta = obj.metadata;
+  const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
+  logger_default.debug({ obj }, `Removing finalizer '${peprFinal}' from '${resource}'`);
+  const { model, kind: kind3 } = binding;
+  try {
+    (0, import_kubernetes_fluent_client4.RegisterKind)(model, kind3);
+  } catch (e) {
+    const expected = e.message === `GVK ${model.name} already registered`;
+    if (!expected) {
+      logger_default.error({ model, kind: kind3, error: e }, `Error registering "${kind3}" during finalization.`);
+      return;
+    }
+  }
+  const finalizers = meta.finalizers?.filter((f) => f !== peprFinal) || [];
+  obj = await (0, import_kubernetes_fluent_client4.K8s)(model, meta).Patch([
+    {
+      op: "replace",
+      path: `/metadata/finalizers`,
+      value: finalizers
+    }
+  ]);
+  logger_default.debug({ obj }, `Removed finalizer '${peprFinal}' from '${resource}'`);
+}
+
+// src/lib/processors/watch-processor.ts
 var queues = {};
 function queueKey(obj) {
   const options = ["kind", "kindNs", "kindNsName", "global"];
@@ -1497,7 +1573,7 @@ async function runBinding(binding, capabilityNamespaces, ignoredNamespaces) {
       shouldRemoveFinalizer === false ? logger_default.debug({ obj: kubernetesObject }, `Skipping removal of finalizer '${peprFinal}' from '${resource}'`) : await removeFinalizer(binding, kubernetesObject);
     }
   };
-  const watcher = (0, import_kubernetes_fluent_client6.K8s)(binding.model, binding.filters).Watch(async (obj, phase) => {
+  const watcher = (0, import_kubernetes_fluent_client5.K8s)(binding.model, binding.filters).Watch(async (obj, phase) => {
     logger_default.debug(obj, `Watch event ${phase} received`);
     if (binding.isQueue) {
       const queue = getOrCreateQueue(obj);
@@ -1506,30 +1582,30 @@ async function runBinding(binding, capabilityNamespaces, ignoredNamespaces) {
       await watchCallback(obj, phase);
     }
   }, watchCfg);
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => {
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => {
     logger_default.error(err, "Watch failed after 5 attempts, giving up");
     process.exit(1);
   });
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client6.WatchEvent.CONNECT, url));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client5.WatchEvent.CONNECT, url));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, err.message));
   watcher.events.on(
-    import_kubernetes_fluent_client6.WatchEvent.RECONNECT,
-    (retryCount) => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`)
+    import_kubernetes_fluent_client5.WatchEvent.RECONNECT,
+    (retryCount) => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`)
   );
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.ABORT, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, err));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CACHE_MISS, (windowName) => {
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.ABORT, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, err));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CACHE_MISS, (windowName) => {
     metricsCollector.incCacheMiss(windowName);
   });
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INIT_CACHE_MISS, (windowName) => {
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.INIT_CACHE_MISS, (windowName) => {
     metricsCollector.initCacheMissWindow(windowName);
   });
-  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INC_RESYNC_FAILURE_COUNT, (retryCount) => {
+  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.INC_RESYNC_FAILURE_COUNT, (retryCount) => {
     metricsCollector.incRetryCount(retryCount);
   });
   try {
@@ -1548,7 +1624,7 @@ function logEvent(event, message = "", obj) {
   }
 }
 
-// src/lib/module.ts
+// src/lib/core/module.ts
 var isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
 var isBuildMode = () => process.env.PEPR_MODE === "build";
 var isDevMode = () => process.env.PEPR_MODE === "dev";
@@ -1562,7 +1638,7 @@ var PeprModule = class {
    * @param opts Options for the Pepr runtime
    */
   constructor({ description, pepr }, capabilities = [], opts = {}) {
-    const config = (0, import_ramda5.clone)(pepr);
+    const config = (0, import_ramda6.clone)(pepr);
     config.description = description;
     ValidateError(config.onError);
     if (isBuildMode()) {
@@ -1608,8 +1684,8 @@ var PeprModule = class {
   };
 };
 
-// src/lib/storage.ts
-var import_ramda6 = require("ramda");
+// src/lib/core/storage.ts
+var import_ramda7 = require("ramda");
 var import_json_pointer = __toESM(require("json-pointer"));
 var MAX_WAIT_TIME = 15e3;
 var STORE_VERSION_PREFIX = "v2";
@@ -1632,7 +1708,7 @@ var Storage = class {
     this.#store = data || {};
     this.#onReady();
     for (const idx in this.#subscribers) {
-      this.#subscribers[idx]((0, import_ramda6.clone)(this.#store));
+      this.#subscribers[idx]((0, import_ramda7.clone)(this.#store));
     }
   };
   getItem = (key) => {
@@ -1720,7 +1796,7 @@ var Storage = class {
   };
   #onReady = () => {
     for (const handler of this.#readyHandlers) {
-      handler((0, import_ramda6.clone)(this.#store));
+      handler((0, import_ramda7.clone)(this.#store));
     }
     this.#onReady = () => {
     };
@@ -1736,7 +1812,7 @@ var Storage = class {
   };
 };
 
-// src/lib/schedule.ts
+// src/lib/core/schedule.ts
 var OnSchedule = class {
   intervalId = null;
   store;
@@ -1864,7 +1940,7 @@ var OnSchedule = class {
   }
 };
 
-// src/lib/capability.ts
+// src/lib/core/capability.ts
 var registerAdmission = isBuildMode() || !isWatchMode();
 var registerWatch = isBuildMode() || isWatchMode() || isDevMode();
 var Capability = class {
@@ -1991,7 +2067,7 @@ var Capability = class {
    * @returns
    */
   When = (model, kind3) => {
-    const matchedKind = (0, import_kubernetes_fluent_client7.modelToGroupVersionKind)(model.name);
+    const matchedKind = (0, import_kubernetes_fluent_client6.modelToGroupVersionKind)(model.name);
     if (!matchedKind && !kind3) {
       throw new Error(`Kind not specified for ${model.name}`);
     }
@@ -2015,7 +2091,7 @@ var Capability = class {
     const commonChain = { WithLabel, WithAnnotation, WithDeletionTimestamp, Mutate, Validate, Watch, Reconcile, Alias };
     const isNotEmpty = (value) => Object.keys(value).length > 0;
     const log = (message, cbString) => {
-      const filteredObj = (0, import_ramda7.pickBy)(isNotEmpty, binding.filters);
+      const filteredObj = (0, import_ramda8.pickBy)(isNotEmpty, binding.filters);
       logger_default.info(`${message} configured for ${binding.event}`, prefix);
       logger_default.info(filteredObj, prefix);
       logger_default.debug(cbString, prefix);
@@ -2168,6 +2244,70 @@ var Capability = class {
     };
   };
 };
+
+// src/sdk/sdk.ts
+var sdk_exports = {};
+__export(sdk_exports, {
+  containers: () => containers,
+  getOwnerRefFrom: () => getOwnerRefFrom,
+  sanitizeResourceName: () => sanitizeResourceName,
+  writeEvent: () => writeEvent
+});
+var import_kubernetes_fluent_client7 = require("kubernetes-fluent-client");
+function containers(request, containerType) {
+  const containers2 = request.Raw.spec?.containers || [];
+  const initContainers = request.Raw.spec?.initContainers || [];
+  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
+  if (containerType === "containers") {
+    return containers2;
+  }
+  if (containerType === "initContainers") {
+    return initContainers;
+  }
+  if (containerType === "ephemeralContainers") {
+    return ephemeralContainers;
+  }
+  return [...containers2, ...initContainers, ...ephemeralContainers];
+}
+async function writeEvent(cr, event, eventType, eventReason, reportingComponent, reportingInstance) {
+  await (0, import_kubernetes_fluent_client7.K8s)(import_kubernetes_fluent_client7.kind.CoreEvent).Create({
+    type: eventType,
+    reason: eventReason,
+    ...event,
+    // Fixed values
+    metadata: {
+      namespace: cr.metadata.namespace,
+      generateName: cr.metadata.name
+    },
+    involvedObject: {
+      apiVersion: cr.apiVersion,
+      kind: cr.kind,
+      name: cr.metadata.name,
+      namespace: cr.metadata.namespace,
+      uid: cr.metadata.uid
+    },
+    firstTimestamp: /* @__PURE__ */ new Date(),
+    reportingComponent,
+    reportingInstance
+  });
+}
+function getOwnerRefFrom(customResource, blockOwnerDeletion, controller) {
+  const { apiVersion, kind: kind3, metadata } = customResource;
+  const { name: name2, uid } = metadata;
+  return [
+    {
+      apiVersion,
+      kind: kind3,
+      uid,
+      name: name2,
+      ...blockOwnerDeletion !== void 0 && { blockOwnerDeletion },
+      ...controller !== void 0 && { controller }
+    }
+  ];
+}
+function sanitizeResourceName(name2) {
+  return name2.toLowerCase().replace(/[^a-z0-9]+/g, "-").slice(0, 250).replace(/^[^a-z]+|[^a-z]+$/g, "");
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   Capability,