pepr 0.42.3 → 0.44.0

package/dist/cli.js

@@ -92,7 +92,7 @@ var import_fs9 = require("fs");
 var import_path3 = require("path");
 
 // src/lib/assets/assets.ts
-var import_crypto2 = __toESM(require("crypto"));
+var import_crypto = __toESM(require("crypto"));
 
 // src/lib/tls.ts
 var import_node_forge = __toESM(require("node-forge"));
@@ -247,8 +247,13 @@ function watcherDeployTemplate(buildTimestamp) {
               - name: watcher
                 image: {{ .Values.watcher.image }}
                 imagePullPolicy: IfNotPresent
-                command:
-                  - node
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
+                args:
                   - /app/node_modules/pepr/dist/controller.js
                   - {{ .Values.hash }}
                 readinessProbe:
@@ -263,6 +268,10 @@ function watcherDeployTemplate(buildTimestamp) {
                   {{- toYaml .Values.watcher.env | nindent 12 }}
                   - name: PEPR_WATCH_MODE
                     value: "true"
+                  {{- if .Values.additionalIgnoredNamespaces }}
+                  - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES
+                    value: "{{ join ", " .Values.additionalIgnoredNamespaces }}"
+                  {{- end }}
                 envFrom:
                   {{- toYaml .Values.watcher.envFrom | nindent 12 }}
                 securityContext:
@@ -326,8 +335,13 @@ function admissionDeployTemplate(buildTimestamp) {
               - name: server
                 image: {{ .Values.admission.image }}
                 imagePullPolicy: IfNotPresent
-                command:
-                  - node
+                {{- if gt (len .Values.imagePullSecrets) 0 }}
+                imagePullSecrets:
+                  {{- range .Values.imagePullSecrets }}
+                  - name: {{ . }}
+                  {{- end }}
+                {{- end }}
+                args:
                   - /app/node_modules/pepr/dist/controller.js
                   - {{ .Values.hash }}
                 readinessProbe:
@@ -342,6 +356,10 @@ function admissionDeployTemplate(buildTimestamp) {
                   {{- toYaml .Values.admission.env | nindent 12 }}
                   - name: PEPR_WATCH_MODE
                     value: "false"
+                  {{- if .Values.additionalIgnoredNamespaces }}
+                  - name: PEPR_ADDITIONAL_IGNORED_NAMESPACES
+                    value: "{{ join ", " .Values.additionalIgnoredNamespaces }}"
+                  {{- end }}
                 envFrom:
                   {{- toYaml .Values.admission.envFrom | nindent 12 }}
                 securityContext:
@@ -415,10 +433,8 @@ async function createDirectoryIfNotExists(path) {
   }
 }
 
-// src/lib/assets/deploy.ts
-var import_crypto = __toESM(require("crypto"));
-var import_fs2 = require("fs");
-var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
+// src/lib/assets/pods.ts
+var import_zlib = require("zlib");
 
 // src/lib/telemetry/logger.ts
 var import_pino = require("pino");
@@ -440,90 +456,6 @@ if (process.env.LOG_LEVEL) {
 }
 var logger_default = Log;
 
-// src/lib/assets/networking.ts
-function apiTokenSecret(name2, apiToken) {
-  return {
-    apiVersion: "v1",
-    kind: "Secret",
-    metadata: {
-      name: `${name2}-api-token`,
-      namespace: "pepr-system"
-    },
-    type: "Opaque",
-    data: {
-      value: Buffer.from(apiToken).toString("base64")
-    }
-  };
-}
-function tlsSecret(name2, tls) {
-  return {
-    apiVersion: "v1",
-    kind: "Secret",
-    metadata: {
-      name: `${name2}-tls`,
-      namespace: "pepr-system"
-    },
-    type: "kubernetes.io/tls",
-    data: {
-      "tls.crt": tls.crt,
-      "tls.key": tls.key
-    }
-  };
-}
-function service(name2) {
-  return {
-    apiVersion: "v1",
-    kind: "Service",
-    metadata: {
-      name: name2,
-      namespace: "pepr-system",
-      labels: {
-        "pepr.dev/controller": "admission"
-      }
-    },
-    spec: {
-      selector: {
-        app: name2,
-        "pepr.dev/controller": "admission"
-      },
-      ports: [
-        {
-          port: 443,
-          targetPort: 3e3
-        }
-      ]
-    }
-  };
-}
-function watcherService(name2) {
-  return {
-    apiVersion: "v1",
-    kind: "Service",
-    metadata: {
-      name: `${name2}-watcher`,
-      namespace: "pepr-system",
-      labels: {
-        "pepr.dev/controller": "watcher"
-      }
-    },
-    spec: {
-      selector: {
-        app: `${name2}-watcher`,
-        "pepr.dev/controller": "watcher"
-      },
-      ports: [
-        {
-          port: 443,
-          targetPort: 3e3
-        }
-      ]
-    }
-  };
-}
-
-// src/lib/assets/pods.ts
-var import_zlib = require("zlib");
-
 // src/sdk/sdk.ts
 var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
 function sanitizeResourceName(name2) {
@@ -727,7 +659,7 @@ function getWatcher(assets, hash, buildTimestamp, imagePullSecret) {
   if (bindings.length < 1 && !hasSchedule) {
     return null;
   }
-  const deploy2 = {
+  const deploy = {
     apiVersion: "apps/v1",
     kind: "Deployment",
     metadata: {
@@ -777,7 +709,7 @@ function getWatcher(assets, hash, buildTimestamp, imagePullSecret) {
               name: "watcher",
               image,
               imagePullPolicy: "IfNotPresent",
-              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              args: ["/app/node_modules/pepr/dist/controller.js", hash],
               readinessProbe: {
                 httpGet: {
                   path: "/healthz",
@@ -852,14 +784,14 @@ function getWatcher(assets, hash, buildTimestamp, imagePullSecret) {
     }
   };
   if (imagePullSecret) {
-    deploy2.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
+    deploy.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
   }
-  return deploy2;
+  return deploy;
 }
 function getDeployment(assets, hash, buildTimestamp, imagePullSecret) {
   const { name: name2, image, config } = assets;
   const app = name2;
-  const deploy2 = {
+  const deploy = {
     apiVersion: "apps/v1",
     kind: "Deployment",
     metadata: {
@@ -907,7 +839,7 @@ function getDeployment(assets, hash, buildTimestamp, imagePullSecret) {
               name: "server",
               image,
               imagePullPolicy: "IfNotPresent",
-              command: ["node", "/app/node_modules/pepr/dist/controller.js", hash],
+              args: ["/app/node_modules/pepr/dist/controller.js", hash],
               readinessProbe: {
                 httpGet: {
                   path: "/healthz",
@@ -993,9 +925,9 @@ function getDeployment(assets, hash, buildTimestamp, imagePullSecret) {
     }
   };
   if (imagePullSecret) {
-    deploy2.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
+    deploy.spec.template.spec.imagePullSecrets = [{ name: imagePullSecret }];
   }
-  return deploy2;
+  return deploy;
 }
 function getModuleSecret(name2, data, hash) {
   const compressed = (0, import_zlib.gzipSync)(data);
@@ -1036,6 +968,9 @@ function genEnv(config, watchMode = false, ignoreWatchMode = false) {
   return ignoreWatchMode ? Object.entries({ ...noWatchDef, ...cfg }).map(([name2, value]) => ({ name: name2, value })) : Object.entries({ ...def, ...cfg }).map(([name2, value]) => ({ name: name2, value }));
 }
 
+// src/lib/assets/yaml/overridesFile.ts
+var import_client_node = require("@kubernetes/client-node");
+
 // src/lib/assets/rbac.ts
 function clusterRole(name2, capabilities, rbacMode = "admin", customRbac) {
   const rbacMap = createRBACMap(capabilities);
@@ -1138,371 +1073,51 @@ function storeRoleBinding(name2) {
   };
 }
 
-// src/lib/k8s.ts
-var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
-var Store = class extends import_kubernetes_fluent_client2.GenericKind {
-};
-var peprStoreGVK = {
-  kind: "PeprStore",
-  version: "v1",
-  group: "pepr.dev"
-};
-(0, import_kubernetes_fluent_client2.RegisterKind)(Store, peprStoreGVK);
-
-// src/lib/assets/store.ts
-var { group, version, kind: kind2 } = peprStoreGVK;
-var singular = kind2.toLocaleLowerCase();
-var plural = `${singular}s`;
-var name = `${plural}.${group}`;
-var peprStoreCRD = {
-  apiVersion: "apiextensions.k8s.io/v1",
-  kind: "CustomResourceDefinition",
-  metadata: {
-    name
-  },
-  spec: {
-    group,
-    versions: [
-      {
-        // typescript doesn't know this is really already set, which is kind of annoying
-        name: version || "v1",
-        served: true,
-        storage: true,
-        schema: {
-          openAPIV3Schema: {
-            type: "object",
-            properties: {
-              data: {
-                type: "object",
-                additionalProperties: {
-                  type: "string"
-                }
-              }
-            }
-          }
-        }
+// src/lib/assets/yaml/overridesFile.ts
+var import_fs2 = require("fs");
+async function overridesFile({ hash, name: name2, image, config, apiToken, capabilities }, path, imagePullSecrets) {
+  const rbacOverrides = clusterRole(name2, capabilities, config.rbacMode, config.rbac).rules;
+  const overrides = {
+    imagePullSecrets,
+    additionalIgnoredNamespaces: [],
+    rbac: rbacOverrides,
+    secrets: {
+      apiToken: Buffer.from(apiToken).toString("base64")
+    },
+    hash,
+    namespace: {
+      annotations: {},
+      labels: {
+        "pepr.dev": ""
       }
-    ],
-    scope: "Namespaced",
-    names: {
-      plural,
-      singular,
-      kind: kind2
-    }
-  }
-};
-
-// src/lib/assets/webhooks.ts
-var import_ramda = require("ramda");
-var peprIgnoreNamespaces = ["kube-system", "pepr-system"];
-var validateRule = (binding, isMutateWebhook) => {
-  const { event, kind: kind8, isMutate, isValidate } = binding;
-  if (isMutateWebhook && !isMutate || !isMutateWebhook && !isValidate) {
-    return void 0;
-  }
-  const operations = event === "CREATEORUPDATE" /* CREATE_OR_UPDATE */ ? ["CREATE" /* CREATE */, "UPDATE" /* UPDATE */] : [event];
-  const resource = kind8.plural || `${kind8.kind.toLowerCase()}s`;
-  const ruleObject = {
-    apiGroups: [kind8.group],
-    apiVersions: [kind8.version || "*"],
-    operations,
-    resources: [resource, ...resource === "pods" ? ["pods/ephemeralcontainers"] : []]
-  };
-  return ruleObject;
-};
-async function generateWebhookRules(assets, isMutateWebhook) {
-  const { config, capabilities } = assets;
-  const rules = capabilities.flatMap((capability) => {
-    console.info(`Module ${config.uuid} has capability: ${capability.name}`);
-    return capability.bindings.map((binding) => validateRule(binding, isMutateWebhook)).filter((rule) => !!rule);
-  });
-  return (0, import_ramda.uniqWith)(import_ramda.equals, rules);
-}
-async function webhookConfig(assets, mutateOrValidate, timeoutSeconds = 10) {
-  const ignore = [];
-  const { name: name2, tls, config, apiToken, host } = assets;
-  const ignoreNS = (0, import_ramda.concat)(peprIgnoreNamespaces, config?.alwaysIgnore?.namespaces || []);
-  if (ignoreNS) {
-    ignore.push({
-      key: "kubernetes.io/metadata.name",
-      operator: "NotIn",
-      values: ignoreNS
-    });
-  }
-  const clientConfig = {
-    caBundle: tls.ca
-  };
-  const apiPath = `/${mutateOrValidate}/${apiToken}`;
-  if (host) {
-    clientConfig.url = `https://${host}:3000${apiPath}`;
-  } else {
-    clientConfig.service = {
-      name: name2,
-      namespace: "pepr-system",
-      path: apiPath
-    };
-  }
-  const isMutate = mutateOrValidate === "mutate";
-  const rules = await generateWebhookRules(assets, isMutate);
-  if (rules.length < 1) {
-    return null;
-  }
-  return {
-    apiVersion: "admissionregistration.k8s.io/v1",
-    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
-    metadata: { name: name2 },
-    webhooks: [
-      {
-        name: `${name2}.pepr.dev`,
-        admissionReviewVersions: ["v1", "v1beta1"],
-        clientConfig,
-        failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
-        matchPolicy: "Equivalent",
-        timeoutSeconds,
-        namespaceSelector: {
-          matchExpressions: ignore
-        },
-        rules,
-        // @todo: track side effects state
-        sideEffects: "None"
-      }
-    ]
-  };
-}
-
-// src/lib/assets/deploy.ts
-async function deployImagePullSecret(imagePullSecret, name2) {
-  try {
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Get("pepr-system");
-  } catch {
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace());
-  }
-  try {
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(
-      {
-        apiVersion: "v1",
-        kind: "Secret",
-        metadata: {
-          name: name2,
-          namespace: "pepr-system"
-        },
-        type: "kubernetes.io/dockerconfigjson",
-        data: {
-          ".dockerconfigjson": Buffer.from(JSON.stringify(imagePullSecret)).toString("base64")
-        }
-      },
-      { force: true }
-    );
-  } catch (e) {
-    logger_default.error(e);
-  }
-}
-async function deploy(assets, force, webhookTimeout) {
-  logger_default.info("Establishing connection to Kubernetes");
-  const { name: name2, host, path } = assets;
-  logger_default.info("Applying pepr-system namespace");
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
-  const mutateWebhook = await webhookConfig(assets, "mutate", webhookTimeout);
-  if (mutateWebhook) {
-    logger_default.info("Applying mutating webhook");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration).Apply(mutateWebhook, { force });
-  } else {
-    logger_default.info("Mutating webhook not needed, removing if it exists");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration).Delete(name2);
-  }
-  const validateWebhook = await webhookConfig(assets, "validate", webhookTimeout);
-  if (validateWebhook) {
-    logger_default.info("Applying validating webhook");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration).Apply(validateWebhook, { force });
-  } else {
-    logger_default.info("Validating webhook not needed, removing if it exists");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration).Delete(name2);
-  }
-  logger_default.info("Applying the Pepr Store CRD if it doesn't exist");
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
-  if (host) {
-    return;
-  }
-  const code = await import_fs2.promises.readFile(path);
-  const hash = import_crypto.default.createHash("sha256").update(code).digest("hex");
-  if (code.length < 1) {
-    throw new Error("No code provided");
-  }
-  await setupRBAC(name2, assets.capabilities, force, assets.config);
-  await setupController(assets, code, hash, force);
-  await setupWatcher(assets, hash, force);
-}
-async function setupRBAC(name2, capabilities, force, config) {
-  const { rbacMode, rbac } = config;
-  logger_default.info("Applying cluster role binding");
-  const crb = clusterRoleBinding(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRoleBinding).Apply(crb, { force });
-  logger_default.info("Applying cluster role");
-  const cr = clusterRole(name2, capabilities, rbacMode, rbac);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRole).Apply(cr, { force });
-  logger_default.info("Applying service account");
-  const sa = serviceAccount(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ServiceAccount).Apply(sa, { force });
-  logger_default.info("Applying store role");
-  const role = storeRole(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Role).Apply(role, { force });
-  logger_default.info("Applying store role binding");
-  const roleBinding = storeRoleBinding(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.RoleBinding).Apply(roleBinding, { force });
-}
-async function setupController(assets, code, hash, force) {
-  const { name: name2 } = assets;
-  logger_default.info("Applying module secret");
-  const mod = getModuleSecret(name2, code, hash);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(mod, { force });
-  logger_default.info("Applying controller service");
-  const svc = service(name2);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(svc, { force });
-  logger_default.info("Applying TLS secret");
-  const tls = tlsSecret(name2, assets.tls);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(tls, { force });
-  logger_default.info("Applying API token secret");
-  const apiToken = apiTokenSecret(name2, assets.apiToken);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(apiToken, { force });
-  logger_default.info("Applying deployment");
-  const dep = getDeployment(assets, hash, assets.buildTimestamp);
-  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(dep, { force });
-}
-async function setupWatcher(assets, hash, force) {
-  const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
-  if (watchDeployment) {
-    logger_default.info("Applying watcher deployment");
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(watchDeployment, { force });
-    logger_default.info("Applying watcher service");
-    const watchSvc = watcherService(assets.name);
-    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(watchSvc, { force });
-  }
-}
-
-// src/lib/assets/index.ts
-var import_client_node = require("@kubernetes/client-node");
-var import_path = require("path");
-function toYaml(obj) {
-  return (0, import_client_node.dumpYaml)(obj, { noRefs: true });
-}
-function createWebhookYaml(name2, config, webhookConfiguration) {
-  const yaml = toYaml(webhookConfiguration);
-  return replaceString(
-    replaceString(
-      replaceString(yaml, name2, "{{ .Values.uuid }}"),
-      config.onError === "reject" ? "Fail" : "Ignore",
-      "{{ .Values.admission.failurePolicy }}"
-    ),
-    `${config.webhookTimeout}` || "10",
-    "{{ .Values.admission.webhookTimeout }}"
-  );
-}
-function helmLayout(basePath, unique) {
-  const helm = {
-    dirs: {
-      chart: (0, import_path.resolve)(`${basePath}/${unique}-chart`)
-    },
-    files: {}
-  };
-  helm.dirs = {
-    ...helm.dirs,
-    charts: `${helm.dirs.chart}/charts`,
-    tmpls: `${helm.dirs.chart}/templates`
-  };
-  helm.files = {
-    ...helm.files,
-    valuesYaml: `${helm.dirs.chart}/values.yaml`,
-    chartYaml: `${helm.dirs.chart}/Chart.yaml`,
-    namespaceYaml: `${helm.dirs.tmpls}/namespace.yaml`,
-    watcherServiceYaml: `${helm.dirs.tmpls}/watcher-service.yaml`,
-    admissionServiceYaml: `${helm.dirs.tmpls}/admission-service.yaml`,
-    mutationWebhookYaml: `${helm.dirs.tmpls}/mutation-webhook.yaml`,
-    validationWebhookYaml: `${helm.dirs.tmpls}/validation-webhook.yaml`,
-    admissionDeploymentYaml: `${helm.dirs.tmpls}/admission-deployment.yaml`,
-    admissionServiceMonitorYaml: `${helm.dirs.tmpls}/admission-service-monitor.yaml`,
-    watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
-    watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
-    tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
-    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
-    moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
-    storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
-    storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,
-    clusterRoleYaml: `${helm.dirs.tmpls}/cluster-role.yaml`,
-    clusterRoleBindingYaml: `${helm.dirs.tmpls}/cluster-role-binding.yaml`,
-    serviceAccountYaml: `${helm.dirs.tmpls}/service-account.yaml`
-  };
-  return helm;
-}
-
-// src/lib/assets/loader.ts
-var import_child_process = require("child_process");
-function loadCapabilities(path) {
-  return new Promise((resolve6, reject) => {
-    const program2 = (0, import_child_process.fork)(path, {
-      env: {
-        ...process.env,
-        LOG_LEVEL: "warn",
-        PEPR_MODE: "build",
-        NODE_OPTIONS: "--disable-warning=DEP0040"
-      }
-    });
-    program2.on("message", (message) => {
-      const capabilities = message.valueOf();
-      for (const capability of capabilities) {
-        console.info(`Registered Pepr Capability "${capability.name}"`);
-      }
-      resolve6(capabilities);
-    });
-    program2.on("error", (error) => {
-      reject(error);
-    });
-  });
-}
-
-// src/lib/assets/yaml.ts
-var import_client_node2 = require("@kubernetes/client-node");
-var import_fs3 = require("fs");
-async function overridesFile({ hash, name: name2, image, config, apiToken, capabilities }, path) {
-  const rbacOverrides = clusterRole(name2, capabilities, config.rbacMode, config.rbac).rules;
-  const overrides = {
-    rbac: rbacOverrides,
-    secrets: {
-      apiToken: Buffer.from(apiToken).toString("base64")
-    },
-    hash,
-    namespace: {
-      annotations: {},
-      labels: {
-        "pepr.dev": ""
-      }
-    },
-    uuid: name2,
-    admission: {
-      terminationGracePeriodSeconds: 5,
-      failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
-      webhookTimeout: config.webhookTimeout,
-      env: genEnv(config, false, true),
-      envFrom: [],
-      image,
-      annotations: {
-        "pepr.dev/description": `${config.description}` || ""
-      },
-      labels: {
-        app: name2,
-        "pepr.dev/controller": "admission",
-        "pepr.dev/uuid": config.uuid
-      },
-      securityContext: {
-        runAsUser: 65532,
-        runAsGroup: 65532,
-        runAsNonRoot: true,
-        fsGroup: 65532
-      },
-      readinessProbe: {
-        httpGet: {
-          path: "/healthz",
-          port: 3e3,
-          scheme: "HTTPS"
+    },
+    uuid: name2,
+    admission: {
+      terminationGracePeriodSeconds: 5,
+      failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
+      webhookTimeout: config.webhookTimeout,
+      env: genEnv(config, false, true),
+      envFrom: [],
+      image,
+      annotations: {
+        "pepr.dev/description": `${config.description}` || ""
+      },
+      labels: {
+        app: name2,
+        "pepr.dev/controller": "admission",
+        "pepr.dev/uuid": config.uuid
+      },
+      securityContext: {
+        runAsUser: 65532,
+        runAsGroup: 65532,
+        runAsNonRoot: true,
+        fsGroup: 65532
+      },
+      readinessProbe: {
+        httpGet: {
+          path: "/healthz",
+          port: 3e3,
+          scheme: "HTTPS"
         },
         initialDelaySeconds: 10
       },
@@ -1612,167 +1227,260 @@ async function overridesFile({ hash, name: name2, image, config, apiToken, capab
       }
     }
   };
-  await import_fs3.promises.writeFile(path, (0, import_client_node2.dumpYaml)(overrides, { noRefs: true, forceQuotes: true }));
+  await import_fs2.promises.writeFile(path, (0, import_client_node.dumpYaml)(overrides, { noRefs: true, forceQuotes: true }));
+}
+
+// src/lib/assets/index.ts
+var import_client_node2 = require("@kubernetes/client-node");
+var import_path = require("path");
+function toYaml(obj) {
+  return (0, import_client_node2.dumpYaml)(obj, { noRefs: true });
+}
+function createWebhookYaml(name2, config, webhookConfiguration) {
+  const yaml = toYaml(webhookConfiguration);
+  const replacements = [
+    { search: name2, replace: "{{ .Values.uuid }}" },
+    {
+      search: config.onError === "reject" ? "Fail" : "Ignore",
+      replace: "{{ .Values.admission.failurePolicy }}"
+    },
+    {
+      search: `${config.webhookTimeout}` || "10",
+      replace: "{{ .Values.admission.webhookTimeout }}"
+    },
+    {
+      search: `
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
+            - pepr-system
+`,
+      replace: `
+        - key: kubernetes.io/metadata.name
+          operator: NotIn
+          values:
+            - kube-system
+            - pepr-system
+            {{- range .Values.additionalIgnoredNamespaces }}
+            - {{ . }}
+            {{- end }}
+`
+    }
+  ];
+  return replacements.reduce((updatedYaml, { search, replace }) => replaceString(updatedYaml, search, replace), yaml);
+}
+function helmLayout(basePath, unique) {
+  const helm = {
+    dirs: {
+      chart: (0, import_path.resolve)(`${basePath}/${unique}-chart`)
+    },
+    files: {}
+  };
+  helm.dirs = {
+    ...helm.dirs,
+    charts: `${helm.dirs.chart}/charts`,
+    tmpls: `${helm.dirs.chart}/templates`
+  };
+  helm.files = {
+    ...helm.files,
+    valuesYaml: `${helm.dirs.chart}/values.yaml`,
+    chartYaml: `${helm.dirs.chart}/Chart.yaml`,
+    namespaceYaml: `${helm.dirs.tmpls}/namespace.yaml`,
+    watcherServiceYaml: `${helm.dirs.tmpls}/watcher-service.yaml`,
+    admissionServiceYaml: `${helm.dirs.tmpls}/admission-service.yaml`,
+    mutationWebhookYaml: `${helm.dirs.tmpls}/mutation-webhook.yaml`,
+    validationWebhookYaml: `${helm.dirs.tmpls}/validation-webhook.yaml`,
+    admissionDeploymentYaml: `${helm.dirs.tmpls}/admission-deployment.yaml`,
+    admissionServiceMonitorYaml: `${helm.dirs.tmpls}/admission-service-monitor.yaml`,
+    watcherDeploymentYaml: `${helm.dirs.tmpls}/watcher-deployment.yaml`,
+    watcherServiceMonitorYaml: `${helm.dirs.tmpls}/watcher-service-monitor.yaml`,
+    tlsSecretYaml: `${helm.dirs.tmpls}/tls-secret.yaml`,
+    apiTokenSecretYaml: `${helm.dirs.tmpls}/api-token-secret.yaml`,
+    moduleSecretYaml: `${helm.dirs.tmpls}/module-secret.yaml`,
+    storeRoleYaml: `${helm.dirs.tmpls}/store-role.yaml`,
+    storeRoleBindingYaml: `${helm.dirs.tmpls}/store-role-binding.yaml`,
+    clusterRoleYaml: `${helm.dirs.tmpls}/cluster-role.yaml`,
+    clusterRoleBindingYaml: `${helm.dirs.tmpls}/cluster-role-binding.yaml`,
+    serviceAccountYaml: `${helm.dirs.tmpls}/service-account.yaml`
+  };
+  return helm;
+}
+
+// src/lib/assets/loader.ts
+var import_child_process = require("child_process");
+function loadCapabilities(path) {
+  return new Promise((resolve6, reject) => {
+    const program2 = (0, import_child_process.fork)(path, {
+      env: {
+        ...process.env,
+        LOG_LEVEL: "warn",
+        PEPR_MODE: "build",
+        NODE_OPTIONS: "--disable-warning=DEP0040"
+      }
+    });
+    program2.on("message", (message) => {
+      const capabilities = message.valueOf();
+      for (const capability of capabilities) {
+        console.info(`Registered Pepr Capability "${capability.name}"`);
+      }
+      resolve6(capabilities);
+    });
+    program2.on("error", (error) => {
+      reject(error);
+    });
+  });
+}
+
+// src/lib/assets/assets.ts
+var import_fs3 = require("fs");
+
+// src/lib/assets/networking.ts
+function apiTokenSecret(name2, apiToken) {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
+    metadata: {
+      name: `${name2}-api-token`,
+      namespace: "pepr-system"
+    },
+    type: "Opaque",
+    data: {
+      value: Buffer.from(apiToken).toString("base64")
+    }
+  };
 }
-function generateZarfYaml(name2, image, config, path) {
-  const zarfCfg = {
-    kind: "ZarfPackageConfig",
+function tlsSecret(name2, tls) {
+  return {
+    apiVersion: "v1",
+    kind: "Secret",
     metadata: {
-      name: name2,
-      description: `Pepr Module: ${config.description}`,
-      url: "https://github.com/defenseunicorns/pepr",
-      version: `${config.appVersion || "0.0.1"}`
+      name: `${name2}-tls`,
+      namespace: "pepr-system"
     },
-    components: [
-      {
-        name: "module",
-        required: true,
-        manifests: [
-          {
-            name: "module",
-            namespace: "pepr-system",
-            files: [path]
-          }
-        ],
-        images: [image]
-      }
-    ]
+    type: "kubernetes.io/tls",
+    data: {
+      "tls.crt": tls.crt,
+      "tls.key": tls.key
+    }
   };
-  return (0, import_client_node2.dumpYaml)(zarfCfg, { noRefs: true });
 }
-function generateZarfYamlChart(name2, image, config, path) {
-  const zarfCfg = {
-    kind: "ZarfPackageConfig",
+function service(name2) {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
     metadata: {
       name: name2,
-      description: `Pepr Module: ${config.description}`,
-      url: "https://github.com/defenseunicorns/pepr",
-      version: `${config.appVersion || "0.0.1"}`
-    },
-    components: [
-      {
-        name: "module",
-        required: true,
-        charts: [
-          {
-            name: "module",
-            namespace: "pepr-system",
-            version: `${config.appVersion || "0.0.1"}`,
-            localPath: path
-          }
-        ],
-        images: [image]
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "admission"
       }
-    ]
+    },
+    spec: {
+      selector: {
+        app: name2,
+        "pepr.dev/controller": "admission"
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3e3
+        }
+      ]
+    }
   };
-  return (0, import_client_node2.dumpYaml)(zarfCfg, { noRefs: true });
 }
-async function generateAllYaml(webhooks, deployments, assets) {
-  const { name: name2, tls, hash, apiToken, path, config } = assets;
-  const code = await import_fs3.promises.readFile(path);
-  const resources = [
-    getNamespace(assets.config.customLabels?.namespace),
-    clusterRole(name2, assets.capabilities, config.rbacMode, config.rbac),
-    clusterRoleBinding(name2),
-    serviceAccount(name2),
-    apiTokenSecret(name2, apiToken),
-    tlsSecret(name2, tls),
-    deployments.default,
-    service(name2),
-    watcherService(name2),
-    getModuleSecret(name2, code, hash),
-    storeRole(name2),
-    storeRoleBinding(name2)
-  ];
-  if (webhooks.mutate) {
-    resources.push(webhooks.mutate);
-  }
-  if (webhooks.validate) {
-    resources.push(webhooks.validate);
-  }
-  if (deployments.watch) {
-    resources.push(deployments.watch);
-  }
-  return resources.map((r) => (0, import_client_node2.dumpYaml)(r, { noRefs: true })).join("---\n");
+function watcherService(name2) {
+  return {
+    apiVersion: "v1",
+    kind: "Service",
+    metadata: {
+      name: `${name2}-watcher`,
+      namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "watcher"
+      }
+    },
+    spec: {
+      selector: {
+        app: `${name2}-watcher`,
+        "pepr.dev/controller": "watcher"
+      },
+      ports: [
+        {
+          port: 443,
+          targetPort: 3e3
+        }
+      ]
+    }
+  };
 }
 
 // src/lib/assets/assets.ts
-var import_fs4 = require("fs");
 var Assets = class {
-  constructor(config, path, host) {
-    this.config = config;
-    this.path = path;
-    this.host = host;
-    this.name = `pepr-${config.uuid}`;
-    this.buildTimestamp = `${Date.now()}`;
-    this.alwaysIgnore = config.alwaysIgnore;
-    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
-    this.hash = "";
-    this.tls = genTLS(this.host || `${this.name}.pepr-system.svc`);
-    this.apiToken = import_crypto2.default.randomBytes(32).toString("hex");
-  }
   name;
   tls;
   apiToken;
+  config;
+  path;
   alwaysIgnore;
+  imagePullSecrets;
   capabilities;
   image;
   buildTimestamp;
-  hash;
-  setHash = (hash) => {
-    this.hash = hash;
-  };
-  deploy = async (force, webhookTimeout) => {
+  host;
+  constructor(config, path, imagePullSecrets, host) {
+    this.name = `pepr-${config.uuid}`;
+    this.imagePullSecrets = imagePullSecrets;
+    this.buildTimestamp = `${Date.now()}`;
+    this.config = config;
+    this.path = path;
+    this.host = host;
+    this.alwaysIgnore = config.alwaysIgnore;
+    this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
+    this.tls = genTLS(host || `${this.name}.pepr-system.svc`);
+    this.apiToken = import_crypto.default.randomBytes(32).toString("hex");
+  }
+  async deploy(deployFunction, force, webhookTimeout) {
     this.capabilities = await loadCapabilities(this.path);
-    await deploy(this, force, webhookTimeout);
-  };
-  zarfYaml = (path) => generateZarfYaml(this.name, this.image, this.config, path);
-  zarfYamlChart = (path) => generateZarfYamlChart(this.name, this.image, this.config, path);
-  allYaml = async (imagePullSecret) => {
+    const timeout = typeof webhookTimeout === "number" ? webhookTimeout : 10;
+    await deployFunction(this, force, timeout);
+  }
+  zarfYaml = (zarfYamlGenerator, path) => zarfYamlGenerator(this, path, "manifests");
+  zarfYamlChart = (zarfYamlGenerator, path) => zarfYamlGenerator(this, path, "charts");
+  allYaml = async (yamlGenerationFunction, imagePullSecret) => {
     this.capabilities = await loadCapabilities(this.path);
     for (const capability of this.capabilities) {
       namespaceComplianceValidator(capability, this.alwaysIgnore?.namespaces);
     }
-    const webhooks = {
-      mutate: await webhookConfig(this, "mutate", this.config.webhookTimeout),
-      validate: await webhookConfig(this, "validate", this.config.webhookTimeout)
-    };
-    const code = await import_fs4.promises.readFile(this.path);
-    this.hash = import_crypto2.default.createHash("sha256").update(code).digest("hex");
+    const code = await import_fs3.promises.readFile(this.path);
+    const moduleHash = import_crypto.default.createHash("sha256").update(code).digest("hex");
     const deployments = {
-      default: getDeployment(this, this.hash, this.buildTimestamp, imagePullSecret),
-      watch: getWatcher(this, this.hash, this.buildTimestamp, imagePullSecret)
-    };
-    const assetsInputs = {
-      apiToken: this.apiToken,
-      capabilities: this.capabilities,
-      config: this.config,
-      hash: this.hash,
-      name: this.name,
-      path: this.path,
-      tls: this.tls
+      default: getDeployment(this, moduleHash, this.buildTimestamp, imagePullSecret),
+      watch: getWatcher(this, moduleHash, this.buildTimestamp, imagePullSecret)
     };
-    return generateAllYaml(webhooks, deployments, assetsInputs);
+    return yamlGenerationFunction(this, deployments);
   };
   writeWebhookFiles = async (validateWebhook, mutateWebhook, helm) => {
     if (validateWebhook || mutateWebhook) {
-      await import_fs4.promises.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
-      await import_fs4.promises.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
+      await import_fs3.promises.writeFile(helm.files.admissionDeploymentYaml, dedent(admissionDeployTemplate(this.buildTimestamp)));
+      await import_fs3.promises.writeFile(helm.files.admissionServiceMonitorYaml, dedent(serviceMonitorTemplate("admission")));
     }
     if (mutateWebhook) {
-      await import_fs4.promises.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this.name, this.config, mutateWebhook));
+      await import_fs3.promises.writeFile(helm.files.mutationWebhookYaml, createWebhookYaml(this.name, this.config, mutateWebhook));
     }
     if (validateWebhook) {
-      await import_fs4.promises.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this.name, this.config, validateWebhook));
+      await import_fs3.promises.writeFile(helm.files.validationWebhookYaml, createWebhookYaml(this.name, this.config, validateWebhook));
     }
   };
-  generateHelmChart = async (basePath) => {
+  generateHelmChart = async (webhookGeneratorFunction, basePath) => {
     const helm = helmLayout(basePath, this.config.uuid);
     try {
       await Promise.all(
         Object.values(helm.dirs).sort((l, r) => l.split("/").length - r.split("/").length).map(async (dir) => await createDirectoryIfNotExists(dir))
       );
-      const code = await import_fs4.promises.readFile(this.path);
+      const code = await import_fs3.promises.readFile(this.path);
+      const moduleHash = import_crypto.default.createHash("sha256").update(code).digest("hex");
       const pairs = [
         [helm.files.chartYaml, () => dedent(chartYaml(this.config.uuid, this.config.description || ""))],
         [helm.files.namespaceYaml, () => dedent(namespaceTemplate())],
@@ -1785,27 +1493,27 @@ var Assets = class {
         [helm.files.clusterRoleYaml, () => dedent(clusterRoleTemplate())],
         [helm.files.clusterRoleBindingYaml, () => toYaml(clusterRoleBinding(this.name))],
         [helm.files.serviceAccountYaml, () => toYaml(serviceAccount(this.name))],
-        [helm.files.moduleSecretYaml, () => toYaml(getModuleSecret(this.name, code, this.hash))]
+        [helm.files.moduleSecretYaml, () => toYaml(getModuleSecret(this.name, code, moduleHash))]
       ];
-      await Promise.all(pairs.map(async ([file, content]) => await import_fs4.promises.writeFile(file, content())));
+      await Promise.all(pairs.map(async ([file, content]) => await import_fs3.promises.writeFile(file, content())));
       const overrideData = {
-        hash: this.hash,
+        hash: moduleHash,
         name: this.name,
         image: this.image,
         config: this.config,
         apiToken: this.apiToken,
         capabilities: this.capabilities
       };
-      await overridesFile(overrideData, helm.files.valuesYaml);
-      const [mutateWebhook, validateWebhook] = await Promise.all([
-        webhookConfig(this, "mutate", this.config.webhookTimeout),
-        webhookConfig(this, "validate", this.config.webhookTimeout)
-      ]);
-      await this.writeWebhookFiles(validateWebhook, mutateWebhook, helm);
-      const watchDeployment = getWatcher(this, this.hash, this.buildTimestamp);
+      await overridesFile(overrideData, helm.files.valuesYaml, this.imagePullSecrets);
+      const webhooks = {
+        mutate: await webhookGeneratorFunction(this, "mutate" /* MUTATE */, this.config.webhookTimeout),
+        validate: await webhookGeneratorFunction(this, "validate" /* VALIDATE */, this.config.webhookTimeout)
+      };
+      await this.writeWebhookFiles(webhooks.validate, webhooks.mutate, helm);
+      const watchDeployment = getWatcher(this, moduleHash, this.buildTimestamp);
       if (watchDeployment) {
-        await import_fs4.promises.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
-        await import_fs4.promises.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
+        await import_fs3.promises.writeFile(helm.files.watcherDeploymentYaml, dedent(watcherDeployTemplate(this.buildTimestamp)));
+        await import_fs3.promises.writeFile(helm.files.watcherServiceMonitorYaml, dedent(serviceMonitorTemplate("watcher")));
       }
     } catch (err) {
       console.error(`Error generating helm chart: ${err.message}`);
@@ -2021,7 +1729,7 @@ var gitIgnore = "# Ignore node_modules and Pepr build artifacts\nnode_modules\nd
 var readmeMd = '# Pepr Module\n\nThis is a Pepr Module. [Pepr](https://github.com/defenseunicorns/pepr) is a type-safe Kubernetes middleware system.\n\nThe `capabilities` directory contains all the capabilities for this module. By default,\na capability is a single typescript file in the format of `capability-name.ts` that is\nimported in the root `pepr.ts` file as `import { HelloPepr } from "./capabilities/hello-pepr";`.\nBecause this is typescript, you can organize this however you choose, e.g. creating a sub-folder\nper-capability or common logic in shared files or folders.\n\nExample Structure:\n\n```\nModule Root\n\u251C\u2500\u2500 package.json\n\u251C\u2500\u2500 pepr.ts\n\u2514\u2500\u2500 capabilities\n    \u251C\u2500\u2500 example-one.ts\n    \u251C\u2500\u2500 example-three.ts\n    \u2514\u2500\u2500 example-two.ts\n```\n';
 var peprTS = 'import { PeprModule } from "pepr";\n// cfg loads your pepr configuration from package.json\nimport cfg from "./package.json";\n\n// HelloPepr is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\nimport { HelloPepr } from "./capabilities/hello-pepr";\n\n/**\n * This is the main entrypoint for this Pepr module. It is run when the module is started.\n * This is where you register your Pepr configurations and capabilities.\n */\nnew PeprModule(cfg, [\n  // "HelloPepr" is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\n  HelloPepr,\n\n  // Your additional capabilities go here\n]);\n';
 var helloPeprTS = 'import {\n  Capability,\n  K8s,\n  Log,\n  PeprMutateRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n  kind,\n} from "pepr";\nimport { MockAgent, setGlobalDispatcher } from "undici";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you run `pepr dev`and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new action, use \'Store\' to persist data\nconst { When, Store } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Mutate(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Watch Action with K8s SSA (Namespace)                           *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action watches for the `pepr-demo-2` namespace to be created, then creates a ConfigMap with\n * the name `pepr-ssa-demo` and adds the namespace UID to the ConfigMap data. Because Pepr uses\n * server-side apply for this operation, the ConfigMap will be created or updated if it already exists.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .WithName("pepr-demo-2")\n  .Watch(async ns => {\n    Log.info("Namespace pepr-demo-2 was created.");\n\n    try {\n      // Apply the ConfigMap using K8s server-side apply\n      await K8s(kind.ConfigMap).Apply({\n        metadata: {\n          name: "pepr-ssa-demo",\n          namespace: "pepr-demo-2",\n        },\n        data: {\n          "ns-uid": ns.metadata.uid,\n        },\n      });\n    } catch (error) {\n      // You can use the Log object to log messages to the Pepr controller pod\n      Log.error(error, "Failed to apply ConfigMap using server-side apply.");\n    }\n\n    // You can share data between actions using the Store, including between different types of actions\n    Store.setItem("watch-data", "This data was stored by a Watch Action.");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too");\n\n    // Use the Store to persist data between requests and Pepr controller pods\n    Store.setItem("example-1", "was-here");\n\n    // This data is written asynchronously and can be read back via `Store.getItem()` or `Store.subscribe()`\n    Store.setItem("example-1-data", JSON.stringify(request.Raw.data));\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate & Validate Actions (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This combines 3 different types of actions: \'Mutate\', \'Validate\', and \'Watch\'. The order\n * of the actions is required, but each action is optional. In this example, when a ConfigMap is created\n * with the name `example-2`, then add a label and annotation, validate that the ConfigMap has the label\n * `pepr`, and log the request.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    // This Mutate Action will mutate the request before it is persisted to the cluster\n\n    // Use `request.Merge()` to merge the new data with the existing data\n    request.Merge({\n      metadata: {\n        labels: {\n          pepr: "was-here",\n        },\n        annotations: {\n          "pepr.dev": "annotations-work-too",\n        },\n      },\n    });\n  })\n  .Validate(request => {\n    // This Validate Action will validate the request before it is persisted to the cluster\n\n    // Approve the request if the ConfigMap has the label \'pepr\'\n    if (request.HasLabel("pepr")) {\n      return request.Approve();\n    }\n\n    // Otherwise, deny the request with an error message (optional)\n    return request.Deny("ConfigMap must have label \'pepr\'");\n  })\n  .Watch((cm, phase) => {\n    // This Watch Action will watch the ConfigMap after it has been persisted to the cluster\n    Log.info(cm, `ConfigMap was ${phase} with the name example-2`);\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 2a)                               *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action shows a simple validation that will deny any ConfigMap that has the\n * annotation `evil`. Note that the `Deny()` function takes an optional second parameter that is a\n * user-defined status code to return.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .Validate(request => {\n    if (request.HasAnnotation("evil")) {\n      return request.Deny("No evil CM annotations allowed.", 400);\n    }\n\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Mutate(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n// This action validates the label `change=by-label` is deleted\nWhen(a.ConfigMap)\n  .IsDeleted()\n  .WithLabel("change", "by-label")\n  .Validate(request => {\n    // Log and then always approve the request\n    Log.info("CM with label \'change=by-label\' was deleted.");\n    return request.Approve();\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action show how you can use the `Mutate()` function without an inline function.\n * This is useful if you want to keep your actions small and focused on a single task,\n * or if you want to reuse the same function in multiple actions.\n */\nWhen(a.ConfigMap).IsCreated().WithName("example-4").Mutate(example4Cb);\n\n// This function uses the complete type definition, but is not required.\nfunction example4Cb(cm: PeprMutateRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/first", "true");\n  cm.SetLabel("pepr.dev/second", "true");\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Mutate(example4Cb);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://icanhazdadjoke.com/");\n * const joke = await fetch("https://icanhazdadjoke.com/") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://icanhazdadjoke.com")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  id: string;\n  joke: string;\n  status: number;\n}\n\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("chuck-norris")\n  .Mutate(cm => cm.SetLabel("got-jokes", "true"))\n  .Watch(async cm => {\n    const jokeURL = "https://icanhazdadjoke.com";\n\n    const mockAgent: MockAgent = new MockAgent();\n    setGlobalDispatcher(mockAgent);\n    const mockClient = mockAgent.get(jokeURL);\n    mockClient.intercept({ path: "/", method: "GET" }).reply(\n      200,\n      {\n        id: "R7UfaahVfFd",\n        joke: "Funny joke goes here.",\n        status: 200,\n      },\n      {\n        headers: {\n          "Content-Type": "application/json; charset=utf-8",\n        },\n      },\n    );\n\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(jokeURL, {\n      headers: {\n        Accept: "application/json",\n      },\n    });\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      const { joke } = response.data;\n      // Add Joke to the Store\n      await Store.setItemAndWait(jokeURL, joke);\n      // Add the Chuck Norris joke to the configmap\n      try {\n        await K8s(kind.ConfigMap).Apply({\n          metadata: {\n            name: cm.metadata.name,\n            namespace: cm.metadata.namespace,\n          },\n          data: {\n            "chuck-says": Store.getItem(jokeURL),\n          },\n        });\n      } catch (error) {\n        Log.error(error, "Failed to apply ConfigMap using server-side apply.", {\n          cm,\n        });\n      }\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Mutate(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr without type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   Mutate Action (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all actions, but we are putting it here for demonstration purposes.\n *\n * You will need to wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .Mutate(request => {\n    request.Merge({\n      spec: {\n        message: "Hello Pepr with type data!",\n        counter: Math.random(),\n      },\n    });\n  });\n\n/**\n * A callback function that is called once the Pepr Store is fully loaded.\n */\nStore.onReady(data => {\n  Log.info(data, "Pepr Store Ready");\n});\n';
-var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, files: ["/dist", "/src", "!src/**/*.test.ts", "!dist/**/*.test.d.ts*"], version: "0.42.3", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { ci: "npm ci", "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", version: "node scripts/set-version.js", build: "tsc && node build.mjs && npm pack", "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'", "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run", "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi", "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system", "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade", "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts", "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write", prepare: `if [ "$NODE_ENV" != 'production' ]; then husky; fi` }, dependencies: { "@types/ramda": "0.30.2", express: "4.21.2", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", "kubernetes-fluent-client": "3.3.7", pino: "9.6.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", ramda: "0.30.1", sigstore: "3.0.0" }, devDependencies: { "@commitlint/cli": "19.6.1", "@commitlint/config-conventional": "19.6.0", "@fast-check/jest": "^2.0.1", "@jest/globals": "29.7.0", "@types/eslint": "9.6.1", "@types/express": "5.0.0", "@types/follow-redirects": "1.14.4", "@types/json-pointer": "^1.0.34", "@types/node": "22.x.x", "@types/node-forge": "1.3.11", "@types/uuid": "10.0.0", "fast-check": "^3.19.0", husky: "^9.1.6", jest: "29.7.0", "js-yaml": "^4.1.0", "ts-jest": "29.2.5", undici: "^7.0.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", "@types/prompts": "2.4.9", eslint: "8.57.0", commander: "12.1.0", esbuild: "0.24.0", "node-forge": "1.3.1", prettier: "3.4.2", prompts: "2.4.2", typescript: "^5.3.3", uuid: "11.0.3" } };
+var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, files: ["/dist", "/src", "!src/**/*.test.ts", "!dist/**/*.test.d.ts*"], version: "0.44.0", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { ci: "npm ci", "gen-data-json": "node hack/build-template-data.js", prebuild: "rm -fr dist/* && npm run gen-data-json", version: "node scripts/set-version.js", build: "tsc && node build.mjs && npm pack", "build:image": "npm run build && docker buildx build --output type=docker --tag pepr:dev .", test: "npm run test:unit && npm run test:journey", "test:unit": "npm run gen-data-json && jest src --coverage --detectOpenHandles --coverageDirectory=./coverage --testPathIgnorePatterns='cosign.e2e.test.ts'", "test:integration": "npm run test:integration:prep && npm run test:integration:run", "test:integration:prep": "./integration/prep.sh", "test:integration:run": "jest --maxWorkers=4 integration", "test:journey": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run", "test:journey:prep": "if [ ! -d ./pepr-upgrade-test ]; then git clone https://github.com/defenseunicorns/pepr-upgrade-test.git ; fi", "test:journey-wasm": "npm run test:journey:k3d && npm run build && npm run test:journey:image && npm run test:journey:run-wasm", "test:journey:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0' --wait && kubectl rollout status deployment -n kube-system", "test:journey:image": "docker buildx build --output type=docker --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:journey:run": "jest --detectOpenHandles journey/entrypoint.test.ts && npm run test:journey:prep && npm run test:journey:upgrade", "test:journey:run-wasm": "jest --detectOpenHandles journey/entrypoint-wasm.test.ts", "test:journey:upgrade": "npm run test:journey:k3d && npm run test:journey:image && jest --detectOpenHandles journey/pepr-upgrade.test.ts", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write", prepare: `if [ "$NODE_ENV" != 'production' ]; then husky; fi` }, dependencies: { "@types/ramda": "0.30.2", express: "4.21.2", "fast-json-patch": "3.1.1", "follow-redirects": "1.15.9", "http-status-codes": "^2.3.0", "json-pointer": "^0.6.2", "kubernetes-fluent-client": "3.3.8", pino: "9.6.0", "pino-pretty": "13.0.0", "prom-client": "15.1.3", ramda: "0.30.1", sigstore: "3.0.0" }, devDependencies: { "@commitlint/cli": "19.6.1", "@commitlint/config-conventional": "19.6.0", "@fast-check/jest": "^2.0.1", "@jest/globals": "29.7.0", "@types/eslint": "9.6.1", "@types/express": "5.0.0", "@types/follow-redirects": "1.14.4", "@types/json-pointer": "^1.0.34", "@types/node": "22.x.x", "@types/node-forge": "1.3.11", "@types/uuid": "10.0.0", "fast-check": "^3.19.0", husky: "^9.1.6", jest: "29.7.0", "js-yaml": "^4.1.0", "ts-jest": "29.2.5", undici: "^7.0.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", "@types/prompts": "2.4.9", eslint: "8.57.0", commander: "12.1.0", esbuild: "0.24.0", "node-forge": "1.3.1", prettier: "3.4.2", prompts: "2.4.2", typescript: "^5.3.3", uuid: "11.0.3" } };
 
 // src/templates/pepr.code-snippets.json
 var pepr_code_snippets_default = {
@@ -2080,7 +1788,7 @@ var tsconfig_module_default = {
 };
 
 // src/cli/init/utils.ts
-var import_fs5 = require("fs");
+var import_fs4 = require("fs");
 function sanitizeName(name2) {
   if (typeof name2 !== "string") {
     throw TypeError(
@@ -2094,7 +1802,7 @@ function sanitizeName(name2) {
 }
 async function createDir(dir) {
   try {
-    await import_fs5.promises.mkdir(dir);
+    await import_fs4.promises.mkdir(dir);
   } catch (err) {
     if (err && err.code === "EEXIST") {
       throw new Error(`Directory ${dir} already exists`);
@@ -2107,11 +1815,11 @@ function write(path, data) {
   if (typeof data !== "string") {
     data = JSON.stringify(data, null, 2);
   }
-  return import_fs5.promises.writeFile(path, data);
+  return import_fs4.promises.writeFile(path, data);
 }
 
 // src/cli/init/templates.ts
-var { dependencies, devDependencies, peerDependencies, scripts, version: version2 } = packageJSON;
+var { dependencies, devDependencies, peerDependencies, scripts, version } = packageJSON;
 function genPkgJSON(opts, pgkVerOverride) {
   const uuid = (0, import_uuid.v5)(opts.name, (0, import_uuid.v4)());
   const name2 = sanitizeName(opts.name);
@@ -2147,7 +1855,7 @@ function genPkgJSON(opts, pgkVerOverride) {
       "k3d-setup": scripts["test:journey:k3d"]
     },
     dependencies: {
-      pepr: pgkVerOverride || version2,
+      pepr: pgkVerOverride || version,
       undici: "^7.0.1"
     },
     devDependencies: {
@@ -2210,85 +1918,244 @@ var import_commander = require("commander");
 var import_eslint = require("eslint");
 
 // src/cli/format.helpers.ts
-var import_fs6 = require("fs");
+var import_fs5 = require("fs");
 var import_prettier = require("prettier");
 async function formatWithPrettier(results, validateOnly) {
   let hasFailure = false;
   for (const { filePath } of results) {
-    const content = await import_fs6.promises.readFile(filePath, "utf8");
+    const content = await import_fs5.promises.readFile(filePath, "utf8");
     const cfg = await (0, import_prettier.resolveConfig)(filePath);
     const formatted = await (0, import_prettier.format)(content, { filepath: filePath, ...cfg });
     if (validateOnly && formatted !== content) {
       hasFailure = true;
       console.error(`File ${filePath} is not formatted correctly`);
     } else {
-      await import_fs6.promises.writeFile(filePath, formatted);
+      await import_fs5.promises.writeFile(filePath, formatted);
     }
   }
   return hasFailure;
 }
 
-// src/cli/format.ts
-function format_default(program2) {
-  program2.command("format").description("Lint and format this Pepr module").option("-v, --validate-only", "Do not modify files, only validate formatting").action(async (opts) => {
-    const success = await peprFormat(opts.validateOnly);
-    if (success) {
-      console.info("\u2705 Module formatted");
-    } else {
-      process.exit(1);
-    }
-  });
-}
-async function peprFormat(validateOnly) {
-  {
-    try {
-      const eslint2 = new import_eslint.ESLint();
-      const results = await eslint2.lintFiles(["./**/*.ts"]);
-      let hasFailure = false;
-      results.forEach(async (result) => {
-        const errorCount = result.fatalErrorCount + result.errorCount;
-        if (errorCount > 0) {
-          hasFailure = true;
-        }
-      });
-      const formatter = await eslint2.loadFormatter("stylish");
-      const resultText = await formatter.format(results, {});
-      if (resultText) {
-        console.log(resultText);
-      }
-      if (!validateOnly) {
-        await import_eslint.ESLint.outputFixes(results);
-      }
-      hasFailure = await formatWithPrettier(results, validateOnly);
-      return !hasFailure;
-    } catch (e) {
-      console.error(`Error formatting module:`, e);
-      return false;
-    }
-  }
+// src/cli/format.ts
+function format_default(program2) {
+  program2.command("format").description("Lint and format this Pepr module").option("-v, --validate-only", "Do not modify files, only validate formatting").action(async (opts) => {
+    const success = await peprFormat(opts.validateOnly);
+    if (success) {
+      console.info("\u2705 Module formatted");
+    } else {
+      process.exit(1);
+    }
+  });
+}
+async function peprFormat(validateOnly) {
+  {
+    try {
+      const eslint2 = new import_eslint.ESLint();
+      const results = await eslint2.lintFiles(["./**/*.ts"]);
+      let hasFailure = false;
+      results.forEach(async (result) => {
+        const errorCount = result.fatalErrorCount + result.errorCount;
+        if (errorCount > 0) {
+          hasFailure = true;
+        }
+      });
+      const formatter = await eslint2.loadFormatter("stylish");
+      const resultText = await formatter.format(results, {});
+      if (resultText) {
+        console.log(resultText);
+      }
+      if (!validateOnly) {
+        await import_eslint.ESLint.outputFixes(results);
+      }
+      hasFailure = await formatWithPrettier(results, validateOnly);
+      return !hasFailure;
+    } catch (e) {
+      console.error(`Error formatting module:`, e);
+      return false;
+    }
+  }
+}
+
+// src/lib/included-files.ts
+var import_fs6 = require("fs");
+async function createDockerfile(version3, description, includedFiles) {
+  const file = `
+    # Use an official Node.js runtime as the base image
+    FROM ghcr.io/defenseunicorns/pepr/controller:v${version3}
+  
+    LABEL description="${description}"
+    
+    # Add the included files to the image
+    ${includedFiles.map((f) => `ADD ${f} ${f}`).join("\n")}
+  
+    `;
+  await import_fs6.promises.writeFile("Dockerfile.controller", file, { encoding: "utf-8" });
+}
+
+// src/cli/build.helpers.ts
+var import_child_process2 = require("child_process");
+var import_esbuild = require("esbuild");
+var import_path2 = require("path");
+var import_fs8 = require("fs");
+
+// src/lib/assets/yaml/generateAllYaml.ts
+var import_crypto2 = __toESM(require("crypto"));
+var import_client_node4 = require("@kubernetes/client-node");
+var import_fs7 = require("fs");
+
+// src/lib/assets/webhooks.ts
+var import_ramda = require("ramda");
+var peprIgnoreNamespaces = ["kube-system", "pepr-system"];
+var validateRule = (binding, isMutateWebhook) => {
+  const { event, kind: kind8, isMutate, isValidate } = binding;
+  if (isMutateWebhook && !isMutate || !isMutateWebhook && !isValidate) {
+    return void 0;
+  }
+  const operations = event === "CREATEORUPDATE" /* CREATE_OR_UPDATE */ ? ["CREATE" /* CREATE */, "UPDATE" /* UPDATE */] : [event];
+  const resource = kind8.plural || `${kind8.kind.toLowerCase()}s`;
+  const ruleObject = {
+    apiGroups: [kind8.group],
+    apiVersions: [kind8.version || "*"],
+    operations,
+    resources: [resource, ...resource === "pods" ? ["pods/ephemeralcontainers"] : []]
+  };
+  return ruleObject;
+};
+function resolveIgnoreNamespaces(ignoredNSConfig = []) {
+  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
+  if (!ignoredNSEnv) {
+    return ignoredNSConfig;
+  }
+  const namespaces = ignoredNSEnv.split(",").map((ns) => ns.trim());
+  if (ignoredNSConfig) {
+    namespaces.push(...ignoredNSConfig);
+  }
+  return namespaces.filter((ns) => ns.length > 0);
+}
+async function generateWebhookRules(assets, isMutateWebhook) {
+  const { config, capabilities } = assets;
+  const rules = capabilities.flatMap((capability) => {
+    console.info(`Module ${config.uuid} has capability: ${capability.name}`);
+    return capability.bindings.map((binding) => validateRule(binding, isMutateWebhook)).filter((rule) => !!rule);
+  });
+  return (0, import_ramda.uniqWith)(import_ramda.equals, rules);
+}
+async function webhookConfigGenerator(assets, mutateOrValidate, timeoutSeconds = 10) {
+  const ignore = [];
+  const { name: name2, tls, config, apiToken, host } = assets;
+  const ignoreNS = (0, import_ramda.concat)(peprIgnoreNamespaces, resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces));
+  if (ignoreNS) {
+    ignore.push({
+      key: "kubernetes.io/metadata.name",
+      operator: "NotIn",
+      values: ignoreNS
+    });
+  }
+  const clientConfig = {
+    caBundle: tls.ca
+  };
+  const apiPath = `/${mutateOrValidate}/${apiToken}`;
+  if (host) {
+    clientConfig.url = `https://${host}:3000${apiPath}`;
+  } else {
+    clientConfig.service = {
+      name: name2,
+      namespace: "pepr-system",
+      path: apiPath
+    };
+  }
+  const isMutate = mutateOrValidate === "mutate" /* MUTATE */;
+  const rules = await generateWebhookRules(assets, isMutate);
+  if (rules.length < 1) {
+    return null;
+  }
+  return {
+    apiVersion: "admissionregistration.k8s.io/v1",
+    kind: isMutate ? "MutatingWebhookConfiguration" : "ValidatingWebhookConfiguration",
+    metadata: { name: name2 },
+    webhooks: [
+      {
+        name: `${name2}.pepr.dev`,
+        admissionReviewVersions: ["v1", "v1beta1"],
+        clientConfig,
+        failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
+        matchPolicy: "Equivalent",
+        timeoutSeconds,
+        namespaceSelector: {
+          matchExpressions: ignore
+        },
+        rules,
+        // @todo: track side effects state
+        sideEffects: "None"
+      }
+    ]
+  };
+}
+
+// src/lib/assets/yaml/generateAllYaml.ts
+async function generateAllYaml(assets, deployments) {
+  const { name: name2, tls, apiToken, path, config } = assets;
+  const code = await import_fs7.promises.readFile(path);
+  const hash = import_crypto2.default.createHash("sha256").update(code).digest("hex");
+  const resources = [
+    getNamespace(assets.config.customLabels?.namespace),
+    clusterRole(name2, assets.capabilities, config.rbacMode, config.rbac),
+    clusterRoleBinding(name2),
+    serviceAccount(name2),
+    apiTokenSecret(name2, apiToken),
+    tlsSecret(name2, tls),
+    deployments.default,
+    service(name2),
+    watcherService(name2),
+    getModuleSecret(name2, code, hash),
+    storeRole(name2),
+    storeRoleBinding(name2)
+  ];
+  const webhooks = {
+    mutate: await webhookConfigGenerator(assets, "mutate" /* MUTATE */, assets.config.webhookTimeout),
+    validate: await webhookConfigGenerator(assets, "validate" /* VALIDATE */, assets.config.webhookTimeout)
+  };
+  const additionalResources = [webhooks.mutate, webhooks.validate, deployments.watch].filter(
+    (resource) => resource !== null && resource !== void 0
+  );
+  resources.push(...additionalResources);
+  return resources.map((resource) => (0, import_client_node4.dumpYaml)(resource, { noRefs: true })).join("---\n");
 }
 
-// src/lib/included-files.ts
-var import_fs7 = require("fs");
-async function createDockerfile(version3, description, includedFiles) {
-  const file = `
-    # Use an official Node.js runtime as the base image
-    FROM ghcr.io/defenseunicorns/pepr/controller:v${version3}
-  
-    LABEL description="${description}"
-    
-    # Add the included files to the image
-    ${includedFiles.map((f) => `ADD ${f} ${f}`).join("\n")}
-  
-    `;
-  await import_fs7.promises.writeFile("Dockerfile.controller", file, { encoding: "utf-8" });
+// src/lib/assets/yaml/generateZarfYaml.ts
+var import_client_node5 = require("@kubernetes/client-node");
+function generateZarfYamlGeneric(assets, path, type) {
+  const manifestSettings = {
+    name: "module",
+    namespace: "pepr-system",
+    files: [path]
+  };
+  const chartSettings = {
+    name: "module",
+    namespace: "pepr-system",
+    version: `${assets.config.appVersion || "0.0.1"}`,
+    localPath: path
+  };
+  const component = {
+    name: "module",
+    required: true,
+    images: [assets.image],
+    [type]: [type === "manifests" ? manifestSettings : chartSettings]
+  };
+  const zarfCfg = {
+    kind: "ZarfPackageConfig",
+    metadata: {
+      name: assets.name,
+      description: `Pepr Module: ${assets.config.description}`,
+      url: "https://github.com/defenseunicorns/pepr",
+      version: `${assets.config.appVersion || "0.0.1"}`
+    },
+    components: [component]
+  };
+  return (0, import_client_node5.dumpYaml)(zarfCfg, { noRefs: true });
 }
 
 // src/cli/build.helpers.ts
-var import_child_process2 = require("child_process");
-var import_esbuild = require("esbuild");
-var import_path2 = require("path");
-var import_fs8 = require("fs");
 function determineRbacMode(opts, cfg) {
   if (opts.rbacMode) {
     return opts.rbacMode;
@@ -2323,17 +2190,6 @@ function validImagePullSecret(imagePullSecretName) {
     }
   }
 }
-function handleCustomImage(customImage, registry) {
-  let defaultImage = "";
-  if (customImage) {
-    if (registry) {
-      console.error(`Custom Image and registry cannot be used together.`);
-      process.exit(1);
-    }
-    defaultImage = customImage;
-  }
-  return defaultImage;
-}
 async function handleCustomImageBuild(includedFiles, peprVersion, description, image) {
   if (includedFiles.length > 0) {
     await createDockerfile(peprVersion, description, includedFiles);
@@ -2372,17 +2228,17 @@ async function generateYamlAndWriteToDisk(obj) {
   const yamlFile = `pepr-module-${uuid}.yaml`;
   const chartPath = `${uuid}-chart`;
   const yamlPath = (0, import_path2.resolve)(outputDir2, yamlFile);
-  const yaml = await assets.allYaml(imagePullSecret);
+  const yaml = await assets.allYaml(generateAllYaml, imagePullSecret);
   const zarfPath = (0, import_path2.resolve)(outputDir2, "zarf.yaml");
   let localZarf = "";
   if (zarf === "chart") {
-    localZarf = assets.zarfYamlChart(chartPath);
+    localZarf = assets.zarfYamlChart(generateZarfYamlGeneric, chartPath);
   } else {
-    localZarf = assets.zarfYaml(yamlFile);
+    localZarf = assets.zarfYaml(generateZarfYamlGeneric, yamlFile);
   }
   await import_fs8.promises.writeFile(yamlPath, yaml);
   await import_fs8.promises.writeFile(zarfPath, localZarf);
-  await assets.generateHelmChart(outputDir2);
+  await assets.generateHelmChart(webhookConfigGenerator, outputDir2);
   console.info(`\u2705 K8s resource for the module saved to ${yamlPath}`);
 }
 
@@ -2393,27 +2249,34 @@ function build_default(program2) {
   program2.command("build").description("Build a Pepr Module for deployment").option("-e, --entry-point [file]", "Specify the entry point file to build with.", peprTS2).option(
     "-n, --no-embed",
     "Disables embedding of deployment files into output module.  Useful when creating library modules intended solely for reuse/distribution via NPM."
-  ).option(
-    "-i, --custom-image <custom-image>",
-    "Custom Image: Use custom image for Admission and Watch Deployments."
-  ).option(
-    "-r, --registry-info [<registry>/<username>]",
-    "Registry Info: Image registry and username. Note: You must be signed into the registry"
+  ).addOption(
+    new import_commander.Option(
+      "-i, --custom-image <custom-image>",
+      "Specify a custom image (including version) for Admission and Watch Deployments. Example: 'docker.io/username/custom-pepr-controller:v1.0.0'"
+    ).conflicts(["version", "registryInfo", "registry"])
+  ).addOption(
+    new import_commander.Option(
+      "-r, --registry-info [<registry>/<username>]",
+      "Provide the image registry and username for building and pushing a custom WASM container. Requires authentication. Builds and pushes 'registry/username/custom-pepr-controller:<current-version>'."
+    ).conflicts(["customImage", "version", "registry"])
   ).option("-o, --output-dir <output directory>", "Define where to place build output").option(
     "--timeout <timeout>",
     "How long the API server should wait for a webhook to respond before treating the call as a failure",
     parseTimeout
-  ).option(
-    "-v, --version <version>. Example: '0.27.3'",
-    "The version of the Pepr image to use in the deployment manifests."
+  ).addOption(
+    new import_commander.Option(
+      "-v, --version <version>",
+      "The version of the Pepr image to use in the deployment manifests. Example: '0.27.3'."
+    ).conflicts(["customImage", "registryInfo"])
   ).option(
     "--withPullSecret <imagePullSecret>",
-    "Image Pull Secret: Use image pull secret for controller Deployment."
+    "Image Pull Secret: Use image pull secret for controller Deployment.",
+    ""
   ).addOption(
     new import_commander.Option(
       "--registry <GitHub|Iron Bank>",
       "Container registry: Choose container registry for deployment manifests. Can't be used with --custom-image."
-    ).choices(["GitHub", "Iron Bank"])
+    ).conflicts(["customImage", "registryInfo"]).choices(["GitHub", "Iron Bank"])
   ).addOption(
     new import_commander.Option(
       "-z, --zarf [manifest|chart]",
@@ -2429,7 +2292,7 @@ function build_default(program2) {
     if (buildModuleResult?.cfg && buildModuleResult.path && buildModuleResult.uuid) {
       const { cfg, path, uuid } = buildModuleResult;
       const { includedFiles } = cfg.pepr;
-      let image = handleCustomImage(opts.customImage, opts.registry);
+      let image = opts.customImage || "";
       if (opts.timeout !== void 0) {
         cfg.pepr.webhookTimeout = opts.timeout;
       }
@@ -2445,10 +2308,14 @@ function build_default(program2) {
           ...cfg.pepr,
           appVersion: cfg.version,
           description: cfg.description,
+          alwaysIgnore: {
+            namespaces: cfg.pepr.alwaysIgnore?.namespaces
+          },
           // Can override the rbacMode with the CLI option
           rbacMode: determineRbacMode(opts, cfg)
         },
-        path
+        path,
+        opts.withPullSecret === "" ? [] : [opts.withPullSecret]
       );
       image = checkIronBankImage(opts.registry, image, cfg.pepr.peprVersion);
       image !== "" ? assets.image = image : null;
@@ -2484,7 +2351,7 @@ async function loadModule(entryPoint = peprTS2) {
   const cfg = JSON.parse(moduleText);
   const { uuid } = cfg.pepr;
   const name2 = `pepr-${uuid}.js`;
-  cfg.pepr.peprVersion = version2;
+  cfg.pepr.peprVersion = version;
   if (!uuid) {
     throw new Error("Could not load the uuid in package.json");
   }
@@ -2590,6 +2457,169 @@ async function checkFormat() {
 // src/cli/deploy.ts
 var import_prompts = __toESM(require("prompts"));
 
+// src/lib/assets/deploy.ts
+var import_crypto3 = __toESM(require("crypto"));
+var import_fs10 = require("fs");
+var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
+
+// src/lib/k8s.ts
+var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
+var Store = class extends import_kubernetes_fluent_client2.GenericKind {
+};
+var peprStoreGVK = {
+  kind: "PeprStore",
+  version: "v1",
+  group: "pepr.dev"
+};
+(0, import_kubernetes_fluent_client2.RegisterKind)(Store, peprStoreGVK);
+
+// src/lib/assets/store.ts
+var { group, version: version2, kind: kind2 } = peprStoreGVK;
+var singular = kind2.toLocaleLowerCase();
+var plural = `${singular}s`;
+var name = `${plural}.${group}`;
+var peprStoreCRD = {
+  apiVersion: "apiextensions.k8s.io/v1",
+  kind: "CustomResourceDefinition",
+  metadata: {
+    name
+  },
+  spec: {
+    group,
+    versions: [
+      {
+        // typescript doesn't know this is really already set, which is kind of annoying
+        name: version2 || "v1",
+        served: true,
+        storage: true,
+        schema: {
+          openAPIV3Schema: {
+            type: "object",
+            properties: {
+              data: {
+                type: "object",
+                additionalProperties: {
+                  type: "string"
+                }
+              }
+            }
+          }
+        }
+      }
+    ],
+    scope: "Namespaced",
+    names: {
+      plural,
+      singular,
+      kind: kind2
+    }
+  }
+};
+
+// src/lib/assets/deploy.ts
+async function deployImagePullSecret(imagePullSecret, name2) {
+  try {
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Get("pepr-system");
+  } catch {
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace());
+  }
+  try {
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(
+      {
+        apiVersion: "v1",
+        kind: "Secret",
+        metadata: {
+          name: name2,
+          namespace: "pepr-system"
+        },
+        type: "kubernetes.io/dockerconfigjson",
+        data: {
+          ".dockerconfigjson": Buffer.from(JSON.stringify(imagePullSecret)).toString("base64")
+        }
+      },
+      { force: true }
+    );
+  } catch (e) {
+    logger_default.error(e);
+  }
+}
+async function handleWebhookConfiguration(assets, type, webhookTimeout, force) {
+  const kindMap = {
+    mutate: import_kubernetes_fluent_client3.kind.MutatingWebhookConfiguration,
+    validate: import_kubernetes_fluent_client3.kind.ValidatingWebhookConfiguration
+  };
+  const webhookConfig = await webhookConfigGenerator(assets, type, webhookTimeout);
+  if (webhookConfig) {
+    logger_default.info(`Applying ${type} webhook`);
+    await (0, import_kubernetes_fluent_client3.K8s)(kindMap[type]).Apply(webhookConfig, { force });
+  } else {
+    logger_default.info(`${type.charAt(0).toUpperCase() + type.slice(1)} webhook not needed, removing if it exists`);
+    await (0, import_kubernetes_fluent_client3.K8s)(kindMap[type]).Delete(assets.name);
+  }
+}
+async function deployWebhook(assets, force, webhookTimeout) {
+  logger_default.info("Establishing connection to Kubernetes");
+  logger_default.info("Applying pepr-system namespace");
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Namespace).Apply(getNamespace(assets.config.customLabels?.namespace));
+  await handleWebhookConfiguration(assets, "mutate" /* MUTATE */, webhookTimeout, force);
+  await handleWebhookConfiguration(assets, "validate" /* VALIDATE */, webhookTimeout, force);
+  logger_default.info("Applying the Pepr Store CRD if it doesn't exist");
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.CustomResourceDefinition).Apply(peprStoreCRD, { force });
+  if (assets.host) return;
+  const code = await import_fs10.promises.readFile(assets.path);
+  if (!code.length) throw new Error("No code provided");
+  const hash = import_crypto3.default.createHash("sha256").update(code).digest("hex");
+  await setupRBAC(assets.name, assets.capabilities, force, assets.config);
+  await setupController(assets, code, hash, force);
+  await setupWatcher(assets, hash, force);
+}
+async function setupRBAC(name2, capabilities, force, config) {
+  const { rbacMode, rbac } = config;
+  logger_default.info("Applying cluster role binding");
+  const crb = clusterRoleBinding(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRoleBinding).Apply(crb, { force });
+  logger_default.info("Applying cluster role");
+  const cr = clusterRole(name2, capabilities, rbacMode, rbac);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ClusterRole).Apply(cr, { force });
+  logger_default.info("Applying service account");
+  const sa = serviceAccount(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.ServiceAccount).Apply(sa, { force });
+  logger_default.info("Applying store role");
+  const role = storeRole(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Role).Apply(role, { force });
+  logger_default.info("Applying store role binding");
+  const roleBinding = storeRoleBinding(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.RoleBinding).Apply(roleBinding, { force });
+}
+async function setupController(assets, code, hash, force) {
+  const { name: name2 } = assets;
+  logger_default.info("Applying module secret");
+  const mod = getModuleSecret(name2, code, hash);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(mod, { force });
+  logger_default.info("Applying controller service");
+  const svc = service(name2);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(svc, { force });
+  logger_default.info("Applying TLS secret");
+  const tls = tlsSecret(name2, assets.tls);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(tls, { force });
+  logger_default.info("Applying API token secret");
+  const apiToken = apiTokenSecret(name2, assets.apiToken);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Secret).Apply(apiToken, { force });
+  logger_default.info("Applying deployment");
+  const dep = getDeployment(assets, hash, assets.buildTimestamp);
+  await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(dep, { force });
+}
+async function setupWatcher(assets, hash, force) {
+  const watchDeployment = getWatcher(assets, hash, assets.buildTimestamp);
+  if (watchDeployment) {
+    logger_default.info("Applying watcher deployment");
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Deployment).Apply(watchDeployment, { force });
+    logger_default.info("Applying watcher service");
+    const watchSvc = watcherService(assets.name);
+    await (0, import_kubernetes_fluent_client3.K8s)(import_kubernetes_fluent_client3.kind.Service).Apply(watchSvc, { force });
+  }
+}
+
 // src/lib/deploymentChecks.ts
 var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
 async function checkDeploymentStatus(namespace) {
@@ -2703,11 +2733,12 @@ function deploy_default(program2) {
     }
     const webhook = new Assets(
       { ...builtModule.cfg.pepr, description: builtModule.cfg.description },
-      builtModule.path
+      builtModule.path,
+      []
     );
     webhook.image = opts.image ?? webhook.image;
     try {
-      await webhook.deploy(opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
+      await webhook.deploy(deployWebhook, opts.force, builtModule.cfg.pepr.webhookTimeout ?? 10);
       validateCapabilityNames(webhook.capabilities);
       await namespaceDeploymentsReady();
       console.info(`\u2705 Module deployed successfully`);
@@ -2719,10 +2750,10 @@ function deploy_default(program2) {
 }
 
 // src/cli/dev.ts
-var import_child_process4 = require("child_process");
-var import_fs10 = require("fs");
 var import_prompts2 = __toESM(require("prompts"));
+var import_child_process4 = require("child_process");
 var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
+var import_fs11 = require("fs");
 function dev_default(program2) {
   program2.command("dev").description("Setup a local webhook development environment").option("-h, --host [host]", "Host to listen on", "host.k3d.internal").option("--confirm", "Skip confirmation prompt").action(async (opts) => {
     if (!opts.confirm) {
@@ -2742,10 +2773,11 @@ function dev_default(program2) {
         description: cfg.description
       },
       path,
+      [],
       opts.host
     );
-    await import_fs10.promises.writeFile("insecure-tls.crt", webhook.tls.pem.crt);
-    await import_fs10.promises.writeFile("insecure-tls.key", webhook.tls.pem.key);
+    await import_fs11.promises.writeFile("insecure-tls.crt", webhook.tls.pem.crt);
+    await import_fs11.promises.writeFile("insecure-tls.key", webhook.tls.pem.key);
     try {
       let program3;
       const name2 = `pepr-${cfg.pepr.uuid}`;
@@ -2753,7 +2785,7 @@ function dev_default(program2) {
       const store = `pepr-${cfg.pepr.uuid}-store`;
       const runFork = async () => {
         console.info(`Running module ${path}`);
-        await webhook.deploy(false, 30);
+        await webhook.deploy(deployWebhook, false, 30);
         try {
           validateCapabilityNames(webhook.capabilities);
         } catch (e) {
@@ -2804,7 +2836,7 @@ function dev_default(program2) {
 }
 
 // src/cli/monitor.ts
-var import_client_node4 = require("@kubernetes/client-node");
+var import_client_node6 = require("@kubernetes/client-node");
 var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
 var import_stream = __toESM(require("stream"));
 function monitor_default(program2) {
@@ -2840,9 +2872,9 @@ function getLabelsAndErrorMessage(uuid) {
   return { labels, errorMessage };
 }
 function getK8sLogFromKubeConfig() {
-  const kc = new import_client_node4.KubeConfig();
+  const kc = new import_client_node6.KubeConfig();
   kc.loadFromDefault();
-  return new import_client_node4.Log(kc);
+  return new import_client_node6.Log(kc);
 }
 function createLogStream() {
   const logStream = new import_stream.default.PassThrough();
@@ -2898,7 +2930,7 @@ var import_path4 = require("path");
 var import_prompts4 = __toESM(require("prompts"));
 
 // src/cli/init/walkthrough.ts
-var import_fs11 = require("fs");
+var import_fs12 = require("fs");
 var import_prompts3 = __toESM(require("prompts"));
 
 // src/cli/init/enums.ts
@@ -2929,7 +2961,7 @@ async function setName(name2) {
     validate: async (val) => {
       try {
         const name3 = sanitizeName(val);
-        await import_fs11.promises.access(name3, import_fs11.promises.constants.F_OK);
+        await import_fs12.promises.access(name3, import_fs12.promises.constants.F_OK);
         return "A directory with this name already exists";
       } catch (e) {
         return val.length > 2 || "The name must be at least 3 characters long";
@@ -3097,9 +3129,9 @@ function uuid_default(program2) {
     } else {
       deployments = await (0, import_kubernetes_fluent_client7.K8s)(import_kubernetes_fluent_client7.kind.Deployment).InNamespace("pepr-system").WithLabel("pepr.dev/uuid", uuid).Get();
     }
-    deployments.items.map((deploy2) => {
-      const uuid2 = deploy2.metadata?.labels?.["pepr.dev/uuid"] || "";
-      const description = deploy2.metadata?.annotations?.["pepr.dev/description"] || "";
+    deployments.items.map((deploy) => {
+      const uuid2 = deploy.metadata?.labels?.["pepr.dev/uuid"] || "";
+      const description = deploy.metadata?.annotations?.["pepr.dev/description"] || "";
       if (uuid2 !== "") {
         uuidTable[uuid2] = description;
       }
@@ -3124,7 +3156,7 @@ var RootCmd = class extends import_commander2.Command {
 
 // src/cli/update.ts
 var import_child_process6 = require("child_process");
-var import_fs12 = __toESM(require("fs"));
+var import_fs13 = __toESM(require("fs"));
 var import_path5 = require("path");
 var import_prompts5 = __toESM(require("prompts"));
 function update_default(program2) {
@@ -3164,12 +3196,12 @@ function update_default(program2) {
         await write((0, import_path5.resolve)(".vscode", snippet.path), snippet.data);
         await write((0, import_path5.resolve)(".vscode", codeSettings.path), codeSettings.data);
         const samplePath = (0, import_path5.resolve)("capabilities", samplesYaml.path);
-        if (import_fs12.default.existsSync(samplePath)) {
-          import_fs12.default.unlinkSync(samplePath);
+        if (import_fs13.default.existsSync(samplePath)) {
+          import_fs13.default.unlinkSync(samplePath);
           await write(samplePath, samplesYaml.data);
         }
         const tsPath = (0, import_path5.resolve)("capabilities", helloPepr.path);
-        if (import_fs12.default.existsSync(tsPath)) {
+        if (import_fs13.default.existsSync(tsPath)) {
           await write(tsPath, helloPepr.data);
         }
       }
@@ -3216,7 +3248,7 @@ var program = new RootCmd();
 if (!process.env.PEPR_NODE_WARNINGS) {
   process.removeAllListeners("warning");
 }
-program.version(version2).description(`Pepr (v${version2}) - Type safe K8s middleware for humans`).action(() => {
+program.version(version).description(`Pepr (v${version}) - Type safe K8s middleware for humans`).action(() => {
   if (program.args.length < 1) {
     console.log(banner);
     program.help();