pepr 0.45.0-nightly.0 → 0.45.0-nightly.1

package/dist/lib.js

@@ -50,8 +50,8 @@ var import_kubernetes_fluent_client8 = require("kubernetes-fluent-client");
 var R = __toESM(require("ramda"));
 
 // src/lib/core/capability.ts
-var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
-var import_ramda9 = require("ramda");
+var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
+var import_ramda2 = require("ramda");
 
 // src/lib/telemetry/logger.ts
 var import_pino = require("pino");
@@ -101,2222 +101,2222 @@ function redactedPatch(patch = {}) {
 }
 var logger_default = Log;
 
-// src/lib/core/module.ts
-var import_ramda7 = require("ramda");
-
-// src/lib/controller/index.ts
-var import_express = __toESM(require("express"));
-var import_fs = __toESM(require("fs"));
-var import_https = __toESM(require("https"));
+// src/lib/core/envChecks.ts
+var isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
+var isBuildMode = () => process.env.PEPR_MODE === "build";
+var isDevMode = () => process.env.PEPR_MODE === "dev";
 
-// src/lib/telemetry/metrics.ts
-var import_perf_hooks = require("perf_hooks");
-var import_prom_client = __toESM(require("prom-client"));
-var loggingPrefix = "MetricsCollector";
-var MetricsCollector = class {
-  #registry;
-  #counters = /* @__PURE__ */ new Map();
-  #gauges = /* @__PURE__ */ new Map();
-  #summaries = /* @__PURE__ */ new Map();
-  #prefix;
-  #cacheMissWindows = /* @__PURE__ */ new Map();
-  #metricNames = {
-    errors: "errors",
-    alerts: "alerts",
-    mutate: "mutate",
-    validate: "validate",
-    cacheMiss: "cache_miss",
-    resyncFailureCount: "resync_failure_count"
+// src/lib/core/storage.ts
+var import_ramda = require("ramda");
+var import_json_pointer = __toESM(require("json-pointer"));
+var MAX_WAIT_TIME = 15e3;
+var STORE_VERSION_PREFIX = "v2";
+function v2StoreKey(key) {
+  return `${STORE_VERSION_PREFIX}-${import_json_pointer.default.escape(key)}`;
+}
+function v2UnescapedStoreKey(key) {
+  return `${STORE_VERSION_PREFIX}-${key}`;
+}
+var Storage = class {
+  #store = {};
+  #send;
+  #subscribers = {};
+  #subscriberId = 0;
+  #readyHandlers = [];
+  registerSender = (send) => {
+    this.#send = send;
   };
-  /**
-   * Creates a MetricsCollector instance with prefixed metrics.
-   * @param [prefix='pepr'] - The prefix for the metric names.
-   */
-  constructor(prefix = "pepr") {
-    this.#registry = new import_prom_client.Registry();
-    this.#prefix = prefix;
-    this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
-    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
-    this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
-    this.addSummary(this.#metricNames.validate, "Validation operation summary");
-    this.addGauge(this.#metricNames.cacheMiss, "Number of cache misses per window", ["window"]);
-    this.addGauge(this.#metricNames.resyncFailureCount, "Number of failures per resync operation", ["count"]);
-  }
-  #getMetricName = (name2) => `${this.#prefix}_${name2}`;
-  #addMetric = (collection, MetricType, { name: name2, help, labelNames }) => {
-    if (collection.has(this.#getMetricName(name2))) {
-      logger_default.debug(`Metric for ${name2} already exists`, loggingPrefix);
-      return;
+  receive = (data) => {
+    this.#store = data || {};
+    this.#onReady();
+    for (const idx in this.#subscribers) {
+      this.#subscribers[idx]((0, import_ramda.clone)(this.#store));
     }
-    const metric = new MetricType({
-      name: this.#getMetricName(name2),
-      help,
-      registers: [this.#registry],
-      labelNames
-    });
-    collection.set(this.#getMetricName(name2), metric);
-  };
-  addCounter = (name2, help) => {
-    this.#addMetric(this.#counters, import_prom_client.default.Counter, { name: name2, help, labelNames: [] });
   };
-  addSummary = (name2, help) => {
-    this.#addMetric(this.#summaries, import_prom_client.default.Summary, { name: name2, help, labelNames: [] });
+  getItem = (key) => {
+    const result = this.#store[v2UnescapedStoreKey(key)] || null;
+    if (result !== null && typeof result !== "function" && typeof result !== "object") {
+      return result;
+    }
+    return null;
   };
-  addGauge = (name2, help, labelNames) => {
-    this.#addMetric(this.#gauges, import_prom_client.default.Gauge, { name: name2, help, labelNames });
+  clear = () => {
+    if (Object.keys(this.#store).length > 0) {
+      this.#dispatchUpdate(
+        "remove",
+        Object.keys(this.#store).map((key) => import_json_pointer.default.escape(key))
+      );
+    }
   };
-  incCounter = (name2) => {
-    this.#counters.get(this.#getMetricName(name2))?.inc();
+  removeItem = (key) => {
+    this.#dispatchUpdate("remove", [v2StoreKey(key)]);
   };
-  incGauge = (name2, labels, value = 1) => {
-    this.#gauges.get(this.#getMetricName(name2))?.inc(labels || {}, value);
+  setItem = (key, value) => {
+    this.#dispatchUpdate("add", [v2StoreKey(key)], value);
   };
   /**
-   * Increments the error counter.
+   * Creates a promise and subscribes to the store, the promise resolves when
+   * the key and value are seen in the store.
+   *
+   * @param key - The key to add into the store
+   * @param value - The value of the key
+   * @returns
    */
-  error = () => this.incCounter(this.#metricNames.errors);
+  setItemAndWait = (key, value) => {
+    this.#dispatchUpdate("add", [v2StoreKey(key)], value);
+    const record = {};
+    return new Promise((resolve, reject) => {
+      record.timeout = setTimeout(() => {
+        record.unsubscribe();
+        return reject(`MAX_WAIT_TIME elapsed: Key ${key} not seen in ${MAX_WAIT_TIME / 1e3}s`);
+      }, MAX_WAIT_TIME);
+      record.unsubscribe = this.subscribe((data) => {
+        if (data[`${v2UnescapedStoreKey(key)}`] === value) {
+          record.unsubscribe();
+          clearTimeout(record.timeout);
+          resolve("ok");
+        }
+      });
+    });
+  };
   /**
-   * Increments the alerts counter.
+   * Creates a promise and subscribes to the store, the promise resolves when
+   * the key is removed from the store.
+   *
+   * @param key - The key to add into the store
+   * @returns
    */
-  alert = () => this.incCounter(this.#metricNames.alerts);
+  removeItemAndWait = (key) => {
+    this.#dispatchUpdate("remove", [v2StoreKey(key)]);
+    const record = {};
+    return new Promise((resolve, reject) => {
+      record.timeout = setTimeout(() => {
+        record.unsubscribe();
+        return reject(`MAX_WAIT_TIME elapsed: Key ${key} still seen after ${MAX_WAIT_TIME / 1e3}s`);
+      }, MAX_WAIT_TIME);
+      record.unsubscribe = this.subscribe((data) => {
+        if (!Object.hasOwn(data, `${v2UnescapedStoreKey(key)}`)) {
+          record.unsubscribe();
+          clearTimeout(record.timeout);
+          resolve("ok");
+        }
+      });
+    });
+  };
+  subscribe = (subscriber) => {
+    const idx = this.#subscriberId++;
+    this.#subscribers[idx] = subscriber;
+    return () => this.unsubscribe(idx);
+  };
+  onReady = (callback) => {
+    this.#readyHandlers.push(callback);
+  };
   /**
-   * Observes the duration since the provided start time and updates the summary.
-   * @param startTime - The start time.
-   * @param name - The metrics summary to increment.
+   * Remove a subscriber from the list of subscribers.
+   * @param idx - The index of the subscriber to remove.
    */
-  observeEnd = (startTime, name2 = this.#metricNames.mutate) => {
-    this.#summaries.get(this.#getMetricName(name2))?.observe(import_perf_hooks.performance.now() - startTime);
+  unsubscribe = (idx) => {
+    delete this.#subscribers[idx];
+  };
+  #onReady = () => {
+    for (const handler of this.#readyHandlers) {
+      handler((0, import_ramda.clone)(this.#store));
+    }
+    this.#onReady = () => {
+    };
   };
   /**
-   * Fetches the current metrics from the registry.
-   * @returns The metrics.
+   * Dispatch an update to the store and notify all subscribers.
+   * @param  op - The type of operation to perform.
+   * @param  keys - The keys to update.
+   * @param  [value] - The new value.
    */
-  getMetrics = () => this.#registry.metrics();
+  #dispatchUpdate = (op, keys, value) => {
+    this.#send(op, keys, value);
+  };
+};
+
+// src/lib/core/schedule.ts
+var OnSchedule = class {
+  intervalId = null;
+  store;
+  name;
+  completions;
+  every;
+  unit;
+  run;
+  startTime;
+  duration;
+  lastTimestamp;
+  constructor(schedule) {
+    this.name = schedule.name;
+    this.run = schedule.run;
+    this.every = schedule.every;
+    this.unit = schedule.unit;
+    this.startTime = schedule?.startTime;
+    this.completions = schedule?.completions;
+  }
+  setStore(store) {
+    this.store = store;
+    this.startInterval();
+  }
+  startInterval() {
+    this.checkStore();
+    this.getDuration();
+    this.setupInterval();
+  }
   /**
-   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
-   * @returns The timestamp.
+   * Checks the store for this schedule and sets the values if it exists
+   * @returns
    */
-  static observeStart() {
-    return import_perf_hooks.performance.now();
+  checkStore() {
+    const result = this.store && this.store.getItem(this.name);
+    if (result) {
+      const storedSchedule = JSON.parse(result);
+      this.completions = storedSchedule?.completions;
+      this.startTime = storedSchedule?.startTime;
+      this.lastTimestamp = storedSchedule?.lastTimestamp;
+    }
   }
   /**
-   * Increments the cache miss gauge for a given label.
-   * @param label - The label for the cache miss.
+   * Saves the schedule to the store
+   * @returns
    */
-  incCacheMiss = (window) => {
-    this.incGauge(this.#metricNames.cacheMiss, { window });
-  };
+  saveToStore() {
+    const schedule = {
+      completions: this.completions,
+      startTime: this.startTime,
+      lastTimestamp: /* @__PURE__ */ new Date(),
+      name: this.name
+    };
+    if (this.store) this.store.setItem(this.name, JSON.stringify(schedule));
+  }
   /**
-   * Increments the retry count gauge.
-   * @param count - The count to increment by.
+   * Gets the durations in milliseconds
    */
-  incRetryCount = (count) => {
-    this.incGauge(this.#metricNames.resyncFailureCount, { count });
-  };
+  getDuration() {
+    switch (this.unit) {
+      case "seconds":
+        if (this.every < 10) throw new Error("10 Seconds in the smallest interval allowed");
+        this.duration = 1e3 * this.every;
+        break;
+      case "minutes":
+      case "minute":
+        this.duration = 1e3 * 60 * this.every;
+        break;
+      case "hours":
+      case "hour":
+        this.duration = 1e3 * 60 * 60 * this.every;
+        break;
+      default:
+        throw new Error("Invalid time unit");
+    }
+  }
   /**
-   * Initializes the cache miss gauge for a given label.
-   * @param label - The label for the cache miss.
+   * Sets up the interval
    */
-  initCacheMissWindow = (window) => {
-    this.#rollCacheMissWindows();
-    this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.set({ window }, 0);
-    this.#cacheMissWindows.set(window, 0);
-  };
+  setupInterval() {
+    const now = /* @__PURE__ */ new Date();
+    let delay;
+    if (this.lastTimestamp && this.startTime) {
+      this.startTime = void 0;
+    }
+    if (this.startTime) {
+      delay = this.startTime.getTime() - now.getTime();
+    } else if (this.lastTimestamp && this.duration) {
+      const lastTimestamp = new Date(this.lastTimestamp);
+      delay = this.duration - (now.getTime() - lastTimestamp.getTime());
+    }
+    if (delay === void 0 || delay <= 0) {
+      this.start();
+    } else {
+      setTimeout(() => {
+        this.start();
+      }, delay);
+    }
+  }
   /**
-   * Manages the size of the cache miss gauge map.
+   * Starts the interval
    */
-  #rollCacheMissWindows = () => {
-    const maxCacheMissWindows = process.env.PEPR_MAX_CACHE_MISS_WINDOWS ? parseInt(process.env.PEPR_MAX_CACHE_MISS_WINDOWS, 10) : void 0;
-    if (maxCacheMissWindows !== void 0 && this.#cacheMissWindows.size >= maxCacheMissWindows) {
-      const firstKey = this.#cacheMissWindows.keys().next().value;
-      if (firstKey !== void 0) {
-        this.#cacheMissWindows.delete(firstKey);
+  start() {
+    this.intervalId = setInterval(() => {
+      if (this.completions === 0) {
+        this.stop();
+        return;
+      } else {
+        this.run();
+        if (this.completions && this.completions !== 0) {
+          this.completions -= 1;
+        }
+        this.saveToStore();
       }
-      this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.remove({ window: firstKey });
-    }
-  };
-};
-var metricsCollector = new MetricsCollector("pepr");
-
-// src/lib/processors/mutate-processor.ts
-var import_fast_json_patch = __toESM(require("fast-json-patch"));
-var import_ramda4 = require("ramda");
-
-// src/lib/telemetry/timeUtils.ts
-var getNow = () => performance.now();
-
-// src/lib/telemetry/webhookTimeouts.ts
-var MeasureWebhookTimeout = class {
-  #startTime = null;
-  #webhookType;
-  timeout = 0;
-  constructor(webhookType) {
-    this.#webhookType = webhookType;
-    metricsCollector.addCounter(`${webhookType}_timeouts`, `Number of ${webhookType} webhook timeouts`);
-  }
-  start(timeout = 10) {
-    this.#startTime = getNow();
-    this.timeout = timeout;
-    logger_default.info(`Starting timer at ${this.#startTime}`);
+    }, this.duration);
   }
+  /**
+   * Stops the interval
+   */
   stop() {
-    if (this.#startTime === null) {
-      throw new Error("Timer was not started before calling stop.");
-    }
-    const elapsedTime = getNow() - this.#startTime;
-    logger_default.info(`Webhook ${this.#startTime} took ${elapsedTime}ms`);
-    this.#startTime = null;
-    if (elapsedTime > this.timeout) {
-      metricsCollector.incCounter(`${this.#webhookType}_timeouts`);
+    if (this.intervalId) {
+      clearInterval(this.intervalId);
+      this.intervalId = null;
     }
+    if (this.store) this.store.removeItem(this.name);
   }
 };
 
-// src/lib/filter/adjudicators/adjudicators.ts
-var import_ramda = require("ramda");
-var declaredOperation = (0, import_ramda.pipe)(
-  (request) => request?.operation,
-  (0, import_ramda.defaultTo)("")
-);
-var declaredGroup = (0, import_ramda.pipe)(
-  (request) => request?.kind?.group,
-  (0, import_ramda.defaultTo)("")
-);
-var declaredVersion = (0, import_ramda.pipe)(
-  (request) => request?.kind?.version,
-  (0, import_ramda.defaultTo)("")
-);
-var declaredKind = (0, import_ramda.pipe)(
-  (request) => request?.kind?.kind,
-  (0, import_ramda.defaultTo)("")
-);
-var declaredUid = (0, import_ramda.pipe)((request) => request?.uid, (0, import_ramda.defaultTo)(""));
-var carriesDeletionTimestamp = (0, import_ramda.pipe)(
-  (kubernetesObject) => !!kubernetesObject.metadata?.deletionTimestamp,
-  (0, import_ramda.defaultTo)(false)
-);
-var missingDeletionTimestamp = (0, import_ramda.complement)(carriesDeletionTimestamp);
-var carriedKind = (0, import_ramda.pipe)(
-  (kubernetesObject) => kubernetesObject?.kind,
-  (0, import_ramda.defaultTo)("not set")
-);
-var carriedVersion = (0, import_ramda.pipe)(
-  (kubernetesObject) => kubernetesObject?.metadata?.resourceVersion,
-  (0, import_ramda.defaultTo)("not set")
-);
-var carriedName = (0, import_ramda.pipe)(
-  (kubernetesObject) => kubernetesObject?.metadata?.name,
-  (0, import_ramda.defaultTo)("")
-);
-var carriesName = (0, import_ramda.pipe)(carriedName, (0, import_ramda.equals)(""), import_ramda.not);
-var missingName = (0, import_ramda.complement)(carriesName);
-var carriedNamespace = (0, import_ramda.pipe)(
-  (kubernetesObject) => kubernetesObject?.metadata?.namespace,
-  (0, import_ramda.defaultTo)("")
-);
-var carriesNamespace = (0, import_ramda.pipe)(carriedNamespace, (0, import_ramda.equals)(""), import_ramda.not);
-var carriedAnnotations = (0, import_ramda.pipe)(
-  (kubernetesObject) => kubernetesObject?.metadata?.annotations,
-  (0, import_ramda.defaultTo)({})
-);
-var carriesAnnotations = (0, import_ramda.pipe)(carriedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
-var carriedLabels = (0, import_ramda.pipe)(
-  (kubernetesObject) => kubernetesObject?.metadata?.labels,
-  (0, import_ramda.defaultTo)({})
-);
-var carriesLabels = (0, import_ramda.pipe)(carriedLabels, (0, import_ramda.equals)({}), import_ramda.not);
-var definesDeletionTimestamp = (0, import_ramda.pipe)(
-  (binding) => binding?.filters?.deletionTimestamp ?? false,
-  (0, import_ramda.defaultTo)(false)
-);
-var ignoresDeletionTimestamp = (0, import_ramda.complement)(definesDeletionTimestamp);
-var definedName = (0, import_ramda.pipe)((binding) => {
-  return binding.filters.name;
-}, (0, import_ramda.defaultTo)(""));
-var definesName = (0, import_ramda.pipe)(definedName, (0, import_ramda.equals)(""), import_ramda.not);
-var ignoresName = (0, import_ramda.complement)(definesName);
-var definedNameRegex = (0, import_ramda.pipe)(
-  (binding) => binding.filters?.regexName,
-  (0, import_ramda.defaultTo)("")
-);
-var definesNameRegex = (0, import_ramda.pipe)(definedNameRegex, (0, import_ramda.equals)(""), import_ramda.not);
-var definedNamespaces = (0, import_ramda.pipe)((binding) => binding?.filters?.namespaces, (0, import_ramda.defaultTo)([]));
-var definesNamespaces = (0, import_ramda.pipe)(definedNamespaces, (0, import_ramda.equals)([]), import_ramda.not);
-var definedNamespaceRegexes = (0, import_ramda.pipe)((binding) => binding?.filters?.regexNamespaces, (0, import_ramda.defaultTo)([]));
-var definesNamespaceRegexes = (0, import_ramda.pipe)(definedNamespaceRegexes, (0, import_ramda.equals)([]), import_ramda.not);
-var definedAnnotations = (0, import_ramda.pipe)((binding) => binding?.filters?.annotations, (0, import_ramda.defaultTo)({}));
-var definesAnnotations = (0, import_ramda.pipe)(definedAnnotations, (0, import_ramda.equals)({}), import_ramda.not);
-var definedLabels = (0, import_ramda.pipe)((binding) => binding?.filters?.labels, (0, import_ramda.defaultTo)({}));
-var definesLabels = (0, import_ramda.pipe)(definedLabels, (0, import_ramda.equals)({}), import_ramda.not);
-var definedEvent = (binding) => {
-  return binding.event;
-};
-var definesDelete = (0, import_ramda.pipe)(definedEvent, (0, import_ramda.equals)("DELETE" /* DELETE */));
-var definedGroup = (0, import_ramda.pipe)((binding) => binding?.kind?.group, (0, import_ramda.defaultTo)(""));
-var definesGroup = (0, import_ramda.pipe)(definedGroup, (0, import_ramda.equals)(""), import_ramda.not);
-var definedVersion = (0, import_ramda.pipe)(
-  (binding) => binding?.kind?.version,
-  (0, import_ramda.defaultTo)("")
-);
-var definesVersion = (0, import_ramda.pipe)(definedVersion, (0, import_ramda.equals)(""), import_ramda.not);
-var definedKind = (0, import_ramda.pipe)((binding) => binding?.kind?.kind, (0, import_ramda.defaultTo)(""));
-var definesKind = (0, import_ramda.pipe)(definedKind, (0, import_ramda.equals)(""), import_ramda.not);
-var definedCallback = (binding) => {
-  return binding.isFinalize ? binding.finalizeCallback : binding.isWatch ? binding.watchCallback : binding.isMutate ? binding.mutateCallback : binding.isValidate ? binding.validateCallback : null;
-};
-var definedCallbackName = (0, import_ramda.pipe)(definedCallback, (0, import_ramda.defaultTo)({ name: "" }), (callback) => callback.name);
-var mismatchedDeletionTimestamp = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesDeletionTimestamp),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), missingDeletionTimestamp)
-]);
-var mismatchedName = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesName),
-  (0, import_ramda.pipe)((binding, kubernetesObject) => definedName(binding) !== carriedName(kubernetesObject))
-]);
-var mismatchedNameRegex = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNameRegex),
-  (0, import_ramda.pipe)((binding, kubernetesObject) => new RegExp(definedNameRegex(binding)).test(carriedName(kubernetesObject)), import_ramda.not)
-]);
-var bindsToKind = (0, import_ramda.curry)(
-  (0, import_ramda.allPass)([(0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definedKind, (0, import_ramda.equals)(""), import_ramda.not), (0, import_ramda.pipe)((binding, kind3) => definedKind(binding) === kind3)])
-);
-var bindsToNamespace = (0, import_ramda.curry)((0, import_ramda.pipe)(bindsToKind(import_ramda.__, "Namespace")));
-var misboundNamespace = (0, import_ramda.allPass)([bindsToNamespace, definesNamespaces]);
-var mismatchedNamespace = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNamespaces),
-  (0, import_ramda.pipe)((binding, kubernetesObject) => definedNamespaces(binding).includes(carriedNamespace(kubernetesObject)), import_ramda.not)
-]);
-var mismatchedNamespaceRegex = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesNamespaceRegexes),
-  (0, import_ramda.pipe)(
-    (binding, kubernetesObject) => (0, import_ramda.pipe)(
-      (0, import_ramda.any)((regEx) => new RegExp(regEx).test(carriedNamespace(kubernetesObject))),
-      import_ramda.not
-    )(definedNamespaceRegexes(binding))
-  )
-]);
-var metasMismatch = (0, import_ramda.pipe)(
-  (defined, carried) => {
-    const result = { defined, carried, unalike: {} };
-    result.unalike = Object.entries(result.defined).map(([key, value]) => {
-      const keyMissing = !Object.hasOwn(result.carried, key);
-      const noValue = !value;
-      const valMissing = !result.carried[key];
-      const valDiffers = result.carried[key] !== result.defined[key];
-      return keyMissing ? { [key]: value } : noValue ? {} : valMissing ? { [key]: value } : valDiffers ? { [key]: value } : {};
-    }).reduce((acc, cur) => ({ ...acc, ...cur }), {});
-    return result.unalike;
-  },
-  (unalike) => Object.keys(unalike).length > 0
-);
-var mismatchedAnnotations = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesAnnotations),
-  (0, import_ramda.pipe)((binding, kubernetesObject) => metasMismatch(definedAnnotations(binding), carriedAnnotations(kubernetesObject)))
-]);
-var mismatchedLabels = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesLabels),
-  (0, import_ramda.pipe)((binding, kubernetesObject) => metasMismatch(definedLabels(binding), carriedLabels(kubernetesObject)))
-]);
-var uncarryableNamespace = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((namespaceSelector, kubernetesObject) => {
-    if (kubernetesObject?.kind === "Namespace") {
-      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
-    }
-    if (carriesNamespace(kubernetesObject)) {
-      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
-    }
-    return true;
-  }, import_ramda.not)
-]);
-var missingCarriableNamespace = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)(
-    (namespaceSelector, kubernetesObject) => kubernetesObject.kind === "Namespace" ? !namespaceSelector.includes(kubernetesObject.metadata.name) : !carriesNamespace(kubernetesObject)
-  )
-]);
-var carriesIgnoredNamespace = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((namespaceSelector, kubernetesObject) => {
-    if (kubernetesObject?.kind === "Namespace") {
-      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+// src/lib/finalizer.ts
+var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
+function addFinalizer(request) {
+  if (request.Request.operation === "DELETE" /* DELETE */) {
+    return;
+  }
+  if (request.Request.operation === "UPDATE" /* UPDATE */ && request.Raw.metadata?.deletionTimestamp) {
+    return;
+  }
+  const peprFinal = "pepr.dev/finalizer";
+  const finalizers = request.Raw.metadata?.finalizers || [];
+  if (!finalizers.includes(peprFinal)) {
+    finalizers.push(peprFinal);
+  }
+  request.Merge({ metadata: { finalizers } });
+}
+async function removeFinalizer(binding, obj) {
+  const peprFinal = "pepr.dev/finalizer";
+  const meta = obj.metadata;
+  const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
+  logger_default.debug({ obj }, `Removing finalizer '${peprFinal}' from '${resource}'`);
+  const { model, kind: kind3 } = binding;
+  try {
+    (0, import_kubernetes_fluent_client.RegisterKind)(model, kind3);
+  } catch (e) {
+    const expected = e.message === `GVK ${model.name} already registered`;
+    if (!expected) {
+      logger_default.error({ model, kind: kind3, error: e }, `Error registering "${kind3}" during finalization.`);
+      return;
     }
-    if (carriesNamespace(kubernetesObject)) {
-      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+  }
+  const finalizers = meta.finalizers?.filter((f) => f !== peprFinal) || [];
+  obj = await (0, import_kubernetes_fluent_client.K8s)(model, meta).Patch([
+    {
+      op: "replace",
+      path: `/metadata/finalizers`,
+      value: finalizers
     }
-    return false;
-  })
-]);
-var unbindableNamespaces = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), import_ramda.length, (0, import_ramda.gt)(import_ramda.__, 0)),
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), definesNamespaces),
-  (0, import_ramda.pipe)(
-    (namespaceSelector, binding) => (0, import_ramda.difference)(definedNamespaces(binding), namespaceSelector),
-    import_ramda.length,
-    (0, import_ramda.equals)(0),
-    import_ramda.not
-  )
-]);
-var misboundDeleteWithDeletionTimestamp = (0, import_ramda.allPass)([definesDelete, definesDeletionTimestamp]);
-var operationMatchesEvent = (0, import_ramda.anyPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(1), (0, import_ramda.equals)("*" /* ANY */)),
-  (0, import_ramda.pipe)((operation, event) => operation.valueOf() === event.valueOf()),
-  (0, import_ramda.pipe)((operation, event) => operation ? event.includes(operation) : false)
-]);
-var mismatchedEvent = (0, import_ramda.pipe)(
-  (binding, request) => operationMatchesEvent(declaredOperation(request), definedEvent(binding)),
-  import_ramda.not
-);
-var mismatchedGroup = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesGroup),
-  (0, import_ramda.pipe)((binding, request) => definedGroup(binding) !== declaredGroup(request))
-]);
-var mismatchedVersion = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesVersion),
-  (0, import_ramda.pipe)((binding, request) => definedVersion(binding) !== declaredVersion(request))
-]);
-var mismatchedKind = (0, import_ramda.allPass)([
-  (0, import_ramda.pipe)((0, import_ramda.nthArg)(0), definesKind),
-  (0, import_ramda.pipe)((binding, request) => definedKind(binding) !== declaredKind(request))
-]);
+  ]);
+  logger_default.debug({ obj }, `Removed finalizer '${peprFinal}' from '${resource}'`);
+}
 
-// src/lib/filter/filter.ts
-function shouldSkipRequest(binding, req, capabilityNamespaces, ignoredNamespaces) {
-  const obj = req.operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
-  const prefix = "Ignoring Admission Callback:";
-  const adjudicators = [
-    () => adjudicateMisboundDeleteWithDeletionTimestamp(binding),
-    () => adjudicateMismatchedDeletionTimestamp(binding, obj),
-    () => adjudicateMismatchedEvent(binding, req),
-    () => adjudicateMismatchedName(binding, obj),
-    () => adjudicateMismatchedGroup(binding, req),
-    () => adjudicateMismatchedVersion(binding, req),
-    () => adjudicateMismatchedKind(binding, req),
-    () => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
-    () => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
-    () => adjudicateMismatchedNamespace(binding, obj),
-    () => adjudicateMismatchedLabels(binding, obj),
-    () => adjudicateMismatchedAnnotations(binding, obj),
-    () => adjudicateMismatchedNamespaceRegex(binding, obj),
-    () => adjudicateMismatchedNameRegex(binding, obj),
-    () => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
-    () => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj)
-  ];
-  for (const adjudicator of adjudicators) {
-    const result = adjudicator();
-    if (result) {
-      return `${prefix} ${result}`;
+// src/lib/core/capability.ts
+var registerAdmission = isBuildMode() || !isWatchMode();
+var registerWatch = isBuildMode() || isWatchMode() || isDevMode();
+var Capability = class {
+  #name;
+  #description;
+  #namespaces;
+  #bindings = [];
+  #store = new Storage();
+  #scheduleStore = new Storage();
+  #registered = false;
+  #scheduleRegistered = false;
+  hasSchedule;
+  /**
+   * Run code on a schedule with the capability.
+   *
+   * @param schedule The schedule to run the code on
+   * @returns
+   */
+  OnSchedule = (schedule) => {
+    const { name: name2, every, unit, run, startTime, completions } = schedule;
+    this.hasSchedule = true;
+    if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") {
+      const newSchedule = {
+        name: name2,
+        every,
+        unit,
+        run,
+        startTime,
+        completions
+      };
+      this.#scheduleStore.onReady(() => {
+        new OnSchedule(newSchedule).setStore(this.#scheduleStore);
+      });
     }
+  };
+  getScheduleStore() {
+    return this.#scheduleStore;
   }
-  return "";
-}
-function filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces) {
-  const prefix = "Ignoring Watch Callback:";
-  const adjudicators = [
-    () => adjudicateMismatchedDeletionTimestamp(binding, obj),
-    () => adjudicateMismatchedName(binding, obj),
-    () => adjudicateMisboundNamespace(binding),
-    () => adjudicateMismatchedLabels(binding, obj),
-    () => adjudicateMismatchedAnnotations(binding, obj),
-    () => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
-    () => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
-    () => adjudicateMismatchedNamespace(binding, obj),
-    () => adjudicateMismatchedNamespaceRegex(binding, obj),
-    () => adjudicateMismatchedNameRegex(binding, obj),
-    () => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
-    () => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj)
-  ];
-  for (const adjudicator of adjudicators) {
-    const result = adjudicator();
-    if (result) {
-      return `${prefix} ${result}`;
-    }
+  /**
+   * Store is a key-value data store that can be used to persist data that should be shared
+   * between requests. Each capability has its own store, and the data is persisted in Kubernetes
+   * in the `pepr-system` namespace.
+   *
+   * Note: You should only access the store from within an action.
+   */
+  Store = {
+    clear: this.#store.clear,
+    getItem: this.#store.getItem,
+    removeItem: this.#store.removeItem,
+    removeItemAndWait: this.#store.removeItemAndWait,
+    setItem: this.#store.setItem,
+    subscribe: this.#store.subscribe,
+    onReady: this.#store.onReady,
+    setItemAndWait: this.#store.setItemAndWait
+  };
+  /**
+   * ScheduleStore is a key-value data store used to persist schedule data that should be shared
+   * between intervals. Each Schedule shares store, and the data is persisted in Kubernetes
+   * in the `pepr-system` namespace.
+   *
+   * Note: There is no direct access to schedule store
+   */
+  ScheduleStore = {
+    clear: this.#scheduleStore.clear,
+    getItem: this.#scheduleStore.getItem,
+    removeItemAndWait: this.#scheduleStore.removeItemAndWait,
+    removeItem: this.#scheduleStore.removeItem,
+    setItemAndWait: this.#scheduleStore.setItemAndWait,
+    setItem: this.#scheduleStore.setItem,
+    subscribe: this.#scheduleStore.subscribe,
+    onReady: this.#scheduleStore.onReady
+  };
+  get bindings() {
+    return this.#bindings;
   }
-  return "";
-}
-function adjudicateMisboundNamespace(binding) {
-  return misboundNamespace(binding) ? "Cannot use namespace filter on a namespace object." : null;
-}
-function adjudicateMisboundDeleteWithDeletionTimestamp(binding) {
-  return misboundDeleteWithDeletionTimestamp(binding) ? "Cannot use deletionTimestamp filter on a DELETE operation." : null;
-}
-function adjudicateMismatchedDeletionTimestamp(binding, obj) {
-  return mismatchedDeletionTimestamp(binding, obj) ? "Binding defines deletionTimestamp but Object does not carry it." : null;
-}
-function adjudicateMismatchedEvent(binding, req) {
-  return mismatchedEvent(binding, req) ? `Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.` : null;
-}
-function adjudicateMismatchedName(binding, obj) {
-  return mismatchedName(binding, obj) ? `Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` : null;
-}
-function adjudicateMismatchedGroup(binding, req) {
-  return mismatchedGroup(binding, req) ? `Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.` : null;
-}
-function adjudicateMismatchedVersion(binding, req) {
-  return mismatchedVersion(binding, req) ? `Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.` : null;
-}
-function adjudicateMismatchedKind(binding, req) {
-  return mismatchedKind(binding, req) ? `Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.` : null;
-}
-function adjudicateUnbindableNamespaces(capabilityNamespaces, binding) {
-  return unbindableNamespaces(capabilityNamespaces, binding) ? `Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
-}
-function adjudicateUncarryableNamespace(capabilityNamespaces, obj) {
-  return uncarryableNamespace(capabilityNamespaces, obj) ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
-}
-function adjudicateMismatchedNamespace(binding, obj) {
-  return mismatchedNamespace(binding, obj) ? `Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.` : null;
-}
-function adjudicateMismatchedLabels(binding, obj) {
-  return mismatchedLabels(binding, obj) ? `Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.` : null;
-}
-function adjudicateMismatchedAnnotations(binding, obj) {
-  return mismatchedAnnotations(binding, obj) ? `Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.` : null;
-}
-function adjudicateMismatchedNamespaceRegex(binding, obj) {
-  return mismatchedNamespaceRegex(binding, obj) ? `Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.` : null;
-}
-function adjudicateMismatchedNameRegex(binding, obj) {
-  return mismatchedNameRegex(binding, obj) ? `Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.` : null;
-}
-function adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj) {
-  return carriesIgnoredNamespace(ignoredNamespaces, obj) ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : null;
-}
-function adjudicateMissingCarriableNamespace(capabilityNamespaces, obj) {
-  return missingCarriableNamespace(capabilityNamespaces, obj) ? `Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
-}
-
-// src/lib/mutate-request.ts
-var import_ramda2 = require("ramda");
-var PeprMutateRequest = class {
-  Raw;
-  #input;
-  get PermitSideEffects() {
-    return !this.#input.dryRun;
+  get name() {
+    return this.#name;
   }
-  get IsDryRun() {
-    return this.#input.dryRun;
+  get description() {
+    return this.#description;
   }
-  get OldResource() {
-    return this.#input.oldObject;
+  get namespaces() {
+    return this.#namespaces || [];
   }
-  get Request() {
-    return this.#input;
+  constructor(cfg) {
+    this.#name = cfg.name;
+    this.#description = cfg.description;
+    this.#namespaces = cfg.namespaces;
+    this.hasSchedule = false;
+    logger_default.info(`Capability ${this.#name} registered`);
+    logger_default.debug(cfg);
   }
-  constructor(input) {
-    this.#input = input;
-    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda2.clone)(input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda2.clone)(input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("Unable to load the request object into PeprRequest.Raw");
+  /**
+   * Register the store with the capability. This is called automatically by the Pepr controller.
+   */
+  registerScheduleStore = () => {
+    logger_default.info(`Registering schedule store for ${this.#name}`);
+    if (this.#scheduleRegistered) {
+      throw new Error(`Schedule store already registered for ${this.#name}`);
     }
-  }
-  Merge = (obj) => {
-    this.Raw = (0, import_ramda2.mergeDeepRight)(this.Raw, obj);
-  };
-  SetLabel = (key, value) => {
-    const ref = this.Raw;
-    ref.metadata = ref.metadata ?? {};
-    ref.metadata.labels = ref.metadata.labels ?? {};
-    ref.metadata.labels[key] = value;
-    return this;
-  };
-  SetAnnotation = (key, value) => {
-    const ref = this.Raw;
-    ref.metadata = ref.metadata ?? {};
-    ref.metadata.annotations = ref.metadata.annotations ?? {};
-    ref.metadata.annotations[key] = value;
-    return this;
+    this.#scheduleRegistered = true;
+    return this.#scheduleStore;
   };
-  RemoveLabel = (key) => {
-    if (this.Raw.metadata?.labels?.[key]) {
-      delete this.Raw.metadata.labels[key];
+  /**
+   * Register the store with the capability. This is called automatically by the Pepr controller.
+   *
+   * @param store
+   */
+  registerStore = () => {
+    logger_default.info(`Registering store for ${this.#name}`);
+    if (this.#registered) {
+      throw new Error(`Store already registered for ${this.#name}`);
     }
-    return this;
+    this.#registered = true;
+    return this.#store;
   };
-  RemoveAnnotation = (key) => {
-    if (this.Raw.metadata?.annotations?.[key]) {
-      delete this.Raw.metadata.annotations[key];
+  /**
+   * The When method is used to register a action to be executed when a Kubernetes resource is
+   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
+   * filters that are applied.
+   *
+   * @param model the KubernetesObject model to match
+   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
+   * @returns
+   */
+  When = (model, kind3) => {
+    const matchedKind = (0, import_kubernetes_fluent_client2.modelToGroupVersionKind)(model.name);
+    if (!matchedKind && !kind3) {
+      throw new Error(`Kind not specified for ${model.name}`);
+    }
+    const binding = {
+      model,
+      // If the kind is not specified, use the matched kind from the model
+      kind: kind3 || matchedKind,
+      event: "*" /* ANY */,
+      filters: {
+        name: "",
+        namespaces: [],
+        regexNamespaces: [],
+        regexName: "",
+        labels: {},
+        annotations: {},
+        deletionTimestamp: false
+      }
+    };
+    const bindings = this.#bindings;
+    const prefix = `${this.#name}: ${model.name}`;
+    const commonChain = { WithLabel, WithAnnotation, WithDeletionTimestamp, Mutate, Validate, Watch, Reconcile, Alias };
+    const isNotEmpty = (value) => Object.keys(value).length > 0;
+    const log = (message, cbString) => {
+      const filteredObj = (0, import_ramda2.pickBy)(isNotEmpty, binding.filters);
+      logger_default.info(`${message} configured for ${binding.event}`, prefix);
+      logger_default.info(filteredObj, prefix);
+      logger_default.debug(cbString, prefix);
+    };
+    function Validate(validateCallback) {
+      if (registerAdmission) {
+        log("Validate Action", validateCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
+        bindings.push({
+          ...binding,
+          isValidate: true,
+          validateCallback: async (req, logger = aliasLogger) => {
+            logger_default.info(`Executing validate action with alias: ${binding.alias || "no alias provided"}`);
+            return await validateCallback(req, logger);
+          }
+        });
+      }
+      return { Watch, Reconcile };
+    }
+    function Mutate(mutateCallback) {
+      if (registerAdmission) {
+        log("Mutate Action", mutateCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
+        bindings.push({
+          ...binding,
+          isMutate: true,
+          mutateCallback: async (req, logger = aliasLogger) => {
+            logger_default.info(`Executing mutation action with alias: ${binding.alias || "no alias provided"}`);
+            await mutateCallback(req, logger);
+          }
+        });
+      }
+      return { Watch, Validate, Reconcile };
+    }
+    function Watch(watchCallback) {
+      if (registerWatch) {
+        log("Watch Action", watchCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
+        bindings.push({
+          ...binding,
+          isWatch: true,
+          watchCallback: async (update, phase, logger = aliasLogger) => {
+            logger_default.info(`Executing watch action with alias: ${binding.alias || "no alias provided"}`);
+            await watchCallback(update, phase, logger);
+          }
+        });
+      }
+      return { Finalize };
+    }
+    function Reconcile(reconcileCallback) {
+      if (registerWatch) {
+        log("Reconcile Action", reconcileCallback.toString());
+        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
+        bindings.push({
+          ...binding,
+          isWatch: true,
+          isQueue: true,
+          watchCallback: async (update, phase, logger = aliasLogger) => {
+            logger_default.info(`Executing reconcile action with alias: ${binding.alias || "no alias provided"}`);
+            await reconcileCallback(update, phase, logger);
+          }
+        });
+      }
+      return { Finalize };
+    }
+    function Finalize(finalizeCallback) {
+      log("Finalize Action", finalizeCallback.toString());
+      const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
+      if (registerAdmission) {
+        const mutateBinding = {
+          ...binding,
+          isMutate: true,
+          isFinalize: true,
+          event: "*" /* ANY */,
+          mutateCallback: addFinalizer
+        };
+        bindings.push(mutateBinding);
+      }
+      if (registerWatch) {
+        const watchBinding = {
+          ...binding,
+          isWatch: true,
+          isFinalize: true,
+          event: "UPDATE" /* UPDATE */,
+          finalizeCallback: async (update, logger = aliasLogger) => {
+            logger_default.info(`Executing finalize action with alias: ${binding.alias || "no alias provided"}`);
+            return await finalizeCallback(update, logger);
+          }
+        };
+        bindings.push(watchBinding);
+      }
+    }
+    function InNamespace(...namespaces) {
+      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
+      binding.filters.namespaces.push(...namespaces);
+      return { ...commonChain, WithName, WithNameRegex };
+    }
+    function InNamespaceRegex(...namespaces) {
+      logger_default.debug(`Add regex namespaces filter ${namespaces}`, prefix);
+      binding.filters.regexNamespaces.push(...namespaces.map((regex) => regex.source));
+      return { ...commonChain, WithName, WithNameRegex };
+    }
+    function WithDeletionTimestamp() {
+      logger_default.debug("Add deletionTimestamp filter");
+      binding.filters.deletionTimestamp = true;
+      return commonChain;
+    }
+    function WithNameRegex(regexName) {
+      logger_default.debug(`Add regex name filter ${regexName}`, prefix);
+      binding.filters.regexName = regexName.source;
+      return commonChain;
+    }
+    function WithName(name2) {
+      logger_default.debug(`Add name filter ${name2}`, prefix);
+      binding.filters.name = name2;
+      return commonChain;
+    }
+    function WithLabel(key, value = "") {
+      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
+      binding.filters.labels[key] = value;
+      return commonChain;
+    }
+    function WithAnnotation(key, value = "") {
+      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
+      binding.filters.annotations[key] = value;
+      return commonChain;
+    }
+    function Alias(alias) {
+      logger_default.debug(`Adding prefix alias ${alias}`, prefix);
+      binding.alias = alias;
+      return commonChain;
+    }
+    function bindEvent(event) {
+      binding.event = event;
+      return {
+        ...commonChain,
+        InNamespace,
+        InNamespaceRegex,
+        WithName,
+        WithNameRegex,
+        WithDeletionTimestamp,
+        Alias
+      };
+    }
+    return {
+      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CREATE_OR_UPDATE */),
+      IsCreated: () => bindEvent("CREATE" /* CREATE */),
+      IsUpdated: () => bindEvent("UPDATE" /* UPDATE */),
+      IsDeleted: () => bindEvent("DELETE" /* DELETE */)
+    };
+  };
+};
+
+// src/lib/core/module.ts
+var import_ramda9 = require("ramda");
+
+// src/lib/controller/index.ts
+var import_express = __toESM(require("express"));
+var import_fs = __toESM(require("fs"));
+var import_https = __toESM(require("https"));
+
+// src/lib/telemetry/metrics.ts
+var import_perf_hooks = require("perf_hooks");
+var import_prom_client = __toESM(require("prom-client"));
+var loggingPrefix = "MetricsCollector";
+var MetricsCollector = class {
+  #registry;
+  #counters = /* @__PURE__ */ new Map();
+  #gauges = /* @__PURE__ */ new Map();
+  #summaries = /* @__PURE__ */ new Map();
+  #prefix;
+  #cacheMissWindows = /* @__PURE__ */ new Map();
+  #metricNames = {
+    errors: "errors",
+    alerts: "alerts",
+    mutate: "mutate",
+    validate: "validate",
+    cacheMiss: "cache_miss",
+    resyncFailureCount: "resync_failure_count"
+  };
+  /**
+   * Creates a MetricsCollector instance with prefixed metrics.
+   * @param [prefix='pepr'] - The prefix for the metric names.
+   */
+  constructor(prefix = "pepr") {
+    this.#registry = new import_prom_client.Registry();
+    this.#prefix = prefix;
+    this.addCounter(this.#metricNames.errors, "Mutation/Validate errors encountered");
+    this.addCounter(this.#metricNames.alerts, "Mutation/Validate bad api token received");
+    this.addSummary(this.#metricNames.mutate, "Mutation operation summary");
+    this.addSummary(this.#metricNames.validate, "Validation operation summary");
+    this.addGauge(this.#metricNames.cacheMiss, "Number of cache misses per window", ["window"]);
+    this.addGauge(this.#metricNames.resyncFailureCount, "Number of failures per resync operation", ["count"]);
+  }
+  #getMetricName = (name2) => `${this.#prefix}_${name2}`;
+  #addMetric = (collection, MetricType, { name: name2, help, labelNames }) => {
+    if (collection.has(this.#getMetricName(name2))) {
+      logger_default.debug(`Metric for ${name2} already exists`, loggingPrefix);
+      return;
+    }
+    const metric = new MetricType({
+      name: this.#getMetricName(name2),
+      help,
+      registers: [this.#registry],
+      labelNames
+    });
+    collection.set(this.#getMetricName(name2), metric);
+  };
+  addCounter = (name2, help) => {
+    this.#addMetric(this.#counters, import_prom_client.default.Counter, { name: name2, help, labelNames: [] });
+  };
+  addSummary = (name2, help) => {
+    this.#addMetric(this.#summaries, import_prom_client.default.Summary, { name: name2, help, labelNames: [] });
+  };
+  addGauge = (name2, help, labelNames) => {
+    this.#addMetric(this.#gauges, import_prom_client.default.Gauge, { name: name2, help, labelNames });
+  };
+  incCounter = (name2) => {
+    this.#counters.get(this.#getMetricName(name2))?.inc();
+  };
+  incGauge = (name2, labels, value = 1) => {
+    this.#gauges.get(this.#getMetricName(name2))?.inc(labels || {}, value);
+  };
+  /**
+   * Increments the error counter.
+   */
+  error = () => this.incCounter(this.#metricNames.errors);
+  /**
+   * Increments the alerts counter.
+   */
+  alert = () => this.incCounter(this.#metricNames.alerts);
+  /**
+   * Observes the duration since the provided start time and updates the summary.
+   * @param startTime - The start time.
+   * @param name - The metrics summary to increment.
+   */
+  observeEnd = (startTime, name2 = this.#metricNames.mutate) => {
+    this.#summaries.get(this.#getMetricName(name2))?.observe(import_perf_hooks.performance.now() - startTime);
+  };
+  /**
+   * Fetches the current metrics from the registry.
+   * @returns The metrics.
+   */
+  getMetrics = () => this.#registry.metrics();
+  /**
+   * Returns the current timestamp from performance.now() method. Useful for start timing an operation.
+   * @returns The timestamp.
+   */
+  static observeStart() {
+    return import_perf_hooks.performance.now();
+  }
+  /**
+   * Increments the cache miss gauge for a given label.
+   * @param label - The label for the cache miss.
+   */
+  incCacheMiss = (window) => {
+    this.incGauge(this.#metricNames.cacheMiss, { window });
+  };
+  /**
+   * Increments the retry count gauge.
+   * @param count - The count to increment by.
+   */
+  incRetryCount = (count) => {
+    this.incGauge(this.#metricNames.resyncFailureCount, { count });
+  };
+  /**
+   * Initializes the cache miss gauge for a given label.
+   * @param label - The label for the cache miss.
+   */
+  initCacheMissWindow = (window) => {
+    this.#rollCacheMissWindows();
+    this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.set({ window }, 0);
+    this.#cacheMissWindows.set(window, 0);
+  };
+  /**
+   * Manages the size of the cache miss gauge map.
+   */
+  #rollCacheMissWindows = () => {
+    const maxCacheMissWindows = process.env.PEPR_MAX_CACHE_MISS_WINDOWS ? parseInt(process.env.PEPR_MAX_CACHE_MISS_WINDOWS, 10) : void 0;
+    if (maxCacheMissWindows !== void 0 && this.#cacheMissWindows.size >= maxCacheMissWindows) {
+      const firstKey = this.#cacheMissWindows.keys().next().value;
+      if (firstKey !== void 0) {
+        this.#cacheMissWindows.delete(firstKey);
+      }
+      this.#gauges.get(this.#getMetricName(this.#metricNames.cacheMiss))?.remove({ window: firstKey });
+    }
+  };
+};
+var metricsCollector = new MetricsCollector("pepr");
+
+// src/lib/processors/mutate-processor.ts
+var import_fast_json_patch = __toESM(require("fast-json-patch"));
+var import_ramda6 = require("ramda");
+
+// src/lib/telemetry/timeUtils.ts
+var getNow = () => performance.now();
+
+// src/lib/telemetry/webhookTimeouts.ts
+var MeasureWebhookTimeout = class {
+  #startTime = null;
+  #webhookType;
+  timeout = 0;
+  constructor(webhookType) {
+    this.#webhookType = webhookType;
+    metricsCollector.addCounter(`${webhookType}_timeouts`, `Number of ${webhookType} webhook timeouts`);
+  }
+  start(timeout = 10) {
+    this.#startTime = getNow();
+    this.timeout = timeout;
+    logger_default.info(`Starting timer at ${this.#startTime}`);
+  }
+  stop() {
+    if (this.#startTime === null) {
+      throw new Error("Timer was not started before calling stop.");
+    }
+    const elapsedTime = getNow() - this.#startTime;
+    logger_default.info(`Webhook ${this.#startTime} took ${elapsedTime}ms`);
+    this.#startTime = null;
+    if (elapsedTime > this.timeout) {
+      metricsCollector.incCounter(`${this.#webhookType}_timeouts`);
+    }
+  }
+};
+
+// src/lib/filter/adjudicators/adjudicators.ts
+var import_ramda3 = require("ramda");
+var declaredOperation = (0, import_ramda3.pipe)(
+  (request) => request?.operation,
+  (0, import_ramda3.defaultTo)("")
+);
+var declaredGroup = (0, import_ramda3.pipe)(
+  (request) => request?.kind?.group,
+  (0, import_ramda3.defaultTo)("")
+);
+var declaredVersion = (0, import_ramda3.pipe)(
+  (request) => request?.kind?.version,
+  (0, import_ramda3.defaultTo)("")
+);
+var declaredKind = (0, import_ramda3.pipe)(
+  (request) => request?.kind?.kind,
+  (0, import_ramda3.defaultTo)("")
+);
+var declaredUid = (0, import_ramda3.pipe)((request) => request?.uid, (0, import_ramda3.defaultTo)(""));
+var carriesDeletionTimestamp = (0, import_ramda3.pipe)(
+  (kubernetesObject) => !!kubernetesObject.metadata?.deletionTimestamp,
+  (0, import_ramda3.defaultTo)(false)
+);
+var missingDeletionTimestamp = (0, import_ramda3.complement)(carriesDeletionTimestamp);
+var carriedKind = (0, import_ramda3.pipe)(
+  (kubernetesObject) => kubernetesObject?.kind,
+  (0, import_ramda3.defaultTo)("not set")
+);
+var carriedVersion = (0, import_ramda3.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.resourceVersion,
+  (0, import_ramda3.defaultTo)("not set")
+);
+var carriedName = (0, import_ramda3.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.name,
+  (0, import_ramda3.defaultTo)("")
+);
+var carriesName = (0, import_ramda3.pipe)(carriedName, (0, import_ramda3.equals)(""), import_ramda3.not);
+var missingName = (0, import_ramda3.complement)(carriesName);
+var carriedNamespace = (0, import_ramda3.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.namespace,
+  (0, import_ramda3.defaultTo)("")
+);
+var carriesNamespace = (0, import_ramda3.pipe)(carriedNamespace, (0, import_ramda3.equals)(""), import_ramda3.not);
+var carriedAnnotations = (0, import_ramda3.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.annotations,
+  (0, import_ramda3.defaultTo)({})
+);
+var carriesAnnotations = (0, import_ramda3.pipe)(carriedAnnotations, (0, import_ramda3.equals)({}), import_ramda3.not);
+var carriedLabels = (0, import_ramda3.pipe)(
+  (kubernetesObject) => kubernetesObject?.metadata?.labels,
+  (0, import_ramda3.defaultTo)({})
+);
+var carriesLabels = (0, import_ramda3.pipe)(carriedLabels, (0, import_ramda3.equals)({}), import_ramda3.not);
+var definesDeletionTimestamp = (0, import_ramda3.pipe)(
+  (binding) => binding?.filters?.deletionTimestamp ?? false,
+  (0, import_ramda3.defaultTo)(false)
+);
+var ignoresDeletionTimestamp = (0, import_ramda3.complement)(definesDeletionTimestamp);
+var definedName = (0, import_ramda3.pipe)((binding) => {
+  return binding.filters.name;
+}, (0, import_ramda3.defaultTo)(""));
+var definesName = (0, import_ramda3.pipe)(definedName, (0, import_ramda3.equals)(""), import_ramda3.not);
+var ignoresName = (0, import_ramda3.complement)(definesName);
+var definedNameRegex = (0, import_ramda3.pipe)(
+  (binding) => binding.filters?.regexName,
+  (0, import_ramda3.defaultTo)("")
+);
+var definesNameRegex = (0, import_ramda3.pipe)(definedNameRegex, (0, import_ramda3.equals)(""), import_ramda3.not);
+var definedNamespaces = (0, import_ramda3.pipe)((binding) => binding?.filters?.namespaces, (0, import_ramda3.defaultTo)([]));
+var definesNamespaces = (0, import_ramda3.pipe)(definedNamespaces, (0, import_ramda3.equals)([]), import_ramda3.not);
+var definedNamespaceRegexes = (0, import_ramda3.pipe)((binding) => binding?.filters?.regexNamespaces, (0, import_ramda3.defaultTo)([]));
+var definesNamespaceRegexes = (0, import_ramda3.pipe)(definedNamespaceRegexes, (0, import_ramda3.equals)([]), import_ramda3.not);
+var definedAnnotations = (0, import_ramda3.pipe)((binding) => binding?.filters?.annotations, (0, import_ramda3.defaultTo)({}));
+var definesAnnotations = (0, import_ramda3.pipe)(definedAnnotations, (0, import_ramda3.equals)({}), import_ramda3.not);
+var definedLabels = (0, import_ramda3.pipe)((binding) => binding?.filters?.labels, (0, import_ramda3.defaultTo)({}));
+var definesLabels = (0, import_ramda3.pipe)(definedLabels, (0, import_ramda3.equals)({}), import_ramda3.not);
+var definedEvent = (binding) => {
+  return binding.event;
+};
+var definesDelete = (0, import_ramda3.pipe)(definedEvent, (0, import_ramda3.equals)("DELETE" /* DELETE */));
+var definedGroup = (0, import_ramda3.pipe)((binding) => binding?.kind?.group, (0, import_ramda3.defaultTo)(""));
+var definesGroup = (0, import_ramda3.pipe)(definedGroup, (0, import_ramda3.equals)(""), import_ramda3.not);
+var definedVersion = (0, import_ramda3.pipe)(
+  (binding) => binding?.kind?.version,
+  (0, import_ramda3.defaultTo)("")
+);
+var definesVersion = (0, import_ramda3.pipe)(definedVersion, (0, import_ramda3.equals)(""), import_ramda3.not);
+var definedKind = (0, import_ramda3.pipe)((binding) => binding?.kind?.kind, (0, import_ramda3.defaultTo)(""));
+var definesKind = (0, import_ramda3.pipe)(definedKind, (0, import_ramda3.equals)(""), import_ramda3.not);
+var definedCallback = (binding) => {
+  return binding.isFinalize ? binding.finalizeCallback : binding.isWatch ? binding.watchCallback : binding.isMutate ? binding.mutateCallback : binding.isValidate ? binding.validateCallback : null;
+};
+var definedCallbackName = (0, import_ramda3.pipe)(definedCallback, (0, import_ramda3.defaultTo)({ name: "" }), (callback) => callback.name);
+var mismatchedDeletionTimestamp = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesDeletionTimestamp),
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(1), missingDeletionTimestamp)
+]);
+var mismatchedName = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesName),
+  (0, import_ramda3.pipe)((binding, kubernetesObject) => definedName(binding) !== carriedName(kubernetesObject))
+]);
+var mismatchedNameRegex = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesNameRegex),
+  (0, import_ramda3.pipe)((binding, kubernetesObject) => new RegExp(definedNameRegex(binding)).test(carriedName(kubernetesObject)), import_ramda3.not)
+]);
+var bindsToKind = (0, import_ramda3.curry)(
+  (0, import_ramda3.allPass)([(0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definedKind, (0, import_ramda3.equals)(""), import_ramda3.not), (0, import_ramda3.pipe)((binding, kind3) => definedKind(binding) === kind3)])
+);
+var bindsToNamespace = (0, import_ramda3.curry)((0, import_ramda3.pipe)(bindsToKind(import_ramda3.__, "Namespace")));
+var misboundNamespace = (0, import_ramda3.allPass)([bindsToNamespace, definesNamespaces]);
+var mismatchedNamespace = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesNamespaces),
+  (0, import_ramda3.pipe)((binding, kubernetesObject) => definedNamespaces(binding).includes(carriedNamespace(kubernetesObject)), import_ramda3.not)
+]);
+var mismatchedNamespaceRegex = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesNamespaceRegexes),
+  (0, import_ramda3.pipe)(
+    (binding, kubernetesObject) => (0, import_ramda3.pipe)(
+      (0, import_ramda3.any)((regEx) => new RegExp(regEx).test(carriedNamespace(kubernetesObject))),
+      import_ramda3.not
+    )(definedNamespaceRegexes(binding))
+  )
+]);
+var metasMismatch = (0, import_ramda3.pipe)(
+  (defined, carried) => {
+    const result = { defined, carried, unalike: {} };
+    result.unalike = Object.entries(result.defined).map(([key, value]) => {
+      const keyMissing = !Object.hasOwn(result.carried, key);
+      const noValue = !value;
+      const valMissing = !result.carried[key];
+      const valDiffers = result.carried[key] !== result.defined[key];
+      return keyMissing ? { [key]: value } : noValue ? {} : valMissing ? { [key]: value } : valDiffers ? { [key]: value } : {};
+    }).reduce((acc, cur) => ({ ...acc, ...cur }), {});
+    return result.unalike;
+  },
+  (unalike) => Object.keys(unalike).length > 0
+);
+var mismatchedAnnotations = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesAnnotations),
+  (0, import_ramda3.pipe)((binding, kubernetesObject) => metasMismatch(definedAnnotations(binding), carriedAnnotations(kubernetesObject)))
+]);
+var mismatchedLabels = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesLabels),
+  (0, import_ramda3.pipe)((binding, kubernetesObject) => metasMismatch(definedLabels(binding), carriedLabels(kubernetesObject)))
+]);
+var uncarryableNamespace = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), import_ramda3.length, (0, import_ramda3.gt)(import_ramda3.__, 0)),
+  (0, import_ramda3.pipe)((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+    return true;
+  }, import_ramda3.not)
+]);
+var missingCarriableNamespace = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), import_ramda3.length, (0, import_ramda3.gt)(import_ramda3.__, 0)),
+  (0, import_ramda3.pipe)(
+    (namespaceSelector, kubernetesObject) => kubernetesObject.kind === "Namespace" ? !namespaceSelector.includes(kubernetesObject.metadata.name) : !carriesNamespace(kubernetesObject)
+  )
+]);
+var carriesIgnoredNamespace = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), import_ramda3.length, (0, import_ramda3.gt)(import_ramda3.__, 0)),
+  (0, import_ramda3.pipe)((namespaceSelector, kubernetesObject) => {
+    if (kubernetesObject?.kind === "Namespace") {
+      return namespaceSelector.includes(kubernetesObject?.metadata?.name);
+    }
+    if (carriesNamespace(kubernetesObject)) {
+      return namespaceSelector.includes(carriedNamespace(kubernetesObject));
+    }
+    return false;
+  })
+]);
+var unbindableNamespaces = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), import_ramda3.length, (0, import_ramda3.gt)(import_ramda3.__, 0)),
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(1), definesNamespaces),
+  (0, import_ramda3.pipe)(
+    (namespaceSelector, binding) => (0, import_ramda3.difference)(definedNamespaces(binding), namespaceSelector),
+    import_ramda3.length,
+    (0, import_ramda3.equals)(0),
+    import_ramda3.not
+  )
+]);
+var misboundDeleteWithDeletionTimestamp = (0, import_ramda3.allPass)([definesDelete, definesDeletionTimestamp]);
+var operationMatchesEvent = (0, import_ramda3.anyPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(1), (0, import_ramda3.equals)("*" /* ANY */)),
+  (0, import_ramda3.pipe)((operation, event) => operation.valueOf() === event.valueOf()),
+  (0, import_ramda3.pipe)((operation, event) => operation ? event.includes(operation) : false)
+]);
+var mismatchedEvent = (0, import_ramda3.pipe)(
+  (binding, request) => operationMatchesEvent(declaredOperation(request), definedEvent(binding)),
+  import_ramda3.not
+);
+var mismatchedGroup = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesGroup),
+  (0, import_ramda3.pipe)((binding, request) => definedGroup(binding) !== declaredGroup(request))
+]);
+var mismatchedVersion = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesVersion),
+  (0, import_ramda3.pipe)((binding, request) => definedVersion(binding) !== declaredVersion(request))
+]);
+var mismatchedKind = (0, import_ramda3.allPass)([
+  (0, import_ramda3.pipe)((0, import_ramda3.nthArg)(0), definesKind),
+  (0, import_ramda3.pipe)((binding, request) => definedKind(binding) !== declaredKind(request))
+]);
+
+// src/lib/filter/filter.ts
+function shouldSkipRequest(binding, req, capabilityNamespaces, ignoredNamespaces) {
+  const obj = req.operation === "DELETE" /* DELETE */ ? req.oldObject : req.object;
+  const prefix = "Ignoring Admission Callback:";
+  const adjudicators = [
+    () => adjudicateMisboundDeleteWithDeletionTimestamp(binding),
+    () => adjudicateMismatchedDeletionTimestamp(binding, obj),
+    () => adjudicateMismatchedEvent(binding, req),
+    () => adjudicateMismatchedName(binding, obj),
+    () => adjudicateMismatchedGroup(binding, req),
+    () => adjudicateMismatchedVersion(binding, req),
+    () => adjudicateMismatchedKind(binding, req),
+    () => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
+    () => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
+    () => adjudicateMismatchedNamespace(binding, obj),
+    () => adjudicateMismatchedLabels(binding, obj),
+    () => adjudicateMismatchedAnnotations(binding, obj),
+    () => adjudicateMismatchedNamespaceRegex(binding, obj),
+    () => adjudicateMismatchedNameRegex(binding, obj),
+    () => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
+    () => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj)
+  ];
+  for (const adjudicator of adjudicators) {
+    const result = adjudicator();
+    if (result) {
+      return `${prefix} ${result}`;
     }
-    return this;
-  };
-  HasLabel = (key) => {
-    return this.Raw.metadata?.labels?.[key] !== void 0;
-  };
-  HasAnnotation = (key) => {
-    return this.Raw.metadata?.annotations?.[key] !== void 0;
-  };
-};
-
-// src/lib/utils.ts
-var utils_exports = {};
-__export(utils_exports, {
-  base64Decode: () => base64Decode,
-  base64Encode: () => base64Encode,
-  convertFromBase64Map: () => convertFromBase64Map,
-  convertToBase64Map: () => convertToBase64Map,
-  isAscii: () => isAscii
-});
-var isAscii = /^[\s\x20-\x7E]*$/;
-function convertToBase64Map(obj, skip) {
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    const value = obj.data[key];
-    obj.data[key] = skip.includes(key) ? value : base64Encode(value);
   }
+  return "";
 }
-function convertFromBase64Map(obj) {
-  const skip = [];
-  obj.data = obj.data ?? {};
-  for (const key in obj.data) {
-    if (obj.data[key] === void 0) {
-      obj.data[key] = "";
-    } else {
-      const decoded = base64Decode(obj.data[key]);
-      if (isAscii.test(decoded)) {
-        obj.data[key] = decoded;
-      } else {
-        skip.push(key);
-      }
+function filterNoMatchReason(binding, obj, capabilityNamespaces, ignoredNamespaces) {
+  const prefix = "Ignoring Watch Callback:";
+  const adjudicators = [
+    () => adjudicateMismatchedDeletionTimestamp(binding, obj),
+    () => adjudicateMismatchedName(binding, obj),
+    () => adjudicateMisboundNamespace(binding),
+    () => adjudicateMismatchedLabels(binding, obj),
+    () => adjudicateMismatchedAnnotations(binding, obj),
+    () => adjudicateUncarryableNamespace(capabilityNamespaces, obj),
+    () => adjudicateUnbindableNamespaces(capabilityNamespaces, binding),
+    () => adjudicateMismatchedNamespace(binding, obj),
+    () => adjudicateMismatchedNamespaceRegex(binding, obj),
+    () => adjudicateMismatchedNameRegex(binding, obj),
+    () => adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj),
+    () => adjudicateMissingCarriableNamespace(capabilityNamespaces, obj)
+  ];
+  for (const adjudicator of adjudicators) {
+    const result = adjudicator();
+    if (result) {
+      return `${prefix} ${result}`;
     }
   }
-  logger_default.debug(`Non-ascii data detected in keys: ${skip}, skipping automatic base64 decoding`);
-  return skip;
+  return "";
 }
-function base64Decode(data) {
-  return Buffer.from(data, "base64").toString("utf-8");
+function adjudicateMisboundNamespace(binding) {
+  return misboundNamespace(binding) ? "Cannot use namespace filter on a namespace object." : null;
 }
-function base64Encode(data) {
-  return Buffer.from(data).toString("base64");
+function adjudicateMisboundDeleteWithDeletionTimestamp(binding) {
+  return misboundDeleteWithDeletionTimestamp(binding) ? "Cannot use deletionTimestamp filter on a DELETE operation." : null;
 }
-
-// src/cli/init/enums.ts
-var OnError = /* @__PURE__ */ ((OnError2) => {
-  OnError2["AUDIT"] = "audit";
-  OnError2["IGNORE"] = "ignore";
-  OnError2["REJECT"] = "reject";
-  return OnError2;
-})(OnError || {});
-
-// src/lib/assets/webhooks.ts
-var import_ramda3 = require("ramda");
-function resolveIgnoreNamespaces(ignoredNSConfig = []) {
-  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
-  if (!ignoredNSEnv) {
-    return ignoredNSConfig;
-  }
-  const namespaces = ignoredNSEnv.split(",").map((ns) => ns.trim());
-  if (ignoredNSConfig) {
-    namespaces.push(...ignoredNSConfig);
-  }
-  return namespaces.filter((ns) => ns.length > 0);
+function adjudicateMismatchedDeletionTimestamp(binding, obj) {
+  return mismatchedDeletionTimestamp(binding, obj) ? "Binding defines deletionTimestamp but Object does not carry it." : null;
 }
-
-// src/lib/processors/mutate-processor.ts
-function updateStatus(config, name2, wrapped, status) {
-  if (wrapped.Request.operation === "DELETE") {
-    return wrapped;
-  }
-  wrapped.SetAnnotation(`${config.uuid}.pepr.dev/${name2}`, status);
-  return wrapped;
+function adjudicateMismatchedEvent(binding, req) {
+  return mismatchedEvent(binding, req) ? `Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.` : null;
 }
-function logMutateErrorMessage(e) {
-  try {
-    if (e.message && e.message !== "[object Object]") {
-      return e.message;
-    } else {
-      throw new Error("An error occurred in the mutate action.");
-    }
-  } catch {
-    return "An error occurred with the mutate action.";
-  }
+function adjudicateMismatchedName(binding, obj) {
+  return mismatchedName(binding, obj) ? `Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.` : null;
 }
-function decodeData(wrapped) {
-  let skipped = [];
-  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
-  if (isSecret) {
-    skipped = convertFromBase64Map(wrapped.Raw);
-  }
-  return { skipped, wrapped };
+function adjudicateMismatchedGroup(binding, req) {
+  return mismatchedGroup(binding, req) ? `Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.` : null;
 }
-function reencodeData(wrapped, skipped) {
-  const transformed = (0, import_ramda4.clone)(wrapped.Raw);
-  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
-  if (isSecret) {
-    convertToBase64Map(transformed, skipped);
-  }
-  return transformed;
+function adjudicateMismatchedVersion(binding, req) {
+  return mismatchedVersion(binding, req) ? `Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.` : null;
 }
-async function processRequest(bindable, wrapped, response) {
-  const { binding, actMeta, name: name2, config } = bindable;
-  const label = binding.mutateCallback.name;
-  logger_default.info(actMeta, `Processing mutation action (${label})`);
-  wrapped = updateStatus(config, name2, wrapped, "started");
-  try {
-    await binding.mutateCallback(wrapped);
-    logger_default.info(actMeta, `Mutation action succeeded (${label})`);
-    wrapped = updateStatus(config, name2, wrapped, "succeeded");
-  } catch (e) {
-    wrapped = updateStatus(config, name2, wrapped, "warning");
-    response.warnings = response.warnings || [];
-    const errorMessage = logMutateErrorMessage(e);
-    logger_default.error(actMeta, `Action failed: ${errorMessage}`);
-    response.warnings.push(`Action failed: ${errorMessage}`);
-    switch (config.onError) {
-      case "reject" /* REJECT */:
-        response.result = "Pepr module configured to reject on error";
-        break;
-      case "audit" /* AUDIT */:
-        response.auditAnnotations = response.auditAnnotations || {};
-        response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
-        break;
-    }
-  }
-  return { wrapped, response };
+function adjudicateMismatchedKind(binding, req) {
+  return mismatchedKind(binding, req) ? `Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.` : null;
 }
-async function mutateProcessor(config, capabilities, req, reqMetadata) {
-  const webhookTimer = new MeasureWebhookTimeout("mutate" /* MUTATE */);
-  webhookTimer.start(config.webhookTimeout);
-  let response = {
-    uid: req.uid,
-    warnings: [],
-    allowed: false
-  };
-  const decoded = decodeData(new PeprMutateRequest(req));
-  let wrapped = decoded.wrapped;
-  logger_default.info(reqMetadata, `Processing request`);
-  let bindables = capabilities.flatMap(
-    (capa) => capa.bindings.map((bind) => ({
-      req,
-      config,
-      name: capa.name,
-      namespaces: capa.namespaces,
-      binding: bind,
-      actMeta: { ...reqMetadata, name: capa.name }
-    }))
-  );
-  bindables = bindables.filter((bind) => {
-    if (!bind.binding.mutateCallback) {
-      return false;
-    }
-    const shouldSkip = shouldSkipRequest(
-      bind.binding,
-      bind.req,
-      bind.namespaces,
-      resolveIgnoreNamespaces(bind.config?.alwaysIgnore?.namespaces)
-    );
-    if (shouldSkip !== "") {
-      logger_default.debug(shouldSkip);
-      return false;
-    }
-    return true;
-  });
-  for (const bindable of bindables) {
-    ({ wrapped, response } = await processRequest(bindable, wrapped, response));
-    if (config.onError === "reject" /* REJECT */ && response?.warnings.length > 0) {
-      return response;
-    }
-  }
-  response.allowed = true;
-  if (bindables.length === 0) {
-    logger_default.info(reqMetadata, `No matching actions found`);
-    return response;
-  }
-  if (req.operation === "DELETE") {
-    return response;
-  }
-  const transformed = reencodeData(wrapped, decoded.skipped);
-  const patches = import_fast_json_patch.default.compare(req.object, transformed);
-  updateResponsePatchAndWarnings(patches, response);
-  logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
-  webhookTimer.stop();
-  return response;
+function adjudicateUnbindableNamespaces(capabilityNamespaces, binding) {
+  return unbindableNamespaces(capabilityNamespaces, binding) ? `Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
 }
-function updateResponsePatchAndWarnings(patches, response) {
-  if (patches.length > 0) {
-    response.patchType = "JSONPatch";
-    response.patch = base64Encode(JSON.stringify(patches));
-  }
-  if (response.warnings && response.warnings.length < 1) {
-    delete response.warnings;
-  }
+function adjudicateUncarryableNamespace(capabilityNamespaces, obj) {
+  return uncarryableNamespace(capabilityNamespaces, obj) ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
+}
+function adjudicateMismatchedNamespace(binding, obj) {
+  return mismatchedNamespace(binding, obj) ? `Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.` : null;
+}
+function adjudicateMismatchedLabels(binding, obj) {
+  return mismatchedLabels(binding, obj) ? `Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.` : null;
+}
+function adjudicateMismatchedAnnotations(binding, obj) {
+  return mismatchedAnnotations(binding, obj) ? `Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.` : null;
+}
+function adjudicateMismatchedNamespaceRegex(binding, obj) {
+  return mismatchedNamespaceRegex(binding, obj) ? `Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.` : null;
+}
+function adjudicateMismatchedNameRegex(binding, obj) {
+  return mismatchedNameRegex(binding, obj) ? `Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.` : null;
+}
+function adjudicateCarriesIgnoredNamespace(ignoredNamespaces, obj) {
+  return carriesIgnoredNamespace(ignoredNamespaces, obj) ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.` : null;
+}
+function adjudicateMissingCarriableNamespace(capabilityNamespaces, obj) {
+  return missingCarriableNamespace(capabilityNamespaces, obj) ? `Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.` : null;
 }
 
-// src/lib/validate-request.ts
-var import_ramda5 = require("ramda");
-var PeprValidateRequest = class {
+// src/lib/mutate-request.ts
+var import_ramda4 = require("ramda");
+var PeprMutateRequest = class {
   Raw;
   #input;
-  /**
-   * Provides access to the old resource in the request if available.
-   * @returns The old Kubernetes resource object or null if not available.
-   */
+  get PermitSideEffects() {
+    return !this.#input.dryRun;
+  }
+  get IsDryRun() {
+    return this.#input.dryRun;
+  }
   get OldResource() {
     return this.#input.oldObject;
   }
-  /**
-   * Provides access to the request object.
-   * @returns The request object containing the Kubernetes resource.
-   */
   get Request() {
     return this.#input;
   }
-  /**
-   * Creates a new instance of the Action class.
-   * @param input - The request object containing the Kubernetes resource to modify.
-   */
   constructor(input) {
-    this.#input = input;
-    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
-      this.Raw = (0, import_ramda5.clone)(input.oldObject);
-    } else {
-      this.Raw = (0, import_ramda5.clone)(input.object);
-    }
-    if (!this.Raw) {
-      throw new Error("unable to load the request object into PeprRequest.Raw");
-    }
-  }
-  /**
-   * Check if a label exists on the Kubernetes resource.
-   *
-   * @param key the label key to check
-   * @returns
-   */
-  HasLabel = (key) => {
-    return this.Raw.metadata?.labels?.[key] !== void 0;
-  };
-  /**
-   * Check if an annotation exists on the Kubernetes resource.
-   *
-   * @param key the annotation key to check
-   * @returns
-   */
-  HasAnnotation = (key) => {
-    return this.Raw.metadata?.annotations?.[key] !== void 0;
-  };
-  /**
-   * Create a validation response that allows the request.
-   *
-   * @returns The validation response.
-   */
-  Approve = () => {
-    return {
-      allowed: true
-    };
-  };
-  /**
-   * Create a validation response that denies the request.
-   *
-   * @param statusMessage Optional status message to return to the user.
-   * @param statusCode Optional status code to return to the user.
-   * @returns The validation response.
-   */
-  Deny = (statusMessage, statusCode) => {
-    return {
-      allowed: false,
-      statusCode,
-      statusMessage
-    };
-  };
-};
-
-// src/lib/processors/validate-processor.ts
-async function processRequest2(binding, actionMetadata, peprValidateRequest) {
-  const label = binding.validateCallback.name;
-  logger_default.info(actionMetadata, `Processing validation action (${label})`);
-  const valResp = {
-    uid: peprValidateRequest.Request.uid,
-    allowed: true
-    // Assume it's allowed until a validation check fails
-  };
-  try {
-    const callbackResp = await binding.validateCallback(peprValidateRequest);
-    valResp.allowed = callbackResp.allowed;
-    if (callbackResp.statusCode || callbackResp.statusMessage) {
-      valResp.status = {
-        code: callbackResp.statusCode || 400,
-        message: callbackResp.statusMessage || `Validation failed for ${name}`
-      };
-    }
-    logger_default.info(actionMetadata, `Validation action complete (${label}): ${callbackResp.allowed ? "allowed" : "denied"}`);
-    return valResp;
-  } catch (e) {
-    logger_default.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
-    valResp.allowed = false;
-    valResp.status = {
-      code: 500,
-      message: `Action failed with error: ${JSON.stringify(e)}`
-    };
-    return valResp;
-  }
-}
-async function validateProcessor(config, capabilities, req, reqMetadata) {
-  const webhookTimer = new MeasureWebhookTimeout("validate" /* VALIDATE */);
-  webhookTimer.start(config.webhookTimeout);
-  const wrapped = new PeprValidateRequest(req);
-  const response = [];
-  if (req.kind.version === "v1" && req.kind.kind === "Secret") {
-    convertFromBase64Map(wrapped.Raw);
-  }
-  logger_default.info(reqMetadata, `Processing validation request`);
-  for (const { name: name2, bindings, namespaces } of capabilities) {
-    const actionMetadata = { ...reqMetadata, name: name2 };
-    for (const binding of bindings) {
-      if (!binding.validateCallback) {
-        continue;
-      }
-      const shouldSkip = shouldSkipRequest(
-        binding,
-        req,
-        namespaces,
-        resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces)
-      );
-      if (shouldSkip !== "") {
-        logger_default.debug(shouldSkip);
-        continue;
-      }
-      const resp = await processRequest2(binding, actionMetadata, wrapped);
-      response.push(resp);
-    }
-  }
-  webhookTimer.stop();
-  return response;
-}
-
-// src/lib/controller/store.ts
-var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
-var import_ramda6 = require("ramda");
-
-// src/lib/k8s.ts
-var import_kubernetes_fluent_client = require("kubernetes-fluent-client");
-var Store = class extends import_kubernetes_fluent_client.GenericKind {
-};
-var peprStoreGVK = {
-  kind: "PeprStore",
-  version: "v1",
-  group: "pepr.dev"
-};
-(0, import_kubernetes_fluent_client.RegisterKind)(Store, peprStoreGVK);
-
-// src/lib/controller/storeCache.ts
-var import_kubernetes_fluent_client2 = require("kubernetes-fluent-client");
-var import_http_status_codes = require("http-status-codes");
-var sendUpdatesAndFlushCache = async (cache, namespace2, name2) => {
-  const indexes = Object.keys(cache);
-  const payload = Object.values(cache);
-  try {
-    if (payload.length > 0) {
-      await (0, import_kubernetes_fluent_client2.K8s)(Store, { namespace: namespace2, name: name2 }).Patch(updateCacheID(payload));
-      Object.keys(cache).forEach((key) => delete cache[key]);
-    }
-  } catch (err) {
-    logger_default.error(err, "Pepr store update failure");
-    if (err.status === import_http_status_codes.StatusCodes.UNPROCESSABLE_ENTITY) {
-      Object.keys(cache).forEach((key) => delete cache[key]);
-    } else {
-      indexes.forEach((index) => {
-        cache[index] = payload[Number(index)];
-      });
-    }
-  }
-  return cache;
-};
-var fillStoreCache = (cache, capabilityName, op, cacheItem) => {
-  const path = [`/data/${capabilityName}`, cacheItem.version, cacheItem.key].filter((str) => str !== "" && str !== void 0).join("-");
-  if (op === "add") {
-    const value = cacheItem.value || "";
-    const cacheIdx = [op, path, value].join(":");
-    cache[cacheIdx] = { op, path, value };
-  } else if (op === "remove") {
-    if (cacheItem.key.length < 1) {
-      throw new Error(`Key is required for REMOVE operation`);
-    }
-    const cacheIndex = [op, path].join(":");
-    cache[cacheIndex] = { op, path };
-  } else {
-    throw new Error(`Unsupported operation: ${op}`);
-  }
-  return cache;
-};
-function updateCacheID(payload) {
-  payload.push({
-    op: "replace",
-    path: "/metadata/labels/pepr.dev-cacheID",
-    value: `${Date.now()}`
-  });
-  return payload;
-}
-
-// src/lib/controller/store.ts
-var namespace = "pepr-system";
-var debounceBackoffReceive = 1e3;
-var debounceBackoffSend = 4e3;
-var StoreController = class {
-  #name;
-  #stores = {};
-  #sendDebounce;
-  #onReady;
-  constructor(capabilities, name2, onReady) {
-    this.#onReady = onReady;
-    this.#name = name2;
-    const setStorageInstance = (registrationFunction, name3) => {
-      const scheduleStore = registrationFunction();
-      scheduleStore.registerSender(this.#send(name3));
-      this.#stores[name3] = scheduleStore;
-    };
-    if (name2.includes("schedule")) {
-      for (const { name: name3, registerScheduleStore, hasSchedule } of capabilities) {
-        if (hasSchedule === true) {
-          setStorageInstance(registerScheduleStore, name3);
-        }
-      }
+    this.#input = input;
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda4.clone)(input.oldObject);
     } else {
-      for (const { name: name3, registerStore } of capabilities) {
-        setStorageInstance(registerStore, name3);
-      }
+      this.Raw = (0, import_ramda4.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("Unable to load the request object into PeprRequest.Raw");
     }
-    setTimeout(
-      () => (0, import_kubernetes_fluent_client3.K8s)(Store).InNamespace(namespace).Get(this.#name).then(async (store) => await this.#migrateAndSetupWatch(store)).catch(this.#createStoreResource),
-      Math.random() * 3e3
-      // Add a jitter to the Store creation to avoid collisions
-    );
   }
-  #setupWatch = () => {
-    const watcher = (0, import_kubernetes_fluent_client3.K8s)(Store, { name: this.#name, namespace }).Watch(this.#receive);
-    watcher.start().catch((e) => logger_default.error(e, "Error starting Pepr store watch"));
+  Merge = (obj) => {
+    this.Raw = (0, import_ramda4.mergeDeepRight)(this.Raw, obj);
   };
-  #migrateAndSetupWatch = async (store) => {
-    logger_default.debug(redactedStore(store), "Pepr Store migration");
-    await (0, import_kubernetes_fluent_client3.K8s)(Store, { namespace, name: this.#name }).Patch([
-      {
-        op: "add",
-        path: "/metadata/labels/pepr.dev-cacheID",
-        value: `${Date.now()}`
-      }
-    ]);
-    const data = store.data || {};
-    let storeCache = {};
-    for (const name2 of Object.keys(this.#stores)) {
-      const offset = `${name2}-`.length;
-      for (const key of Object.keys(data)) {
-        if ((0, import_ramda6.startsWith)(name2, key) && !(0, import_ramda6.startsWith)(`${name2}-v2`, key)) {
-          storeCache = fillStoreCache(storeCache, name2, "remove", {
-            key: [key.slice(offset)],
-            value: data[key]
-          });
-          storeCache = fillStoreCache(storeCache, name2, "add", {
-            key: [key.slice(offset)],
-            value: data[key],
-            version: "v2"
-          });
-        }
-      }
-    }
-    storeCache = await sendUpdatesAndFlushCache(storeCache, namespace, this.#name);
-    this.#setupWatch();
+  SetLabel = (key, value) => {
+    const ref = this.Raw;
+    ref.metadata = ref.metadata ?? {};
+    ref.metadata.labels = ref.metadata.labels ?? {};
+    ref.metadata.labels[key] = value;
+    return this;
   };
-  #receive = (store) => {
-    logger_default.debug(redactedStore(store), "Pepr Store update");
-    const debounced = () => {
-      const data = store.data || {};
-      for (const name2 of Object.keys(this.#stores)) {
-        const offset = `${name2}-`.length;
-        const filtered = {};
-        for (const key of Object.keys(data)) {
-          if ((0, import_ramda6.startsWith)(name2, key)) {
-            filtered[key.slice(offset)] = data[key];
-          }
-        }
-        this.#stores[name2].receive(filtered);
-      }
-      if (this.#onReady) {
-        this.#onReady();
-        this.#onReady = void 0;
-      }
-    };
-    clearTimeout(this.#sendDebounce);
-    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoffReceive);
+  SetAnnotation = (key, value) => {
+    const ref = this.Raw;
+    ref.metadata = ref.metadata ?? {};
+    ref.metadata.annotations = ref.metadata.annotations ?? {};
+    ref.metadata.annotations[key] = value;
+    return this;
   };
-  #send = (capabilityName) => {
-    let storeCache = {};
-    const sender = async (op, key, value) => {
-      storeCache = fillStoreCache(storeCache, capabilityName, op, { key, value });
-    };
-    setInterval(() => {
-      if (Object.keys(storeCache).length > 0) {
-        logger_default.debug(redactedPatch(storeCache), "Sending updates to Pepr store");
-        void sendUpdatesAndFlushCache(storeCache, namespace, this.#name);
-      }
-    }, debounceBackoffSend);
-    return sender;
+  RemoveLabel = (key) => {
+    if (this.Raw.metadata?.labels?.[key]) {
+      delete this.Raw.metadata.labels[key];
+    }
+    return this;
   };
-  #createStoreResource = async (e) => {
-    logger_default.info(`Pepr store not found, creating...`);
-    logger_default.debug(e);
-    try {
-      await (0, import_kubernetes_fluent_client3.K8s)(Store).Apply({
-        metadata: {
-          name: this.#name,
-          namespace,
-          labels: {
-            "pepr.dev-cacheID": `${Date.now()}`
-          }
-        },
-        data: {
-          // JSON Patch will die if the data is empty, so we need to add a placeholder
-          __pepr_do_not_delete__: "k-thx-bye"
-        }
-      });
-      this.#setupWatch();
-    } catch (err) {
-      logger_default.error(err, "Failed to create Pepr store");
+  RemoveAnnotation = (key) => {
+    if (this.Raw.metadata?.annotations?.[key]) {
+      delete this.Raw.metadata.annotations[key];
     }
+    return this;
+  };
+  HasLabel = (key) => {
+    return this.Raw.metadata?.labels?.[key] !== void 0;
+  };
+  HasAnnotation = (key) => {
+    return this.Raw.metadata?.annotations?.[key] !== void 0;
   };
 };
 
-// src/lib/controller/index.util.ts
-function karForMutate(mr) {
-  return {
-    apiVersion: "admission.k8s.io/v1",
-    kind: "AdmissionReview",
-    response: mr
-  };
+// src/lib/utils.ts
+var utils_exports = {};
+__export(utils_exports, {
+  base64Decode: () => base64Decode,
+  base64Encode: () => base64Encode,
+  convertFromBase64Map: () => convertFromBase64Map,
+  convertToBase64Map: () => convertToBase64Map,
+  isAscii: () => isAscii
+});
+var isAscii = /^[\s\x20-\x7E]*$/;
+function convertToBase64Map(obj, skip) {
+  obj.data = obj.data ?? {};
+  for (const key in obj.data) {
+    const value = obj.data[key];
+    obj.data[key] = skip.includes(key) ? value : base64Encode(value);
+  }
 }
-function karForValidate(ar, vr) {
-  const isAllowed = vr.filter((r) => !r.allowed).length === 0;
-  const resp = vr.length === 0 ? {
-    uid: ar.uid,
-    allowed: true,
-    status: { code: 200, message: "no in-scope validations -- allowed!" }
-  } : {
-    uid: vr[0].uid,
-    allowed: isAllowed,
-    status: {
-      code: isAllowed ? 200 : 422,
-      message: vr.filter((rl) => !rl.allowed).map((curr) => curr.status?.message).join("; ")
+function convertFromBase64Map(obj) {
+  const skip = [];
+  obj.data = obj.data ?? {};
+  for (const key in obj.data) {
+    if (obj.data[key] === void 0) {
+      obj.data[key] = "";
+    } else {
+      const decoded = base64Decode(obj.data[key]);
+      if (isAscii.test(decoded)) {
+        obj.data[key] = decoded;
+      } else {
+        skip.push(key);
+      }
     }
-  };
-  return {
-    apiVersion: "admission.k8s.io/v1",
-    kind: "AdmissionReview",
-    response: resp
-  };
+  }
+  logger_default.debug(`Non-ascii data detected in keys: ${skip}, skipping automatic base64 decoding`);
+  return skip;
+}
+function base64Decode(data) {
+  return Buffer.from(data, "base64").toString("utf-8");
+}
+function base64Encode(data) {
+  return Buffer.from(data).toString("base64");
 }
 
-// src/lib/controller/index.ts
-if (!process.env.PEPR_NODE_WARNINGS) {
-  process.removeAllListeners("warning");
+// src/cli/init/enums.ts
+var OnError = /* @__PURE__ */ ((OnError2) => {
+  OnError2["AUDIT"] = "audit";
+  OnError2["IGNORE"] = "ignore";
+  OnError2["REJECT"] = "reject";
+  return OnError2;
+})(OnError || {});
+
+// src/lib/assets/webhooks.ts
+var import_ramda5 = require("ramda");
+function resolveIgnoreNamespaces(ignoredNSConfig = []) {
+  const ignoredNSEnv = process.env.PEPR_ADDITIONAL_IGNORED_NAMESPACES;
+  if (!ignoredNSEnv) {
+    return ignoredNSConfig;
+  }
+  const namespaces = ignoredNSEnv.split(",").map((ns) => ns.trim());
+  if (ignoredNSConfig) {
+    namespaces.push(...ignoredNSConfig);
+  }
+  return namespaces.filter((ns) => ns.length > 0);
 }
-var Controller = class _Controller {
-  // Track whether the server is running
-  #running = false;
-  // Metrics collector
-  #metricsCollector = metricsCollector;
-  // The token used to authenticate requests
-  #token = "";
-  // The express app instance
-  #app = (0, import_express.default)();
-  // Initialized with the constructor
-  #config;
-  #capabilities;
-  #beforeHook;
-  #afterHook;
-  constructor(config, capabilities, hooks = {}) {
-    const { beforeHook, afterHook, onReady } = hooks;
-    this.#config = config;
-    this.#capabilities = capabilities;
-    new StoreController(capabilities, `pepr-${config.uuid}-store`, () => {
-      this.#bindEndpoints();
-      if (typeof onReady === "function") {
-        onReady();
-      }
-      logger_default.info("\u2705 Controller startup complete");
-      new StoreController(capabilities, `pepr-${config.uuid}-schedule`, () => {
-        logger_default.info("\u2705 Scheduling processed");
-      });
-    });
-    this.#app.use(_Controller.#logger);
-    this.#app.use(import_express.default.json({ limit: "2mb" }));
-    if (beforeHook) {
-      logger_default.info(`Using beforeHook: ${beforeHook}`);
-      this.#beforeHook = beforeHook;
-    }
-    if (afterHook) {
-      logger_default.info(`Using afterHook: ${afterHook}`);
-      this.#afterHook = afterHook;
+
+// src/lib/processors/mutate-processor.ts
+function updateStatus(config, name2, wrapped, status) {
+  if (wrapped.Request.operation === "DELETE") {
+    return wrapped;
+  }
+  wrapped.SetAnnotation(`${config.uuid}.pepr.dev/${name2}`, status);
+  return wrapped;
+}
+function logMutateErrorMessage(e) {
+  try {
+    if (e.message && e.message !== "[object Object]") {
+      return e.message;
+    } else {
+      throw new Error("An error occurred in the mutate action.");
     }
+  } catch {
+    return "An error occurred with the mutate action.";
   }
-  /** Start the webhook server */
-  startServer = (port) => {
-    if (this.#running) {
-      throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
-    }
-    const options = {
-      key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
-      cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
-    };
-    if (!isWatchMode()) {
-      this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
-      logger_default.info(`Using API token: ${this.#token}`);
-      if (!this.#token) {
-        throw new Error("API token not found");
-      }
+}
+function decodeData(wrapped) {
+  let skipped = [];
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    skipped = convertFromBase64Map(wrapped.Raw);
+  }
+  return { skipped, wrapped };
+}
+function reencodeData(wrapped, skipped) {
+  const transformed = (0, import_ramda6.clone)(wrapped.Raw);
+  const isSecret = wrapped.Request.kind.version === "v1" && wrapped.Request.kind.kind === "Secret";
+  if (isSecret) {
+    convertToBase64Map(transformed, skipped);
+  }
+  return transformed;
+}
+async function processRequest(bindable, wrapped, response) {
+  const { binding, actMeta, name: name2, config } = bindable;
+  const label = binding.mutateCallback.name;
+  logger_default.info(actMeta, `Processing mutation action (${label})`);
+  wrapped = updateStatus(config, name2, wrapped, "started");
+  try {
+    await binding.mutateCallback(wrapped);
+    logger_default.info(actMeta, `Mutation action succeeded (${label})`);
+    wrapped = updateStatus(config, name2, wrapped, "succeeded");
+  } catch (e) {
+    wrapped = updateStatus(config, name2, wrapped, "warning");
+    response.warnings = response.warnings || [];
+    const errorMessage = logMutateErrorMessage(e);
+    logger_default.error(actMeta, `Action failed: ${errorMessage}`);
+    response.warnings.push(`Action failed: ${errorMessage}`);
+    switch (config.onError) {
+      case "reject" /* REJECT */:
+        response.result = "Pepr module configured to reject on error";
+        break;
+      case "audit" /* AUDIT */:
+        response.auditAnnotations = response.auditAnnotations || {};
+        response.auditAnnotations[Date.now()] = `Action failed: ${errorMessage}`;
+        break;
     }
-    const server = import_https.default.createServer(options, this.#app).listen(port);
-    server.on("listening", () => {
-      logger_default.info(`Server listening on port ${port}`);
-      this.#running = true;
-    });
-    server.on("error", (e) => {
-      if (e.code === "EADDRINUSE") {
-        logger_default.info(
-          `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
-        );
-        setTimeout(() => {
-          server.close();
-          server.listen(port);
-        }, 2e3);
-      }
-    });
-    process.on("SIGTERM", () => {
-      logger_default.info("Received SIGTERM, closing server");
-      server.close(() => {
-        logger_default.info("Server closed");
-        process.exit(0);
-      });
-    });
+  }
+  return { wrapped, response };
+}
+async function mutateProcessor(config, capabilities, req, reqMetadata) {
+  const webhookTimer = new MeasureWebhookTimeout("mutate" /* MUTATE */);
+  webhookTimer.start(config.webhookTimeout);
+  let response = {
+    uid: req.uid,
+    warnings: [],
+    allowed: false
   };
-  #bindEndpoints = () => {
-    this.#app.get("/healthz", _Controller.#healthz);
-    this.#app.get("/metrics", this.#metrics);
-    if (isWatchMode()) {
-      return;
+  const decoded = decodeData(new PeprMutateRequest(req));
+  let wrapped = decoded.wrapped;
+  logger_default.info(reqMetadata, `Processing request`);
+  let bindables = capabilities.flatMap(
+    (capa) => capa.bindings.map((bind) => ({
+      req,
+      config,
+      name: capa.name,
+      namespaces: capa.namespaces,
+      binding: bind,
+      actMeta: { ...reqMetadata, name: capa.name }
+    }))
+  );
+  bindables = bindables.filter((bind) => {
+    if (!bind.binding.mutateCallback) {
+      return false;
     }
-    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
-    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
-    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
-  };
-  /**
-   * Validate the token in the request path
-   *
-   * @param req The incoming request
-   * @param res The outgoing response
-   * @param next The next middleware function
-   * @returns
-   */
-  #validateToken = (req, res, next) => {
-    const { token } = req.params;
-    if (token !== this.#token) {
-      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
-      logger_default.info(err);
-      res.status(401).send(err);
-      this.#metricsCollector.alert();
-      return;
+    const shouldSkip = shouldSkipRequest(
+      bind.binding,
+      bind.req,
+      bind.namespaces,
+      resolveIgnoreNamespaces(bind.config?.alwaysIgnore?.namespaces)
+    );
+    if (shouldSkip !== "") {
+      logger_default.debug(shouldSkip);
+      return false;
     }
-    next();
-  };
-  /**
-   * Metrics endpoint handler
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   */
-  #metrics = async (req, res) => {
-    try {
-      res.set("Content-Type", "text/plain; version=0.0.4");
-      res.send(await this.#metricsCollector.getMetrics());
-    } catch (err) {
-      logger_default.error(err, `Error getting metrics`);
-      res.status(500).send("Internal Server Error");
+    return true;
+  });
+  for (const bindable of bindables) {
+    ({ wrapped, response } = await processRequest(bindable, wrapped, response));
+    if (config.onError === "reject" /* REJECT */ && response?.warnings.length > 0) {
+      return response;
     }
-  };
-  /**
-   * Admission request handler for both mutate and validate requests
-   *
-   * @param admissionKind the type of admission request
-   * @returns the request handler
-   */
-  #admissionReq = (admissionKind) => {
-    return async (req, res) => {
-      const startTime = MetricsCollector.observeStart();
-      try {
-        const request = req.body?.request || {};
-        const { name: name2, namespace: namespace2, gvk } = {
-          name: request?.name ? `/${request.name}` : "",
-          namespace: request?.namespace || "",
-          gvk: request?.kind || { group: "", version: "", kind: "" }
-        };
-        const reqMetadata = { uid: request.uid, namespace: namespace2, name: name2 };
-        logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
-        logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
-        if (typeof this.#beforeHook === "function") {
-          this.#beforeHook(request || {});
-        }
-        const response = admissionKind === "Mutate" ? await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata) : await validateProcessor(this.#config, this.#capabilities, request, reqMetadata);
-        [response].flat().map((res2) => {
-          if (typeof this.#afterHook === "function") {
-            this.#afterHook(res2);
-          }
-          logger_default.info({ ...reqMetadata, res: res2 }, "Check response");
-        });
-        const kar = admissionKind === "Mutate" ? karForMutate(response) : karForValidate(request, response);
-        logger_default.debug({ ...reqMetadata, kubeAdmissionResponse: kar.response }, "Outgoing response");
-        res.send(kar);
-        this.#metricsCollector.observeEnd(startTime, admissionKind);
-      } catch (err) {
-        logger_default.error(err, `Error processing ${admissionKind} request`);
-        res.status(500).send("Internal Server Error");
-        this.#metricsCollector.error();
-      }
-    };
-  };
-  /**
-   * Middleware for logging requests
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   * @param next the next middleware function
-   */
-  static #logger(req, res, next) {
-    const startTime = Date.now();
-    res.on("finish", () => {
-      const excludedRoutes = ["/healthz", "/metrics"];
-      if (excludedRoutes.includes(req.originalUrl)) {
-        return;
-      }
-      const elapsedTime = Date.now() - startTime;
-      const message = {
-        uid: req.body?.request?.uid,
-        method: req.method,
-        url: req.originalUrl,
-        status: res.statusCode,
-        duration: `${elapsedTime} ms`
-      };
-      logger_default.info(message);
-    });
-    next();
   }
-  /**
-   * Health check endpoint handler
-   *
-   * @param req the incoming request
-   * @param res the outgoing response
-   */
-  static #healthz(req, res) {
-    try {
-      res.send("OK");
-    } catch (err) {
-      logger_default.error(err, `Error processing health check`);
-      res.status(500).send("Internal Server Error");
-    }
+  response.allowed = true;
+  if (bindables.length === 0) {
+    logger_default.info(reqMetadata, `No matching actions found`);
+    return response;
+  }
+  if (req.operation === "DELETE") {
+    return response;
+  }
+  const transformed = reencodeData(wrapped, decoded.skipped);
+  const patches = import_fast_json_patch.default.compare(req.object, transformed);
+  updateResponsePatchAndWarnings(patches, response);
+  logger_default.debug({ ...reqMetadata, patches }, `Patches generated`);
+  webhookTimer.stop();
+  return response;
+}
+function updateResponsePatchAndWarnings(patches, response) {
+  if (patches.length > 0) {
+    response.patchType = "JSONPatch";
+    response.patch = base64Encode(JSON.stringify(patches));
   }
-};
-
-// src/lib/errors.ts
-var ErrorList = Object.values(OnError);
-function ValidateError(error = "") {
-  if (!ErrorList.includes(error)) {
-    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
+  if (response.warnings && response.warnings.length < 1) {
+    delete response.warnings;
   }
 }
 
-// src/lib/processors/watch-processor.ts
-var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
-
-// src/lib/core/queue.ts
-var import_node_crypto = require("node:crypto");
-var Queue = class {
-  #name;
-  #uid;
-  #queue = [];
-  #pendingPromise = false;
-  constructor(name2) {
-    this.#name = name2;
-    this.#uid = `${Date.now()}-${(0, import_node_crypto.randomBytes)(2).toString("hex")}`;
+// src/lib/validate-request.ts
+var import_ramda7 = require("ramda");
+var PeprValidateRequest = class {
+  Raw;
+  #input;
+  /**
+   * Provides access to the old resource in the request if available.
+   * @returns The old Kubernetes resource object or null if not available.
+   */
+  get OldResource() {
+    return this.#input.oldObject;
   }
-  label() {
-    return { name: this.#name, uid: this.#uid };
+  /**
+   * Provides access to the request object.
+   * @returns The request object containing the Kubernetes resource.
+   */
+  get Request() {
+    return this.#input;
   }
-  stats() {
-    return {
-      queue: this.label(),
-      stats: {
-        length: this.#queue.length
-      }
-    };
+  /**
+   * Creates a new instance of the Action class.
+   * @param input - The request object containing the Kubernetes resource to modify.
+   */
+  constructor(input) {
+    this.#input = input;
+    if (input.operation.toUpperCase() === "DELETE" /* DELETE */) {
+      this.Raw = (0, import_ramda7.clone)(input.oldObject);
+    } else {
+      this.Raw = (0, import_ramda7.clone)(input.object);
+    }
+    if (!this.Raw) {
+      throw new Error("unable to load the request object into PeprRequest.Raw");
+    }
   }
   /**
-   * Enqueue adds an item to the queue and returns a promise that resolves when the item is
-   * reconciled.
+   * Check if a label exists on the Kubernetes resource.
    *
-   * @param item The object to reconcile
-   * @param type The watch phase requested for reconcile
-   * @param reconcile The callback to enqueue for reconcile
-   * @returns A promise that resolves when the object is reconciled
+   * @param key the label key to check
+   * @returns
    */
-  enqueue(item, phase, reconcile) {
-    const note = {
-      queue: this.label(),
-      item: {
-        name: item.metadata?.name,
-        namespace: item.metadata?.namespace,
-        resourceVersion: item.metadata?.resourceVersion
-      }
+  HasLabel = (key) => {
+    return this.Raw.metadata?.labels?.[key] !== void 0;
+  };
+  /**
+   * Check if an annotation exists on the Kubernetes resource.
+   *
+   * @param key the annotation key to check
+   * @returns
+   */
+  HasAnnotation = (key) => {
+    return this.Raw.metadata?.annotations?.[key] !== void 0;
+  };
+  /**
+   * Create a validation response that allows the request.
+   *
+   * @returns The validation response.
+   */
+  Approve = () => {
+    return {
+      allowed: true
     };
-    logger_default.debug(note, "Enqueueing");
-    return new Promise((resolve, reject) => {
-      this.#queue.push({ item, phase, callback: reconcile, resolve, reject });
-      logger_default.debug(this.stats(), "Queue stats - push");
-      return this.#dequeue();
-    });
-  }
+  };
   /**
-   * Dequeue reconciles the next item in the queue
+   * Create a validation response that denies the request.
    *
-   * @returns A promise that resolves when the webapp is reconciled
+   * @param statusMessage Optional status message to return to the user.
+   * @param statusCode Optional status code to return to the user.
+   * @returns The validation response.
    */
-  async #dequeue() {
-    if (this.#pendingPromise) {
-      logger_default.debug("Pending promise, not dequeuing");
-      return false;
-    }
-    const element = this.#queue.shift();
-    if (!element) {
-      logger_default.debug("No element, not dequeuing");
-      return false;
-    }
-    try {
-      this.#pendingPromise = true;
-      const note = {
-        queue: this.label(),
-        item: {
-          name: element.item.metadata?.name,
-          namespace: element.item.metadata?.namespace,
-          resourceVersion: element.item.metadata?.resourceVersion
-        }
-      };
-      logger_default.debug(note, "Reconciling");
-      await element.callback(element.item, element.phase);
-      logger_default.debug(note, "Reconciled");
-      element.resolve();
-    } catch (e) {
-      logger_default.debug(`Error reconciling ${element.item.metadata.name}`, { error: e });
-      element.reject(e);
-    } finally {
-      logger_default.debug(this.stats(), "Queue stats - shift");
-      logger_default.debug("Resetting pending promise and dequeuing");
-      this.#pendingPromise = false;
-      await this.#dequeue();
-    }
-  }
+  Deny = (statusMessage, statusCode) => {
+    return {
+      allowed: false,
+      statusCode,
+      statusMessage
+    };
+  };
 };
 
-// src/lib/processors/watch-processor.ts
-var import_types = require("kubernetes-fluent-client/dist/fluent/types");
-
-// src/lib/finalizer.ts
-var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
-function addFinalizer(request) {
-  if (request.Request.operation === "DELETE" /* DELETE */) {
-    return;
-  }
-  if (request.Request.operation === "UPDATE" /* UPDATE */ && request.Raw.metadata?.deletionTimestamp) {
-    return;
-  }
-  const peprFinal = "pepr.dev/finalizer";
-  const finalizers = request.Raw.metadata?.finalizers || [];
-  if (!finalizers.includes(peprFinal)) {
-    finalizers.push(peprFinal);
-  }
-  request.Merge({ metadata: { finalizers } });
-}
-async function removeFinalizer(binding, obj) {
-  const peprFinal = "pepr.dev/finalizer";
-  const meta = obj.metadata;
-  const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
-  logger_default.debug({ obj }, `Removing finalizer '${peprFinal}' from '${resource}'`);
-  const { model, kind: kind3 } = binding;
+// src/lib/processors/validate-processor.ts
+async function processRequest2(binding, actionMetadata, peprValidateRequest) {
+  const label = binding.validateCallback.name;
+  logger_default.info(actionMetadata, `Processing validation action (${label})`);
+  const valResp = {
+    uid: peprValidateRequest.Request.uid,
+    allowed: true
+    // Assume it's allowed until a validation check fails
+  };
   try {
-    (0, import_kubernetes_fluent_client4.RegisterKind)(model, kind3);
-  } catch (e) {
-    const expected = e.message === `GVK ${model.name} already registered`;
-    if (!expected) {
-      logger_default.error({ model, kind: kind3, error: e }, `Error registering "${kind3}" during finalization.`);
-      return;
+    const callbackResp = await binding.validateCallback(peprValidateRequest);
+    valResp.allowed = callbackResp.allowed;
+    if (callbackResp.statusCode || callbackResp.statusMessage) {
+      valResp.status = {
+        code: callbackResp.statusCode || 400,
+        message: callbackResp.statusMessage || `Validation failed for ${name}`
+      };
     }
+    logger_default.info(actionMetadata, `Validation action complete (${label}): ${callbackResp.allowed ? "allowed" : "denied"}`);
+    return valResp;
+  } catch (e) {
+    logger_default.error(actionMetadata, `Action failed: ${JSON.stringify(e)}`);
+    valResp.allowed = false;
+    valResp.status = {
+      code: 500,
+      message: `Action failed with error: ${JSON.stringify(e)}`
+    };
+    return valResp;
   }
-  const finalizers = meta.finalizers?.filter((f) => f !== peprFinal) || [];
-  obj = await (0, import_kubernetes_fluent_client4.K8s)(model, meta).Patch([
-    {
-      op: "replace",
-      path: `/metadata/finalizers`,
-      value: finalizers
-    }
-  ]);
-  logger_default.debug({ obj }, `Removed finalizer '${peprFinal}' from '${resource}'`);
-}
-
-// src/lib/processors/watch-processor.ts
-var queues = {};
-function queueKey(obj) {
-  const options = ["kind", "kindNs", "kindNsName", "global"];
-  const d3fault = "kind";
-  let strat = process.env.PEPR_RECONCILE_STRATEGY || d3fault;
-  strat = options.includes(strat) ? strat : d3fault;
-  const ns = obj.metadata?.namespace ?? "cluster-scoped";
-  const kind3 = obj.kind ?? "UnknownKind";
-  const name2 = obj.metadata?.name ?? "Unnamed";
-  const lookup = {
-    kind: `${kind3}`,
-    kindNs: `${kind3}/${ns}`,
-    kindNsName: `${kind3}/${ns}/${name2}`,
-    global: "global"
-  };
-  return lookup[strat];
 }
-function getOrCreateQueue(obj) {
-  const key = queueKey(obj);
-  if (!queues[key]) {
-    queues[key] = new Queue(key);
+async function validateProcessor(config, capabilities, req, reqMetadata) {
+  const webhookTimer = new MeasureWebhookTimeout("validate" /* VALIDATE */);
+  webhookTimer.start(config.webhookTimeout);
+  const wrapped = new PeprValidateRequest(req);
+  const response = [];
+  if (req.kind.version === "v1" && req.kind.kind === "Secret") {
+    convertFromBase64Map(wrapped.Raw);
+  }
+  logger_default.info(reqMetadata, `Processing validation request`);
+  for (const { name: name2, bindings, namespaces } of capabilities) {
+    const actionMetadata = { ...reqMetadata, name: name2 };
+    for (const binding of bindings) {
+      if (!binding.validateCallback) {
+        continue;
+      }
+      const shouldSkip = shouldSkipRequest(
+        binding,
+        req,
+        namespaces,
+        resolveIgnoreNamespaces(config?.alwaysIgnore?.namespaces)
+      );
+      if (shouldSkip !== "") {
+        logger_default.debug(shouldSkip);
+        continue;
+      }
+      const resp = await processRequest2(binding, actionMetadata, wrapped);
+      response.push(resp);
+    }
   }
-  return queues[key];
+  webhookTimer.stop();
+  return response;
 }
-var watchCfg = {
-  resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
-  resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10) : 5,
-  lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS ? parseInt(process.env.PEPR_LAST_SEEN_LIMIT_SECONDS, 10) : 300,
-  relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10) : 600
+
+// src/lib/controller/store.ts
+var import_kubernetes_fluent_client5 = require("kubernetes-fluent-client");
+var import_ramda8 = require("ramda");
+
+// src/lib/k8s.ts
+var import_kubernetes_fluent_client3 = require("kubernetes-fluent-client");
+var Store = class extends import_kubernetes_fluent_client3.GenericKind {
 };
-var eventToPhaseMap = {
-  ["CREATE" /* CREATE */]: [import_types.WatchPhase.Added],
-  ["UPDATE" /* UPDATE */]: [import_types.WatchPhase.Modified],
-  ["CREATEORUPDATE" /* CREATE_OR_UPDATE */]: [import_types.WatchPhase.Added, import_types.WatchPhase.Modified],
-  ["DELETE" /* DELETE */]: [import_types.WatchPhase.Deleted],
-  ["*" /* ANY */]: [import_types.WatchPhase.Added, import_types.WatchPhase.Modified, import_types.WatchPhase.Deleted]
+var peprStoreGVK = {
+  kind: "PeprStore",
+  version: "v1",
+  group: "pepr.dev"
 };
-function setupWatch(capabilities, ignoredNamespaces) {
-  capabilities.map(
-    (capability) => capability.bindings.filter((binding) => binding.isWatch).forEach((bindingElement) => runBinding(bindingElement, capability.namespaces, ignoredNamespaces))
-  );
-}
-async function runBinding(binding, capabilityNamespaces, ignoredNamespaces) {
-  const phaseMatch = eventToPhaseMap[binding.event] || eventToPhaseMap["*" /* ANY */];
-  logger_default.debug({ watchCfg }, "Effective WatchConfig");
-  const watchCallback = async (kubernetesObject, phase) => {
-    if (phaseMatch.includes(phase)) {
-      try {
-        const filterMatch = filterNoMatchReason(binding, kubernetesObject, capabilityNamespaces, ignoredNamespaces);
-        if (filterMatch !== "") {
-          logger_default.debug(filterMatch);
-          return;
-        }
-        if (binding.isFinalize) {
-          await handleFinalizerRemoval(kubernetesObject);
-        } else {
-          await binding.watchCallback?.(kubernetesObject, phase);
-        }
-      } catch (e) {
-        logger_default.error(e, "Error executing watch callback");
-      }
-    }
-  };
-  const handleFinalizerRemoval = async (kubernetesObject) => {
-    if (!kubernetesObject.metadata?.deletionTimestamp) {
-      return;
-    }
-    let shouldRemoveFinalizer = true;
-    try {
-      shouldRemoveFinalizer = await binding.finalizeCallback?.(kubernetesObject);
-    } finally {
-      const peprFinal = "pepr.dev/finalizer";
-      const meta = kubernetesObject.metadata;
-      const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
-      if (shouldRemoveFinalizer === false) {
-        logger_default.debug({ obj: kubernetesObject }, `Skipping removal of finalizer '${peprFinal}' from '${resource}'`);
-      } else {
-        await removeFinalizer(binding, kubernetesObject);
-      }
+(0, import_kubernetes_fluent_client3.RegisterKind)(Store, peprStoreGVK);
+
+// src/lib/controller/storeCache.ts
+var import_kubernetes_fluent_client4 = require("kubernetes-fluent-client");
+var import_http_status_codes = require("http-status-codes");
+var sendUpdatesAndFlushCache = async (cache, namespace2, name2) => {
+  const indexes = Object.keys(cache);
+  const payload = Object.values(cache);
+  try {
+    if (payload.length > 0) {
+      await (0, import_kubernetes_fluent_client4.K8s)(Store, { namespace: namespace2, name: name2 }).Patch(updateCacheID(payload));
+      Object.keys(cache).forEach((key) => delete cache[key]);
     }
-  };
-  const watcher = (0, import_kubernetes_fluent_client5.K8s)(binding.model, binding.filters).Watch(async (obj, phase) => {
-    logger_default.debug(obj, `Watch event ${phase} received`);
-    if (binding.isQueue) {
-      const queue = getOrCreateQueue(obj);
-      await queue.enqueue(obj, phase, watchCallback);
+  } catch (err) {
+    logger_default.error(err, "Pepr store update failure");
+    if (err.status === import_http_status_codes.StatusCodes.UNPROCESSABLE_ENTITY) {
+      Object.keys(cache).forEach((key) => delete cache[key]);
     } else {
-      await watchCallback(obj, phase);
+      indexes.forEach((index) => {
+        cache[index] = payload[Number(index)];
+      });
     }
-  }, watchCfg);
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => {
-    logger_default.error(err, "Watch failed after 5 attempts, giving up");
-    process.exit(1);
-  });
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client5.WatchEvent.CONNECT, url));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.DATA_ERROR, err.message));
-  watcher.events.on(
-    import_kubernetes_fluent_client5.WatchEvent.RECONNECT,
-    (retryCount) => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`)
-  );
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client5.WatchEvent.RECONNECT_PENDING));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.GIVE_UP, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.ABORT, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.OLD_RESOURCE_VERSION, err));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.NETWORK_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST_ERROR, err.message));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client5.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.CACHE_MISS, (windowName) => {
-    metricsCollector.incCacheMiss(windowName);
-  });
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.INIT_CACHE_MISS, (windowName) => {
-    metricsCollector.initCacheMissWindow(windowName);
-  });
-  watcher.events.on(import_kubernetes_fluent_client5.WatchEvent.INC_RESYNC_FAILURE_COUNT, (retryCount) => {
-    metricsCollector.incRetryCount(retryCount);
-  });
-  try {
-    await watcher.start();
-  } catch (err) {
-    logger_default.error(err, "Error starting watch");
-    process.exit(1);
   }
-}
-function logEvent(event, message = "", obj) {
-  const logMessage = `Watch event ${event} received${message ? `. ${message}.` : "."}`;
-  if (obj) {
-    logger_default.debug(obj, logMessage);
+  return cache;
+};
+var fillStoreCache = (cache, capabilityName, op, cacheItem) => {
+  const path = [`/data/${capabilityName}`, cacheItem.version, cacheItem.key].filter((str) => str !== "" && str !== void 0).join("-");
+  if (op === "add") {
+    const value = cacheItem.value || "";
+    const cacheIdx = [op, path, value].join(":");
+    cache[cacheIdx] = { op, path, value };
+  } else if (op === "remove") {
+    if (cacheItem.key.length < 1) {
+      throw new Error(`Key is required for REMOVE operation`);
+    }
+    const cacheIndex = [op, path].join(":");
+    cache[cacheIndex] = { op, path };
   } else {
-    logger_default.debug(logMessage);
+    throw new Error(`Unsupported operation: ${op}`);
   }
+  return cache;
+};
+function updateCacheID(payload) {
+  payload.push({
+    op: "replace",
+    path: "/metadata/labels/pepr.dev-cacheID",
+    value: `${Date.now()}`
+  });
+  return payload;
 }
 
-// src/lib/core/module.ts
-var isWatchMode = () => process.env.PEPR_WATCH_MODE === "true";
-var isBuildMode = () => process.env.PEPR_MODE === "build";
-var isDevMode = () => process.env.PEPR_MODE === "dev";
-var PeprModule = class {
-  #controller;
-  /**
-   * Create a new Pepr runtime
-   *
-   * @param config The configuration for the Pepr runtime
-   * @param capabilities The capabilities to be loaded into the Pepr runtime
-   * @param opts Options for the Pepr runtime
-   */
-  constructor({ description, pepr }, capabilities = [], opts = {}) {
-    const config = (0, import_ramda7.clone)(pepr);
-    config.description = description;
-    ValidateError(config.onError);
-    if (isBuildMode()) {
-      if (!process.send) {
-        throw new Error("process.send is not defined");
+// src/lib/controller/store.ts
+var namespace = "pepr-system";
+var debounceBackoffReceive = 1e3;
+var debounceBackoffSend = 4e3;
+var StoreController = class {
+  #name;
+  #stores = {};
+  #sendDebounce;
+  #onReady;
+  constructor(capabilities, name2, onReady) {
+    this.#onReady = onReady;
+    this.#name = name2;
+    const setStorageInstance = (registrationFunction, name3) => {
+      const scheduleStore = registrationFunction();
+      scheduleStore.registerSender(this.#send(name3));
+      this.#stores[name3] = scheduleStore;
+    };
+    if (name2.includes("schedule")) {
+      for (const { name: name3, registerScheduleStore, hasSchedule } of capabilities) {
+        if (hasSchedule === true) {
+          setStorageInstance(registerScheduleStore, name3);
+        }
       }
-      const exportedCapabilities = [];
-      for (const capability of capabilities) {
-        exportedCapabilities.push({
-          name: capability.name,
-          description: capability.description,
-          namespaces: capability.namespaces,
-          bindings: capability.bindings,
-          hasSchedule: capability.hasSchedule
-        });
+    } else {
+      for (const { name: name3, registerStore } of capabilities) {
+        setStorageInstance(registerStore, name3);
       }
-      process.send(exportedCapabilities);
-      return;
     }
-    const controllerHooks = {
-      beforeHook: opts.beforeHook,
-      afterHook: opts.afterHook,
-      onReady: () => {
-        if (isWatchMode() || isDevMode()) {
-          try {
-            setupWatch(capabilities, resolveIgnoreNamespaces(pepr?.alwaysIgnore?.namespaces));
-          } catch (e) {
-            logger_default.error(e, "Error setting up watch");
-            process.exit(1);
+    setTimeout(
+      () => (0, import_kubernetes_fluent_client5.K8s)(Store).InNamespace(namespace).Get(this.#name).then(async (store) => await this.#migrateAndSetupWatch(store)).catch(this.#createStoreResource),
+      Math.random() * 3e3
+      // Add a jitter to the Store creation to avoid collisions
+    );
+  }
+  #setupWatch = () => {
+    const watcher = (0, import_kubernetes_fluent_client5.K8s)(Store, { name: this.#name, namespace }).Watch(this.#receive);
+    watcher.start().catch((e) => logger_default.error(e, "Error starting Pepr store watch"));
+  };
+  #migrateAndSetupWatch = async (store) => {
+    logger_default.debug(redactedStore(store), "Pepr Store migration");
+    await (0, import_kubernetes_fluent_client5.K8s)(Store, { namespace, name: this.#name }).Patch([
+      {
+        op: "add",
+        path: "/metadata/labels/pepr.dev-cacheID",
+        value: `${Date.now()}`
+      }
+    ]);
+    const data = store.data || {};
+    let storeCache = {};
+    for (const name2 of Object.keys(this.#stores)) {
+      const offset = `${name2}-`.length;
+      for (const key of Object.keys(data)) {
+        if ((0, import_ramda8.startsWith)(name2, key) && !(0, import_ramda8.startsWith)(`${name2}-v2`, key)) {
+          storeCache = fillStoreCache(storeCache, name2, "remove", {
+            key: [key.slice(offset)],
+            value: data[key]
+          });
+          storeCache = fillStoreCache(storeCache, name2, "add", {
+            key: [key.slice(offset)],
+            value: data[key],
+            version: "v2"
+          });
+        }
+      }
+    }
+    storeCache = await sendUpdatesAndFlushCache(storeCache, namespace, this.#name);
+    this.#setupWatch();
+  };
+  #receive = (store) => {
+    logger_default.debug(redactedStore(store), "Pepr Store update");
+    const debounced = () => {
+      const data = store.data || {};
+      for (const name2 of Object.keys(this.#stores)) {
+        const offset = `${name2}-`.length;
+        const filtered = {};
+        for (const key of Object.keys(data)) {
+          if ((0, import_ramda8.startsWith)(name2, key)) {
+            filtered[key.slice(offset)] = data[key];
           }
         }
+        this.#stores[name2].receive(filtered);
+      }
+      if (this.#onReady) {
+        this.#onReady();
+        this.#onReady = void 0;
       }
     };
-    this.#controller = new Controller(config, capabilities, controllerHooks);
-    if (opts.deferStart) {
-      return;
-    }
-    this.start();
-  }
-  /**
-   * Start the Pepr runtime manually.
-   * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
-   *
-   * @param port
-   */
-  start = (port = 3e3) => {
-    this.#controller.startServer(port);
+    clearTimeout(this.#sendDebounce);
+    this.#sendDebounce = setTimeout(debounced, this.#onReady ? 0 : debounceBackoffReceive);
   };
-};
-
-// src/lib/core/storage.ts
-var import_ramda8 = require("ramda");
-var import_json_pointer = __toESM(require("json-pointer"));
-var MAX_WAIT_TIME = 15e3;
-var STORE_VERSION_PREFIX = "v2";
-function v2StoreKey(key) {
-  return `${STORE_VERSION_PREFIX}-${import_json_pointer.default.escape(key)}`;
-}
-function v2UnescapedStoreKey(key) {
-  return `${STORE_VERSION_PREFIX}-${key}`;
-}
-var Storage = class {
-  #store = {};
-  #send;
-  #subscribers = {};
-  #subscriberId = 0;
-  #readyHandlers = [];
-  registerSender = (send) => {
-    this.#send = send;
+  #send = (capabilityName) => {
+    let storeCache = {};
+    const sender = async (op, key, value) => {
+      storeCache = fillStoreCache(storeCache, capabilityName, op, { key, value });
+    };
+    setInterval(() => {
+      if (Object.keys(storeCache).length > 0) {
+        logger_default.debug(redactedPatch(storeCache), "Sending updates to Pepr store");
+        void sendUpdatesAndFlushCache(storeCache, namespace, this.#name);
+      }
+    }, debounceBackoffSend);
+    return sender;
   };
-  receive = (data) => {
-    this.#store = data || {};
-    this.#onReady();
-    for (const idx in this.#subscribers) {
-      this.#subscribers[idx]((0, import_ramda8.clone)(this.#store));
+  #createStoreResource = async (e) => {
+    logger_default.info(`Pepr store not found, creating...`);
+    logger_default.debug(e);
+    try {
+      await (0, import_kubernetes_fluent_client5.K8s)(Store).Apply({
+        metadata: {
+          name: this.#name,
+          namespace,
+          labels: {
+            "pepr.dev-cacheID": `${Date.now()}`
+          }
+        },
+        data: {
+          // JSON Patch will die if the data is empty, so we need to add a placeholder
+          __pepr_do_not_delete__: "k-thx-bye"
+        }
+      });
+      this.#setupWatch();
+    } catch (err) {
+      logger_default.error(err, "Failed to create Pepr store");
     }
   };
-  getItem = (key) => {
-    const result = this.#store[v2UnescapedStoreKey(key)] || null;
-    if (result !== null && typeof result !== "function" && typeof result !== "object") {
-      return result;
-    }
-    return null;
+};
+
+// src/lib/controller/index.util.ts
+function karForMutate(mr) {
+  return {
+    apiVersion: "admission.k8s.io/v1",
+    kind: "AdmissionReview",
+    response: mr
   };
-  clear = () => {
-    if (Object.keys(this.#store).length > 0) {
-      this.#dispatchUpdate(
-        "remove",
-        Object.keys(this.#store).map((key) => import_json_pointer.default.escape(key))
-      );
+}
+function karForValidate(ar, vr) {
+  const isAllowed = vr.filter((r) => !r.allowed).length === 0;
+  const resp = vr.length === 0 ? {
+    uid: ar.uid,
+    allowed: true,
+    status: { code: 200, message: "no in-scope validations -- allowed!" }
+  } : {
+    uid: vr[0].uid,
+    allowed: isAllowed,
+    status: {
+      code: isAllowed ? 200 : 422,
+      message: vr.filter((rl) => !rl.allowed).map((curr) => curr.status?.message).join("; ")
     }
   };
-  removeItem = (key) => {
-    this.#dispatchUpdate("remove", [v2StoreKey(key)]);
-  };
-  setItem = (key, value) => {
-    this.#dispatchUpdate("add", [v2StoreKey(key)], value);
+  return {
+    apiVersion: "admission.k8s.io/v1",
+    kind: "AdmissionReview",
+    response: resp
   };
-  /**
-   * Creates a promise and subscribes to the store, the promise resolves when
-   * the key and value are seen in the store.
-   *
-   * @param key - The key to add into the store
-   * @param value - The value of the key
-   * @returns
-   */
-  setItemAndWait = (key, value) => {
-    this.#dispatchUpdate("add", [v2StoreKey(key)], value);
-    const record = {};
-    return new Promise((resolve, reject) => {
-      record.timeout = setTimeout(() => {
-        record.unsubscribe();
-        return reject(`MAX_WAIT_TIME elapsed: Key ${key} not seen in ${MAX_WAIT_TIME / 1e3}s`);
-      }, MAX_WAIT_TIME);
-      record.unsubscribe = this.subscribe((data) => {
-        if (data[`${v2UnescapedStoreKey(key)}`] === value) {
-          record.unsubscribe();
-          clearTimeout(record.timeout);
-          resolve("ok");
-        }
+}
+
+// src/lib/controller/index.ts
+if (!process.env.PEPR_NODE_WARNINGS) {
+  process.removeAllListeners("warning");
+}
+var Controller = class _Controller {
+  // Track whether the server is running
+  #running = false;
+  // Metrics collector
+  #metricsCollector = metricsCollector;
+  // The token used to authenticate requests
+  #token = "";
+  // The express app instance
+  #app = (0, import_express.default)();
+  // Initialized with the constructor
+  #config;
+  #capabilities;
+  #beforeHook;
+  #afterHook;
+  constructor(config, capabilities, hooks = {}) {
+    const { beforeHook, afterHook, onReady } = hooks;
+    this.#config = config;
+    this.#capabilities = capabilities;
+    new StoreController(capabilities, `pepr-${config.uuid}-store`, () => {
+      this.#bindEndpoints();
+      if (typeof onReady === "function") {
+        onReady();
+      }
+      logger_default.info("\u2705 Controller startup complete");
+      new StoreController(capabilities, `pepr-${config.uuid}-schedule`, () => {
+        logger_default.info("\u2705 Scheduling processed");
       });
     });
-  };
-  /**
-   * Creates a promise and subscribes to the store, the promise resolves when
-   * the key is removed from the store.
-   *
-   * @param key - The key to add into the store
-   * @returns
-   */
-  removeItemAndWait = (key) => {
-    this.#dispatchUpdate("remove", [v2StoreKey(key)]);
-    const record = {};
-    return new Promise((resolve, reject) => {
-      record.timeout = setTimeout(() => {
-        record.unsubscribe();
-        return reject(`MAX_WAIT_TIME elapsed: Key ${key} still seen after ${MAX_WAIT_TIME / 1e3}s`);
-      }, MAX_WAIT_TIME);
-      record.unsubscribe = this.subscribe((data) => {
-        if (!Object.hasOwn(data, `${v2UnescapedStoreKey(key)}`)) {
-          record.unsubscribe();
-          clearTimeout(record.timeout);
-          resolve("ok");
-        }
-      });
+    this.#app.use(_Controller.#logger);
+    this.#app.use(import_express.default.json({ limit: "2mb" }));
+    if (beforeHook) {
+      logger_default.info(`Using beforeHook: ${beforeHook}`);
+      this.#beforeHook = beforeHook;
+    }
+    if (afterHook) {
+      logger_default.info(`Using afterHook: ${afterHook}`);
+      this.#afterHook = afterHook;
+    }
+  }
+  /** Start the webhook server */
+  startServer = (port) => {
+    if (this.#running) {
+      throw new Error("Cannot start Pepr module: Pepr module was not instantiated with deferStart=true");
+    }
+    const options = {
+      key: import_fs.default.readFileSync(process.env.SSL_KEY_PATH || "/etc/certs/tls.key"),
+      cert: import_fs.default.readFileSync(process.env.SSL_CERT_PATH || "/etc/certs/tls.crt")
+    };
+    if (!isWatchMode()) {
+      this.#token = process.env.PEPR_API_TOKEN || import_fs.default.readFileSync("/app/api-token/value").toString().trim();
+      logger_default.info(`Using API token: ${this.#token}`);
+      if (!this.#token) {
+        throw new Error("API token not found");
+      }
+    }
+    const server = import_https.default.createServer(options, this.#app).listen(port);
+    server.on("listening", () => {
+      logger_default.info(`Server listening on port ${port}`);
+      this.#running = true;
+    });
+    server.on("error", (e) => {
+      if (e.code === "EADDRINUSE") {
+        logger_default.info(
+          `Address in use, retrying in 2 seconds. If this persists, ensure ${port} is not in use, e.g. "lsof -i :${port}"`
+        );
+        setTimeout(() => {
+          server.close();
+          server.listen(port);
+        }, 2e3);
+      }
+    });
+    process.on("SIGTERM", () => {
+      logger_default.info("Received SIGTERM, closing server");
+      server.close(() => {
+        logger_default.info("Server closed");
+        process.exit(0);
+      });
     });
   };
-  subscribe = (subscriber) => {
-    const idx = this.#subscriberId++;
-    this.#subscribers[idx] = subscriber;
-    return () => this.unsubscribe(idx);
-  };
-  onReady = (callback) => {
-    this.#readyHandlers.push(callback);
-  };
-  /**
-   * Remove a subscriber from the list of subscribers.
-   * @param idx - The index of the subscriber to remove.
-   */
-  unsubscribe = (idx) => {
-    delete this.#subscribers[idx];
-  };
-  #onReady = () => {
-    for (const handler of this.#readyHandlers) {
-      handler((0, import_ramda8.clone)(this.#store));
+  #bindEndpoints = () => {
+    this.#app.get("/healthz", _Controller.#healthz);
+    this.#app.get("/metrics", this.#metrics);
+    if (isWatchMode()) {
+      return;
     }
-    this.#onReady = () => {
-    };
-  };
-  /**
-   * Dispatch an update to the store and notify all subscribers.
-   * @param  op - The type of operation to perform.
-   * @param  keys - The keys to update.
-   * @param  [value] - The new value.
-   */
-  #dispatchUpdate = (op, keys, value) => {
-    this.#send(op, keys, value);
+    this.#app.use(["/mutate/:token", "/validate/:token"], this.#validateToken);
+    this.#app.post("/mutate/:token", this.#admissionReq("Mutate"));
+    this.#app.post("/validate/:token", this.#admissionReq("Validate"));
   };
-};
-
-// src/lib/core/schedule.ts
-var OnSchedule = class {
-  intervalId = null;
-  store;
-  name;
-  completions;
-  every;
-  unit;
-  run;
-  startTime;
-  duration;
-  lastTimestamp;
-  constructor(schedule) {
-    this.name = schedule.name;
-    this.run = schedule.run;
-    this.every = schedule.every;
-    this.unit = schedule.unit;
-    this.startTime = schedule?.startTime;
-    this.completions = schedule?.completions;
-  }
-  setStore(store) {
-    this.store = store;
-    this.startInterval();
-  }
-  startInterval() {
-    this.checkStore();
-    this.getDuration();
-    this.setupInterval();
-  }
-  /**
-   * Checks the store for this schedule and sets the values if it exists
-   * @returns
-   */
-  checkStore() {
-    const result = this.store && this.store.getItem(this.name);
-    if (result) {
-      const storedSchedule = JSON.parse(result);
-      this.completions = storedSchedule?.completions;
-      this.startTime = storedSchedule?.startTime;
-      this.lastTimestamp = storedSchedule?.lastTimestamp;
-    }
-  }
   /**
-   * Saves the schedule to the store
+   * Validate the token in the request path
+   *
+   * @param req The incoming request
+   * @param res The outgoing response
+   * @param next The next middleware function
    * @returns
    */
-  saveToStore() {
-    const schedule = {
-      completions: this.completions,
-      startTime: this.startTime,
-      lastTimestamp: /* @__PURE__ */ new Date(),
-      name: this.name
-    };
-    if (this.store) this.store.setItem(this.name, JSON.stringify(schedule));
-  }
-  /**
-   * Gets the durations in milliseconds
-   */
-  getDuration() {
-    switch (this.unit) {
-      case "seconds":
-        if (this.every < 10) throw new Error("10 Seconds in the smallest interval allowed");
-        this.duration = 1e3 * this.every;
-        break;
-      case "minutes":
-      case "minute":
-        this.duration = 1e3 * 60 * this.every;
-        break;
-      case "hours":
-      case "hour":
-        this.duration = 1e3 * 60 * 60 * this.every;
-        break;
-      default:
-        throw new Error("Invalid time unit");
+  #validateToken = (req, res, next) => {
+    const { token } = req.params;
+    if (token !== this.#token) {
+      const err = `Unauthorized: invalid token '${token.replace(/[^\w]/g, "_")}'`;
+      logger_default.info(err);
+      res.status(401).send(err);
+      this.#metricsCollector.alert();
+      return;
     }
-  }
+    next();
+  };
   /**
-   * Sets up the interval
+   * Metrics endpoint handler
+   *
+   * @param req the incoming request
+   * @param res the outgoing response
    */
-  setupInterval() {
-    const now = /* @__PURE__ */ new Date();
-    let delay;
-    if (this.lastTimestamp && this.startTime) {
-      this.startTime = void 0;
-    }
-    if (this.startTime) {
-      delay = this.startTime.getTime() - now.getTime();
-    } else if (this.lastTimestamp && this.duration) {
-      const lastTimestamp = new Date(this.lastTimestamp);
-      delay = this.duration - (now.getTime() - lastTimestamp.getTime());
-    }
-    if (delay === void 0 || delay <= 0) {
-      this.start();
-    } else {
-      setTimeout(() => {
-        this.start();
-      }, delay);
+  #metrics = async (req, res) => {
+    try {
+      res.set("Content-Type", "text/plain; version=0.0.4");
+      res.send(await this.#metricsCollector.getMetrics());
+    } catch (err) {
+      logger_default.error(err, `Error getting metrics`);
+      res.status(500).send("Internal Server Error");
     }
-  }
+  };
   /**
-   * Starts the interval
+   * Admission request handler for both mutate and validate requests
+   *
+   * @param admissionKind the type of admission request
+   * @returns the request handler
    */
-  start() {
-    this.intervalId = setInterval(() => {
-      if (this.completions === 0) {
-        this.stop();
-        return;
-      } else {
-        this.run();
-        if (this.completions && this.completions !== 0) {
-          this.completions -= 1;
+  #admissionReq = (admissionKind) => {
+    return async (req, res) => {
+      const startTime = MetricsCollector.observeStart();
+      try {
+        const request = req.body?.request || {};
+        const { name: name2, namespace: namespace2, gvk } = {
+          name: request?.name ? `/${request.name}` : "",
+          namespace: request?.namespace || "",
+          gvk: request?.kind || { group: "", version: "", kind: "" }
+        };
+        const reqMetadata = { uid: request.uid, namespace: namespace2, name: name2 };
+        logger_default.info({ ...reqMetadata, gvk, operation: request.operation, admissionKind }, "Incoming request");
+        logger_default.debug({ ...reqMetadata, request }, "Incoming request body");
+        if (typeof this.#beforeHook === "function") {
+          this.#beforeHook(request || {});
         }
-        this.saveToStore();
+        const response = admissionKind === "Mutate" ? await mutateProcessor(this.#config, this.#capabilities, request, reqMetadata) : await validateProcessor(this.#config, this.#capabilities, request, reqMetadata);
+        [response].flat().map((res2) => {
+          if (typeof this.#afterHook === "function") {
+            this.#afterHook(res2);
+          }
+          logger_default.info({ ...reqMetadata, res: res2 }, "Check response");
+        });
+        const kar = admissionKind === "Mutate" ? karForMutate(response) : karForValidate(request, response);
+        logger_default.debug({ ...reqMetadata, kubeAdmissionResponse: kar.response }, "Outgoing response");
+        res.send(kar);
+        this.#metricsCollector.observeEnd(startTime, admissionKind);
+      } catch (err) {
+        logger_default.error(err, `Error processing ${admissionKind} request`);
+        res.status(500).send("Internal Server Error");
+        this.#metricsCollector.error();
       }
-    }, this.duration);
-  }
-  /**
-   * Stops the interval
-   */
-  stop() {
-    if (this.intervalId) {
-      clearInterval(this.intervalId);
-      this.intervalId = null;
-    }
-    if (this.store) this.store.removeItem(this.name);
-  }
-};
-
-// src/lib/core/capability.ts
-var registerAdmission = isBuildMode() || !isWatchMode();
-var registerWatch = isBuildMode() || isWatchMode() || isDevMode();
-var Capability = class {
-  #name;
-  #description;
-  #namespaces;
-  #bindings = [];
-  #store = new Storage();
-  #scheduleStore = new Storage();
-  #registered = false;
-  #scheduleRegistered = false;
-  hasSchedule;
+    };
+  };
   /**
-   * Run code on a schedule with the capability.
+   * Middleware for logging requests
    *
-   * @param schedule The schedule to run the code on
-   * @returns
+   * @param req the incoming request
+   * @param res the outgoing response
+   * @param next the next middleware function
    */
-  OnSchedule = (schedule) => {
-    const { name: name2, every, unit, run, startTime, completions } = schedule;
-    this.hasSchedule = true;
-    if (process.env.PEPR_WATCH_MODE === "true" || process.env.PEPR_MODE === "dev") {
-      const newSchedule = {
-        name: name2,
-        every,
-        unit,
-        run,
-        startTime,
-        completions
+  static #logger(req, res, next) {
+    const startTime = Date.now();
+    res.on("finish", () => {
+      const excludedRoutes = ["/healthz", "/metrics"];
+      if (excludedRoutes.includes(req.originalUrl)) {
+        return;
+      }
+      const elapsedTime = Date.now() - startTime;
+      const message = {
+        uid: req.body?.request?.uid,
+        method: req.method,
+        url: req.originalUrl,
+        status: res.statusCode,
+        duration: `${elapsedTime} ms`
       };
-      this.#scheduleStore.onReady(() => {
-        new OnSchedule(newSchedule).setStore(this.#scheduleStore);
-      });
-    }
-  };
-  getScheduleStore() {
-    return this.#scheduleStore;
+      logger_default.info(message);
+    });
+    next();
   }
   /**
-   * Store is a key-value data store that can be used to persist data that should be shared
-   * between requests. Each capability has its own store, and the data is persisted in Kubernetes
-   * in the `pepr-system` namespace.
-   *
-   * Note: You should only access the store from within an action.
-   */
-  Store = {
-    clear: this.#store.clear,
-    getItem: this.#store.getItem,
-    removeItem: this.#store.removeItem,
-    removeItemAndWait: this.#store.removeItemAndWait,
-    setItem: this.#store.setItem,
-    subscribe: this.#store.subscribe,
-    onReady: this.#store.onReady,
-    setItemAndWait: this.#store.setItemAndWait
-  };
-  /**
-   * ScheduleStore is a key-value data store used to persist schedule data that should be shared
-   * between intervals. Each Schedule shares store, and the data is persisted in Kubernetes
-   * in the `pepr-system` namespace.
+   * Health check endpoint handler
    *
-   * Note: There is no direct access to schedule store
+   * @param req the incoming request
+   * @param res the outgoing response
    */
-  ScheduleStore = {
-    clear: this.#scheduleStore.clear,
-    getItem: this.#scheduleStore.getItem,
-    removeItemAndWait: this.#scheduleStore.removeItemAndWait,
-    removeItem: this.#scheduleStore.removeItem,
-    setItemAndWait: this.#scheduleStore.setItemAndWait,
-    setItem: this.#scheduleStore.setItem,
-    subscribe: this.#scheduleStore.subscribe,
-    onReady: this.#scheduleStore.onReady
-  };
-  get bindings() {
-    return this.#bindings;
+  static #healthz(req, res) {
+    try {
+      res.send("OK");
+    } catch (err) {
+      logger_default.error(err, `Error processing health check`);
+      res.status(500).send("Internal Server Error");
+    }
   }
-  get name() {
-    return this.#name;
+};
+
+// src/lib/errors.ts
+var ErrorList = Object.values(OnError);
+function ValidateError(error = "") {
+  if (!ErrorList.includes(error)) {
+    throw new Error(`Invalid error: ${error}. Must be one of: ${ErrorList.join(", ")}`);
   }
-  get description() {
-    return this.#description;
+}
+
+// src/lib/processors/watch-processor.ts
+var import_kubernetes_fluent_client6 = require("kubernetes-fluent-client");
+
+// src/lib/core/queue.ts
+var import_node_crypto = require("node:crypto");
+var Queue = class {
+  #name;
+  #uid;
+  #queue = [];
+  #pendingPromise = false;
+  constructor(name2) {
+    this.#name = name2;
+    this.#uid = `${Date.now()}-${(0, import_node_crypto.randomBytes)(2).toString("hex")}`;
   }
-  get namespaces() {
-    return this.#namespaces || [];
+  label() {
+    return { name: this.#name, uid: this.#uid };
   }
-  constructor(cfg) {
-    this.#name = cfg.name;
-    this.#description = cfg.description;
-    this.#namespaces = cfg.namespaces;
-    this.hasSchedule = false;
-    logger_default.info(`Capability ${this.#name} registered`);
-    logger_default.debug(cfg);
+  stats() {
+    return {
+      queue: this.label(),
+      stats: {
+        length: this.#queue.length
+      }
+    };
   }
   /**
-   * Register the store with the capability. This is called automatically by the Pepr controller.
-   */
-  registerScheduleStore = () => {
-    logger_default.info(`Registering schedule store for ${this.#name}`);
-    if (this.#scheduleRegistered) {
-      throw new Error(`Schedule store already registered for ${this.#name}`);
-    }
-    this.#scheduleRegistered = true;
-    return this.#scheduleStore;
-  };
-  /**
-   * Register the store with the capability. This is called automatically by the Pepr controller.
+   * Enqueue adds an item to the queue and returns a promise that resolves when the item is
+   * reconciled.
    *
-   * @param store
+   * @param item The object to reconcile
+   * @param type The watch phase requested for reconcile
+   * @param reconcile The callback to enqueue for reconcile
+   * @returns A promise that resolves when the object is reconciled
    */
-  registerStore = () => {
-    logger_default.info(`Registering store for ${this.#name}`);
-    if (this.#registered) {
-      throw new Error(`Store already registered for ${this.#name}`);
-    }
-    this.#registered = true;
-    return this.#store;
-  };
+  enqueue(item, phase, reconcile) {
+    const note = {
+      queue: this.label(),
+      item: {
+        name: item.metadata?.name,
+        namespace: item.metadata?.namespace,
+        resourceVersion: item.metadata?.resourceVersion
+      }
+    };
+    logger_default.debug(note, "Enqueueing");
+    return new Promise((resolve, reject) => {
+      this.#queue.push({ item, phase, callback: reconcile, resolve, reject });
+      logger_default.debug(this.stats(), "Queue stats - push");
+      return this.#dequeue();
+    });
+  }
   /**
-   * The When method is used to register a action to be executed when a Kubernetes resource is
-   * processed by Pepr. The action will be executed if the resource matches the specified kind and any
-   * filters that are applied.
+   * Dequeue reconciles the next item in the queue
    *
-   * @param model the KubernetesObject model to match
-   * @param kind if using a custom KubernetesObject not available in `a.*`, specify the GroupVersionKind
-   * @returns
+   * @returns A promise that resolves when the webapp is reconciled
    */
-  When = (model, kind3) => {
-    const matchedKind = (0, import_kubernetes_fluent_client6.modelToGroupVersionKind)(model.name);
-    if (!matchedKind && !kind3) {
-      throw new Error(`Kind not specified for ${model.name}`);
+  async #dequeue() {
+    if (this.#pendingPromise) {
+      logger_default.debug("Pending promise, not dequeuing");
+      return false;
     }
-    const binding = {
-      model,
-      // If the kind is not specified, use the matched kind from the model
-      kind: kind3 || matchedKind,
-      event: "*" /* ANY */,
-      filters: {
-        name: "",
-        namespaces: [],
-        regexNamespaces: [],
-        regexName: "",
-        labels: {},
-        annotations: {},
-        deletionTimestamp: false
-      }
-    };
-    const bindings = this.#bindings;
-    const prefix = `${this.#name}: ${model.name}`;
-    const commonChain = { WithLabel, WithAnnotation, WithDeletionTimestamp, Mutate, Validate, Watch, Reconcile, Alias };
-    const isNotEmpty = (value) => Object.keys(value).length > 0;
-    const log = (message, cbString) => {
-      const filteredObj = (0, import_ramda9.pickBy)(isNotEmpty, binding.filters);
-      logger_default.info(`${message} configured for ${binding.event}`, prefix);
-      logger_default.info(filteredObj, prefix);
-      logger_default.debug(cbString, prefix);
-    };
-    function Validate(validateCallback) {
-      if (registerAdmission) {
-        log("Validate Action", validateCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isValidate: true,
-          validateCallback: async (req, logger = aliasLogger) => {
-            logger_default.info(`Executing validate action with alias: ${binding.alias || "no alias provided"}`);
-            return await validateCallback(req, logger);
-          }
-        });
+    const element = this.#queue.shift();
+    if (!element) {
+      logger_default.debug("No element, not dequeuing");
+      return false;
+    }
+    try {
+      this.#pendingPromise = true;
+      const note = {
+        queue: this.label(),
+        item: {
+          name: element.item.metadata?.name,
+          namespace: element.item.metadata?.namespace,
+          resourceVersion: element.item.metadata?.resourceVersion
+        }
+      };
+      logger_default.debug(note, "Reconciling");
+      await element.callback(element.item, element.phase);
+      logger_default.debug(note, "Reconciled");
+      element.resolve();
+    } catch (e) {
+      logger_default.debug(`Error reconciling ${element.item.metadata.name}`, { error: e });
+      element.reject(e);
+    } finally {
+      logger_default.debug(this.stats(), "Queue stats - shift");
+      logger_default.debug("Resetting pending promise and dequeuing");
+      this.#pendingPromise = false;
+      await this.#dequeue();
+    }
+  }
+};
+
+// src/lib/processors/watch-processor.ts
+var import_types = require("kubernetes-fluent-client/dist/fluent/types");
+var queues = {};
+function queueKey(obj) {
+  const options = ["kind", "kindNs", "kindNsName", "global"];
+  const d3fault = "kind";
+  let strat = process.env.PEPR_RECONCILE_STRATEGY || d3fault;
+  strat = options.includes(strat) ? strat : d3fault;
+  const ns = obj.metadata?.namespace ?? "cluster-scoped";
+  const kind3 = obj.kind ?? "UnknownKind";
+  const name2 = obj.metadata?.name ?? "Unnamed";
+  const lookup = {
+    kind: `${kind3}`,
+    kindNs: `${kind3}/${ns}`,
+    kindNsName: `${kind3}/${ns}/${name2}`,
+    global: "global"
+  };
+  return lookup[strat];
+}
+function getOrCreateQueue(obj) {
+  const key = queueKey(obj);
+  if (!queues[key]) {
+    queues[key] = new Queue(key);
+  }
+  return queues[key];
+}
+var watchCfg = {
+  resyncFailureMax: process.env.PEPR_RESYNC_FAILURE_MAX ? parseInt(process.env.PEPR_RESYNC_FAILURE_MAX, 10) : 5,
+  resyncDelaySec: process.env.PEPR_RESYNC_DELAY_SECONDS ? parseInt(process.env.PEPR_RESYNC_DELAY_SECONDS, 10) : 5,
+  lastSeenLimitSeconds: process.env.PEPR_LAST_SEEN_LIMIT_SECONDS ? parseInt(process.env.PEPR_LAST_SEEN_LIMIT_SECONDS, 10) : 300,
+  relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10) : 600
+};
+var eventToPhaseMap = {
+  ["CREATE" /* CREATE */]: [import_types.WatchPhase.Added],
+  ["UPDATE" /* UPDATE */]: [import_types.WatchPhase.Modified],
+  ["CREATEORUPDATE" /* CREATE_OR_UPDATE */]: [import_types.WatchPhase.Added, import_types.WatchPhase.Modified],
+  ["DELETE" /* DELETE */]: [import_types.WatchPhase.Deleted],
+  ["*" /* ANY */]: [import_types.WatchPhase.Added, import_types.WatchPhase.Modified, import_types.WatchPhase.Deleted]
+};
+function setupWatch(capabilities, ignoredNamespaces) {
+  capabilities.map(
+    (capability) => capability.bindings.filter((binding) => binding.isWatch).forEach((bindingElement) => runBinding(bindingElement, capability.namespaces, ignoredNamespaces))
+  );
+}
+async function runBinding(binding, capabilityNamespaces, ignoredNamespaces) {
+  const phaseMatch = eventToPhaseMap[binding.event] || eventToPhaseMap["*" /* ANY */];
+  logger_default.debug({ watchCfg }, "Effective WatchConfig");
+  const watchCallback = async (kubernetesObject, phase) => {
+    if (phaseMatch.includes(phase)) {
+      try {
+        const filterMatch = filterNoMatchReason(binding, kubernetesObject, capabilityNamespaces, ignoredNamespaces);
+        if (filterMatch !== "") {
+          logger_default.debug(filterMatch);
+          return;
+        }
+        if (binding.isFinalize) {
+          await handleFinalizerRemoval(kubernetesObject);
+        } else {
+          await binding.watchCallback?.(kubernetesObject, phase);
+        }
+      } catch (e) {
+        logger_default.error(e, "Error executing watch callback");
       }
-      return { Watch, Reconcile };
     }
-    function Mutate(mutateCallback) {
-      if (registerAdmission) {
-        log("Mutate Action", mutateCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isMutate: true,
-          mutateCallback: async (req, logger = aliasLogger) => {
-            logger_default.info(`Executing mutation action with alias: ${binding.alias || "no alias provided"}`);
-            await mutateCallback(req, logger);
-          }
-        });
-      }
-      return { Watch, Validate, Reconcile };
+  };
+  const handleFinalizerRemoval = async (kubernetesObject) => {
+    if (!kubernetesObject.metadata?.deletionTimestamp) {
+      return;
     }
-    function Watch(watchCallback) {
-      if (registerWatch) {
-        log("Watch Action", watchCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isWatch: true,
-          watchCallback: async (update, phase, logger = aliasLogger) => {
-            logger_default.info(`Executing watch action with alias: ${binding.alias || "no alias provided"}`);
-            await watchCallback(update, phase, logger);
-          }
-        });
+    let shouldRemoveFinalizer = true;
+    try {
+      shouldRemoveFinalizer = await binding.finalizeCallback?.(kubernetesObject);
+    } finally {
+      const peprFinal = "pepr.dev/finalizer";
+      const meta = kubernetesObject.metadata;
+      const resource = `${meta.namespace || "ClusterScoped"}/${meta.name}`;
+      if (shouldRemoveFinalizer === false) {
+        logger_default.debug({ obj: kubernetesObject }, `Skipping removal of finalizer '${peprFinal}' from '${resource}'`);
+      } else {
+        await removeFinalizer(binding, kubernetesObject);
       }
-      return { Finalize };
     }
-    function Reconcile(reconcileCallback) {
-      if (registerWatch) {
-        log("Reconcile Action", reconcileCallback.toString());
-        const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-        bindings.push({
-          ...binding,
-          isWatch: true,
-          isQueue: true,
-          watchCallback: async (update, phase, logger = aliasLogger) => {
-            logger_default.info(`Executing reconcile action with alias: ${binding.alias || "no alias provided"}`);
-            await reconcileCallback(update, phase, logger);
-          }
+  };
+  const watcher = (0, import_kubernetes_fluent_client6.K8s)(binding.model, binding.filters).Watch(async (obj, phase) => {
+    logger_default.debug(obj, `Watch event ${phase} received`);
+    if (binding.isQueue) {
+      const queue = getOrCreateQueue(obj);
+      await queue.enqueue(obj, phase, watchCallback);
+    } else {
+      await watchCallback(obj, phase);
+    }
+  }, watchCfg);
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => {
+    logger_default.error(err, "Watch failed after 5 attempts, giving up");
+    process.exit(1);
+  });
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CONNECT, (url) => logEvent(import_kubernetes_fluent_client6.WatchEvent.CONNECT, url));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.DATA_ERROR, err.message));
+  watcher.events.on(
+    import_kubernetes_fluent_client6.WatchEvent.RECONNECT,
+    (retryCount) => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT, `Reconnecting after ${retryCount} attempt${retryCount === 1 ? "" : "s"}`)
+  );
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING, () => logEvent(import_kubernetes_fluent_client6.WatchEvent.RECONNECT_PENDING));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.GIVE_UP, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.ABORT, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.ABORT, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.OLD_RESOURCE_VERSION, err));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.NETWORK_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, (err) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST_ERROR, err.message));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.LIST, (list) => logEvent(import_kubernetes_fluent_client6.WatchEvent.LIST, JSON.stringify(list, void 0, 2)));
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.CACHE_MISS, (windowName) => {
+    metricsCollector.incCacheMiss(windowName);
+  });
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INIT_CACHE_MISS, (windowName) => {
+    metricsCollector.initCacheMissWindow(windowName);
+  });
+  watcher.events.on(import_kubernetes_fluent_client6.WatchEvent.INC_RESYNC_FAILURE_COUNT, (retryCount) => {
+    metricsCollector.incRetryCount(retryCount);
+  });
+  try {
+    await watcher.start();
+  } catch (err) {
+    logger_default.error(err, "Error starting watch");
+    process.exit(1);
+  }
+}
+function logEvent(event, message = "", obj) {
+  const logMessage = `Watch event ${event} received${message ? `. ${message}.` : "."}`;
+  if (obj) {
+    logger_default.debug(obj, logMessage);
+  } else {
+    logger_default.debug(logMessage);
+  }
+}
+
+// src/lib/core/module.ts
+var PeprModule = class {
+  #controller;
+  /**
+   * Create a new Pepr runtime
+   *
+   * @param config The configuration for the Pepr runtime
+   * @param capabilities The capabilities to be loaded into the Pepr runtime
+   * @param opts Options for the Pepr runtime
+   */
+  constructor({ description, pepr }, capabilities = [], opts = {}) {
+    const config = (0, import_ramda9.clone)(pepr);
+    config.description = description;
+    ValidateError(config.onError);
+    if (isBuildMode()) {
+      if (!process.send) {
+        throw new Error("process.send is not defined");
+      }
+      const exportedCapabilities = [];
+      for (const capability of capabilities) {
+        exportedCapabilities.push({
+          name: capability.name,
+          description: capability.description,
+          namespaces: capability.namespaces,
+          bindings: capability.bindings,
+          hasSchedule: capability.hasSchedule
         });
       }
-      return { Finalize };
+      process.send(exportedCapabilities);
+      return;
     }
-    function Finalize(finalizeCallback) {
-      log("Finalize Action", finalizeCallback.toString());
-      const aliasLogger = logger_default.child({ alias: binding.alias || "no alias provided" });
-      if (registerAdmission) {
-        const mutateBinding = {
-          ...binding,
-          isMutate: true,
-          isFinalize: true,
-          event: "*" /* ANY */,
-          mutateCallback: addFinalizer
-        };
-        bindings.push(mutateBinding);
-      }
-      if (registerWatch) {
-        const watchBinding = {
-          ...binding,
-          isWatch: true,
-          isFinalize: true,
-          event: "UPDATE" /* UPDATE */,
-          finalizeCallback: async (update, logger = aliasLogger) => {
-            logger_default.info(`Executing finalize action with alias: ${binding.alias || "no alias provided"}`);
-            return await finalizeCallback(update, logger);
+    const controllerHooks = {
+      beforeHook: opts.beforeHook,
+      afterHook: opts.afterHook,
+      onReady: () => {
+        if (isWatchMode() || isDevMode()) {
+          try {
+            setupWatch(capabilities, resolveIgnoreNamespaces(pepr?.alwaysIgnore?.namespaces));
+          } catch (e) {
+            logger_default.error(e, "Error setting up watch");
+            process.exit(1);
           }
-        };
-        bindings.push(watchBinding);
+        }
       }
-    }
-    function InNamespace(...namespaces) {
-      logger_default.debug(`Add namespaces filter ${namespaces}`, prefix);
-      binding.filters.namespaces.push(...namespaces);
-      return { ...commonChain, WithName, WithNameRegex };
-    }
-    function InNamespaceRegex(...namespaces) {
-      logger_default.debug(`Add regex namespaces filter ${namespaces}`, prefix);
-      binding.filters.regexNamespaces.push(...namespaces.map((regex) => regex.source));
-      return { ...commonChain, WithName, WithNameRegex };
-    }
-    function WithDeletionTimestamp() {
-      logger_default.debug("Add deletionTimestamp filter");
-      binding.filters.deletionTimestamp = true;
-      return commonChain;
-    }
-    function WithNameRegex(regexName) {
-      logger_default.debug(`Add regex name filter ${regexName}`, prefix);
-      binding.filters.regexName = regexName.source;
-      return commonChain;
-    }
-    function WithName(name2) {
-      logger_default.debug(`Add name filter ${name2}`, prefix);
-      binding.filters.name = name2;
-      return commonChain;
-    }
-    function WithLabel(key, value = "") {
-      logger_default.debug(`Add label filter ${key}=${value}`, prefix);
-      binding.filters.labels[key] = value;
-      return commonChain;
-    }
-    function WithAnnotation(key, value = "") {
-      logger_default.debug(`Add annotation filter ${key}=${value}`, prefix);
-      binding.filters.annotations[key] = value;
-      return commonChain;
-    }
-    function Alias(alias) {
-      logger_default.debug(`Adding prefix alias ${alias}`, prefix);
-      binding.alias = alias;
-      return commonChain;
-    }
-    function bindEvent(event) {
-      binding.event = event;
-      return {
-        ...commonChain,
-        InNamespace,
-        InNamespaceRegex,
-        WithName,
-        WithNameRegex,
-        WithDeletionTimestamp,
-        Alias
-      };
-    }
-    return {
-      IsCreatedOrUpdated: () => bindEvent("CREATEORUPDATE" /* CREATE_OR_UPDATE */),
-      IsCreated: () => bindEvent("CREATE" /* CREATE */),
-      IsUpdated: () => bindEvent("UPDATE" /* UPDATE */),
-      IsDeleted: () => bindEvent("DELETE" /* DELETE */)
     };
+    this.#controller = new Controller(config, capabilities, controllerHooks);
+    if (opts.deferStart) {
+      return;
+    }
+    this.start();
+  }
+  /**
+   * Start the Pepr runtime manually.
+   * Normally this is called automatically when the Pepr module is instantiated, but can be called manually if `deferStart` is set to `true` in the constructor.
+   *
+   * @param port
+   */
+  start = (port = 3e3) => {
+    this.#controller.startServer(port);
   };
 };