pepr 0.6.1 → 0.7.1

package/README.md

@@ -40,10 +40,20 @@ When(a.ConfigMap)
   });
 ```
 
+## Prerequisites
+
+- [Node.js](https://nodejs.org/en/) v18.0.0+.
+
+  > _Recommend installing with [NVM](https://github.com/nvm-sh/nvm) or [NVM for Windows](https://github.com/coreybutler/nvm-windows) to avoid permission issues when installing the Pepr CLI globally._
+
+- Recommended (optional) tools:
+  - [Visual Studio Code](https://code.visualstudio.com/) for inline debugging and [Pepr Capabilities](#capability) creation.
+  - A Kubernetes cluster for `pepr dev`. Pepr modules include `npm run k3d-setup` if you want to test locally with [K3d](https://k3d.io/) and [Docker](https://www.docker.com/).
+
 ## Wow too many words! tl;dr;
 
 ```bash
-# Install Pepr (you can also use npx)
+# Install Pepr globally. If this command requires sudo, see the Prerequisites section to install Node.js with NVM or NVM for Windows.
 npm i -g pepr
 
 # Initialize a new Pepr Module
@@ -95,6 +105,7 @@ For example, a CapabilityAction could be responsible for adding a specific label
 See [CapabilityActions](./docs/actions.md) for more details.
 
 ## Logical Pepr Flow
+
 ![Module Diagram](./.images/modules.svg)
 
 ## TypeScript

package/dist/cli.js

@@ -91,14 +91,17 @@ var banner = `\x1B[107;40m\x1B[38;5;016m \x1B[38;5;016m \x1B[38;5;016m \x1B[38;5
     \x1B[0m`;
 
 // src/cli/build.ts
+var import_child_process2 = require("child_process");
 var import_esbuild = require("esbuild");
-var import_fs2 = require("fs");
+var import_fs3 = require("fs");
 var import_path = require("path");
-var import_child_process = require("child_process");
 
 // src/lib/k8s/webhook.ts
 var import_client_node = require("@kubernetes/client-node");
+var import_child_process = require("child_process");
 var import_crypto = __toESM(require("crypto"));
+var import_fs = require("fs");
+var import_ramda = require("ramda");
 var import_zlib = require("zlib");
 
 // src/lib/logger.ts
@@ -187,6 +190,14 @@ if (process.env.LOG_LEVEL) {
 }
 var logger_default = Log;
 
+// src/lib/types.ts
+var ErrorBehavior = /* @__PURE__ */ ((ErrorBehavior2) => {
+  ErrorBehavior2["ignore"] = "ignore";
+  ErrorBehavior2["audit"] = "audit";
+  ErrorBehavior2["reject"] = "reject";
+  return ErrorBehavior2;
+})(ErrorBehavior || {});
+
 // src/lib/k8s/tls.ts
 var import_node_forge = __toESM(require("node-forge"));
 var caName = "Pepr Ephemeral CA";
@@ -338,7 +349,63 @@ var Webhook = class {
       }
     };
   }
-  mutatingWebhook(timeoutSeconds = 10) {
+  generateWebhookRules(path) {
+    return new Promise((resolve4, reject) => {
+      const rules = [];
+      const defaultRule = {
+        apiGroups: ["*"],
+        apiVersions: ["*"],
+        operations: ["CREATE", "UPDATE", "DELETE"],
+        resources: ["*/*"]
+      };
+      const program2 = (0, import_child_process.fork)(path, {
+        env: {
+          ...process.env,
+          LOG_LEVEL: "warn",
+          PEPR_MODE: "build"
+        }
+      });
+      program2.on("message", (message) => {
+        const { capabilities } = message.valueOf();
+        for (const capability of capabilities) {
+          logger_default.info(`Module ${this.config.uuid} has capability: ${capability._name}`);
+          const { _bindings } = capability;
+          for (const binding of _bindings) {
+            const { event, kind } = binding;
+            const operations = [];
+            if (event === "CREATEORUPDATE" /* CreateOrUpdate */) {
+              operations.push("CREATE" /* Create */, "UPDATE" /* Update */);
+            } else {
+              operations.push(event);
+            }
+            const resource = kind.plural || `${kind.kind.toLowerCase()}s`;
+            rules.push({
+              apiGroups: [kind.group],
+              apiVersions: [kind.version || "*"],
+              operations,
+              resources: [resource]
+            });
+          }
+        }
+      });
+      program2.on("exit", (code) => {
+        if (code !== 0) {
+          reject(new Error(`Child process exited with code ${code}`));
+        } else {
+          if (rules.length < 1) {
+            resolve4([defaultRule]);
+          } else {
+            const reducedRules = (0, import_ramda.uniqWith)(import_ramda.equals, rules);
+            resolve4(reducedRules);
+          }
+        }
+      });
+      program2.on("error", (error) => {
+        reject(error);
+      });
+    });
+  }
+  async mutatingWebhook(path, timeoutSeconds = 10) {
     const { name } = this;
     const ignore = [peprIgnore];
     if (this.config.alwaysIgnore.namespaces && this.config.alwaysIgnore.namespaces.length > 0) {
@@ -360,6 +427,7 @@ var Webhook = class {
         path: "/mutate"
       };
     }
+    const rules = await this.generateWebhookRules(path);
     return {
       apiVersion: "admissionregistration.k8s.io/v1",
       kind: "MutatingWebhookConfiguration",
@@ -378,15 +446,7 @@ var Webhook = class {
           objectSelector: {
             matchExpressions: ignore
           },
-          // @todo: make this configurable
-          rules: [
-            {
-              apiGroups: ["*"],
-              apiVersions: ["*"],
-              operations: ["CREATE", "UPDATE", "DELETE"],
-              resources: ["*/*"]
-            }
-          ],
+          rules,
           // @todo: track side effects state
           sideEffects: "None"
         }
@@ -581,8 +641,10 @@ var Webhook = class {
     };
     return (0, import_client_node.dumpYaml)(zarfCfg, { noRefs: true });
   }
-  allYaml(code) {
+  async allYaml(path) {
+    const code = await import_fs.promises.readFile(path);
     const hash = import_crypto.default.createHash("sha256").update(code).digest("hex");
+    const webhook = await this.mutatingWebhook(path);
     const resources = [
       this.namespace(),
       this.networkPolicy(),
@@ -590,23 +652,20 @@ var Webhook = class {
       this.clusterRoleBinding(),
       this.serviceAccount(),
       this.tlsSecret(),
-      this.mutatingWebhook(),
+      webhook,
       this.deployment(hash),
       this.service(),
       this.moduleSecret(code, hash)
     ];
     return resources.map((r) => (0, import_client_node.dumpYaml)(r, { noRefs: true })).join("---\n");
   }
-  async deploy(code, webhookTimeout) {
+  async deploy(path, webhookTimeout) {
     logger_default.info("Establishing connection to Kubernetes");
     const namespace = "pepr-system";
     const kubeConfig = new import_client_node.KubeConfig();
     kubeConfig.loadFromDefault();
     const coreV1Api = kubeConfig.makeApiClient(import_client_node.CoreV1Api);
-    const rbacApi = kubeConfig.makeApiClient(import_client_node.RbacAuthorizationV1Api);
-    const appsApi = kubeConfig.makeApiClient(import_client_node.AppsV1Api);
     const admissionApi = kubeConfig.makeApiClient(import_client_node.AdmissionregistrationV1Api);
-    const networkApi = kubeConfig.makeApiClient(import_client_node.NetworkingV1Api);
     const ns = this.namespace();
     try {
       logger_default.info("Checking for namespace");
@@ -616,7 +675,7 @@ var Webhook = class {
       logger_default.info("Creating namespace");
       await coreV1Api.createNamespace(ns);
     }
-    const wh = this.mutatingWebhook(webhookTimeout);
+    const wh = await this.mutatingWebhook(path, webhookTimeout);
     try {
       logger_default.info("Creating mutating webhook");
       await admissionApi.createMutatingWebhookConfiguration(wh);
@@ -629,18 +688,22 @@ var Webhook = class {
     if (this.host) {
       return;
     }
-    if (!code) {
+    if (!path) {
       throw new Error("No code provided");
     }
+    const code = await import_fs.promises.readFile(path);
     const hash = import_crypto.default.createHash("sha256").update(code).digest("hex");
-    const netpol = this.networkPolicy();
+    const appsApi = kubeConfig.makeApiClient(import_client_node.AppsV1Api);
+    const rbacApi = kubeConfig.makeApiClient(import_client_node.RbacAuthorizationV1Api);
+    const networkApi = kubeConfig.makeApiClient(import_client_node.NetworkingV1Api);
+    const networkPolicy = this.networkPolicy();
     try {
       logger_default.info("Checking for network policy");
-      await networkApi.readNamespacedNetworkPolicy(netpol.metadata?.name ?? "", namespace);
+      await networkApi.readNamespacedNetworkPolicy(networkPolicy.metadata?.name ?? "", namespace);
     } catch (e) {
       logger_default.debug(e instanceof import_client_node.HttpError ? e.body : e);
       logger_default.info("Creating network policy");
-      await networkApi.createNamespacedNetworkPolicy(namespace, netpol);
+      await networkApi.createNamespacedNetworkPolicy(namespace, networkPolicy);
     }
     const crb = this.clusterRoleBinding();
     try {
@@ -907,8 +970,8 @@ var hello_pepr_samples_default = [
 var gitIgnore = "# Ignore node_modules and Pepr build artifacts\nnode_modules\ndist\ninsecure*\n";
 var readmeMd = '# Pepr Module\n\nThis is a Pepr Module. [Pepr](https://github.com/defenseunicorns/pepr) is a Kubernetes transformation system\nwritten in Typescript.\n\nThe `capabilities` directory contains all the capabilities for this module. By default,\na capability is a single typescript file in the format of `capability-name.ts` that is\nimported in the root `pepr.ts` file as `import { HelloPepr } from "./capabilities/hello-pepr";`.\nBecause this is typescript, you can organize this however you choose, e.g. creating a sub-folder\nper-capability or common logic in shared files or folders.\n\nExample Structure:\n\n```\nModule Root\n\u251C\u2500\u2500 package.json\n\u251C\u2500\u2500 pepr.ts\n\u2514\u2500\u2500 capabilities\n    \u251C\u2500\u2500 example-one.ts\n    \u251C\u2500\u2500 example-three.ts\n    \u2514\u2500\u2500 example-two.ts\n```\n';
 var peprTS = 'import { PeprModule } from "pepr";\n// cfg loads your pepr configuration from package.json\nimport cfg from "./package.json";\n\n// HelloPepr is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\nimport { HelloPepr } from "./capabilities/hello-pepr";\n\n/**\n * This is the main entrypoint for this Pepr module. It is run when the module is started.\n * This is where you register your Pepr configurations and capabilities.\n */\nnew PeprModule(cfg, [\n  // "HelloPepr" is a demo capability that is included with Pepr. Comment or delete the line below to remove it.\n  HelloPepr,\n\n  // Your additional capabilities go here\n]);\n';
-var helloPeprTS = 'import {\n  Capability,\n  PeprRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n} from "pepr";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you can run `pepr dev` or `npm start` and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new Capability Action\nconst { When } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Then(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single Capability Action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Then(request =>\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too")\n  );\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action does the exact same changes for example-2, except this time it uses\n * the `.ThenSet()` feature. You can stack multiple `.Then()` calls, but only a single `.ThenSet()`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .ThenSet({\n    metadata: {\n      labels: {\n        pepr: "was-here",\n      },\n      annotations: {\n        "pepr.dev": "annotations-work-too",\n      },\n    },\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Then(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action show how you can use the `Then()` function to make multiple changes to the\n * same object from different functions. This is useful if you want to keep your Capability Actions\n * small and focused on a single task, or if you want to reuse the same function in multiple\n * Capability Actions.\n *\n * Note that the order of the `.Then()` calls matters. The first call will be executed first,\n * then the second, and so on. Also note the functions are not called until the Capability Action\n * is triggered.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-4")\n  .Then(cm => cm.SetLabel("pepr.dev/first", "true"))\n  .Then(addSecond)\n  .Then(addThird);\n\n//This function uses the complete type definition, but is not required.\nfunction addSecond(cm: PeprRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/second", "true");\n}\n\n// This function has no type definition, so you won\'t have intellisense in the function body.\nfunction addThird(cm) {\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Then(cm => cm.SetLabel("pepr.dev/first", "true"))\n  .Then(addSecond)\n  .Then(addThird);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any Capability Action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://api.chucknorris.io/jokes/random?category=dev");\n * const joke = await fetch("https://api.chucknorris.io/jokes/random?category=dev") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://api.chucknorris.io/jokes/random?category=dev")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  icon_url: string;\n  id: string;\n  url: string;\n  value: string;\n}\n\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithLabel("chuck-norris")\n  .Then(async change => {\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(\n      "https://api.chucknorris.io/jokes/random?category=dev"\n    );\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      // Add the Chuck Norris joke to the configmap\n      change.Raw.data["chuck-says"] = response.data.value;\n      return;\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the Capability Action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Then(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the Capability Action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need ot wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .ThenSet({\n    spec: {\n      message: "Hello Pepr without type data!",\n      counter: Math.random(),\n    },\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the Capability Action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all Capability Actions, but we are putting it here for demonstration purposes.\n *\n * You will need ot wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .ThenSet({\n    spec: {\n      message: "Hello Pepr now with type data!",\n      counter: Math.random(),\n    },\n  });\n';
-var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, version: "0.6.1", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { prebuild: "rm -fr dist/* && node hack/build-template-data.js", build: "tsc && node build.mjs", test: "npm run test:unit && npm run test:e2e", "test:unit": "npm run build && tsc -p tsconfig.tests.json && ava dist/**/*.test.js", "test:e2e": "npm run test:e2e:k3d && npm run test:e2e:build && npm run test:e2e:image && npm run test:e2e:run", "test:e2e:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'", "test:e2e:build": "npm run build && npm pack && npm uninstall pepr -g && npm install -g pepr-0.0.0-development.tgz && pepr", "test:e2e:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:e2e:run": "ava hack/e2e.test.mjs --sequential --timeout=2m", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write" }, dependencies: { "@kubernetes/client-node": "0.18.1", express: "4.18.2", "fast-json-patch": "3.1.1", "http-status-codes": "2.2.0", "node-fetch": "2.6.11", ramda: "0.29.0" }, devDependencies: { "@types/eslint": "8.40.0", "@types/express": "4.17.17", "@types/node-fetch": "2.6.4", "@types/node-forge": "1.3.2", "@types/prettier": "2.7.3", "@types/prompts": "2.4.4", "@types/ramda": "0.29.2", "@types/uuid": "9.0.1", ava: "5.3.0", nock: "13.3.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "5.59.7", "@typescript-eslint/parser": "5.59.7", commander: "10.0.1", esbuild: "0.17.19", eslint: "8.41.0", "node-forge": "1.3.1", prettier: "2.8.8", prompts: "2.4.2", typescript: "5.0.4", uuid: "9.0.0" }, ava: { failFast: true, verbose: true } };
+var helloPeprTS = 'import {\n  Capability,\n  PeprRequest,\n  RegisterKind,\n  a,\n  fetch,\n  fetchStatus,\n} from "pepr";\n\n/**\n *  The HelloPepr Capability is an example capability to demonstrate some general concepts of Pepr.\n *  To test this capability you run `pepr dev`and then run the following command:\n *  `kubectl apply -f capabilities/hello-pepr.samples.yaml`\n */\nexport const HelloPepr = new Capability({\n  name: "hello-pepr",\n  description: "A simple example capability to show how things work.",\n  namespaces: ["pepr-demo", "pepr-demo-2"],\n});\n\n// Use the \'When\' function to create a new Capability Action\nconst { When } = HelloPepr;\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Namespace)                                   *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action removes the label `remove-me` when a Namespace is created.\n * Note we don\'t need to specify the namespace here, because we\'ve already specified\n * it in the Capability definition above.\n */\nWhen(a.Namespace)\n  .IsCreated()\n  .Then(ns => ns.RemoveLabel("remove-me"));\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 1)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is a single Capability Action. They can be in the same file or put imported from other files.\n * In this example, when a ConfigMap is created with the name `example-1`, then add a label and annotation.\n *\n * Equivalent to manually running:\n * `kubectl label configmap example-1 pepr=was-here`\n * `kubectl annotate configmap example-1 pepr.dev=annotations-work-too`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-1")\n  .Then(request =>\n    request\n      .SetLabel("pepr", "was-here")\n      .SetAnnotation("pepr.dev", "annotations-work-too")\n  );\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 2)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action does the exact same changes for example-2, except this time it uses\n * the `.ThenSet()` feature. You can stack multiple `.Then()` calls, but only a single `.ThenSet()`\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-2")\n  .ThenSet({\n    metadata: {\n      labels: {\n        pepr: "was-here",\n      },\n      annotations: {\n        "pepr.dev": "annotations-work-too",\n      },\n    },\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 3)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action combines different styles. Unlike the previous actions, this one will look\n * for any ConfigMap in the `pepr-demo` namespace that has the label `change=by-label` during either\n * CREATE or UPDATE. Note that all conditions added such as `WithName()`, `WithLabel()`, `InNamespace()`,\n * are ANDs so all conditions must be true for the request to be processed.\n */\nWhen(a.ConfigMap)\n  .IsCreatedOrUpdated()\n  .WithLabel("change", "by-label")\n  .Then(request => {\n    // The K8s object e are going to mutate\n    const cm = request.Raw;\n\n    // Get the username and uid of the K8s request\n    const { username, uid } = request.Request.userInfo;\n\n    // Store some data about the request in the configmap\n    cm.data["username"] = username;\n    cm.data["uid"] = uid;\n\n    // You can still mix other ways of making changes too\n    request.SetAnnotation("pepr.dev", "making-waves");\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 4)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action show how you can use the `Then()` function to make multiple changes to the\n * same object from different functions. This is useful if you want to keep your Capability Actions\n * small and focused on a single task, or if you want to reuse the same function in multiple\n * Capability Actions.\n *\n * Note that the order of the `.Then()` calls matters. The first call will be executed first,\n * then the second, and so on. Also note the functions are not called until the Capability Action\n * is triggered.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithName("example-4")\n  .Then(cm => cm.SetLabel("pepr.dev/first", "true"))\n  .Then(addSecond)\n  .Then(addThird);\n\n//This function uses the complete type definition, but is not required.\nfunction addSecond(cm: PeprRequest<a.ConfigMap>) {\n  cm.SetLabel("pepr.dev/second", "true");\n}\n\n// This function has no type definition, so you won\'t have intellisense in the function body.\nfunction addThird(cm) {\n  cm.SetLabel("pepr.dev/third", "true");\n}\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 4a)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This is the same as Example 4, except this only operates on a CM in the `pepr-demo-2` namespace.\n * Note because the Capability defines namespaces, the namespace specified here must be one of those.\n * Alternatively, you can remove the namespace from the Capability definition and specify it here.\n */\nWhen(a.ConfigMap)\n  .IsCreated()\n  .InNamespace("pepr-demo-2")\n  .WithName("example-4a")\n  .Then(cm => cm.SetLabel("pepr.dev/first", "true"))\n  .Then(addSecond)\n  .Then(addThird);\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (CM Example 5)                                *\n * ---------------------------------------------------------------------------------------------------\n *\n * This Capability Action is a bit more complex. It will look for any ConfigMap in the `pepr-demo`\n * namespace that has the label `chuck-norris` during CREATE. When it finds one, it will fetch a\n * random Chuck Norris joke from the API and add it to the ConfigMap. This is a great example of how\n * you can use Pepr to make changes to your K8s objects based on external data.\n *\n * Note the use of the `async` keyword. This is required for any Capability Action that uses `await` or `fetch()`.\n *\n * Also note we are passing a type to the `fetch()` function. This is optional, but it will help you\n * avoid mistakes when working with the data returned from the API. You can also use the `as` keyword to\n * cast the data returned from the API.\n *\n * These are equivalent:\n * ```ts\n * const joke = await fetch<TheChuckNorrisJoke>("https://api.chucknorris.io/jokes/random?category=dev");\n * const joke = await fetch("https://api.chucknorris.io/jokes/random?category=dev") as TheChuckNorrisJoke;\n * ```\n *\n * Alternatively, you can drop the type completely:\n *\n * ```ts\n * fetch("https://api.chucknorris.io/jokes/random?category=dev")\n * ```\n */\ninterface TheChuckNorrisJoke {\n  icon_url: string;\n  id: string;\n  url: string;\n  value: string;\n}\n\nWhen(a.ConfigMap)\n  .IsCreated()\n  .WithLabel("chuck-norris")\n  .Then(async change => {\n    // Try/catch is not needed as a response object will always be returned\n    const response = await fetch<TheChuckNorrisJoke>(\n      "https://api.chucknorris.io/jokes/random?category=dev"\n    );\n\n    // Instead, check the `response.ok` field\n    if (response.ok) {\n      // Add the Chuck Norris joke to the configmap\n      change.Raw.data["chuck-says"] = response.data.value;\n      return;\n    }\n\n    // You can also assert on different HTTP response codes\n    if (response.status === fetchStatus.NOT_FOUND) {\n      // Do something else\n      return;\n    }\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Secret Base64 Handling)                      *\n * ---------------------------------------------------------------------------------------------------\n *\n * The K8s JS client provides incomplete support for base64 encoding/decoding handling for secrets,\n * unlike the GO client. To make this less painful, Pepr automatically handles base64 encoding/decoding\n * secret data before and after the Capability Action is executed.\n */\nWhen(a.Secret)\n  .IsCreated()\n  .WithName("secret-1")\n  .Then(request => {\n    const secret = request.Raw;\n\n    // This will be encoded at the end of all processing back to base64: "Y2hhbmdlLXdpdGhvdXQtZW5jb2Rpbmc="\n    secret.data.magic = "change-without-encoding";\n\n    // You can modify the data directly, and it will be encoded at the end of all processing\n    secret.data.example += " - modified by Pepr";\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Untyped Custom Resource)                     *\n * ---------------------------------------------------------------------------------------------------\n *\n * Out of the box, Pepr supports all the standard Kubernetes objects. However, you can also create\n * your own types. This is useful if you are working with an Operator that creates custom resources.\n * There are two ways to do this, the first is to use the `When()` function with a `GenericKind`,\n * the second is to create a new class that extends `GenericKind` and use the `RegisterKind()` function.\n *\n * This example shows how to use the `When()` function with a `GenericKind`. Note that you\n * must specify the `group`, `version`, and `kind` of the object (if applicable). This is how Pepr knows\n * if the Capability Action should be triggered or not. Since we are using a `GenericKind`,\n * Pepr will not be able to provide any intellisense for the object, so you will need to refer to the\n * Kubernetes API documentation for the object you are working with.\n *\n * You will need ot wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-1\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```\n */\nWhen(a.GenericKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n})\n  .IsCreated()\n  .WithName("example-1")\n  .ThenSet({\n    spec: {\n      message: "Hello Pepr without type data!",\n      counter: Math.random(),\n    },\n  });\n\n/**\n * ---------------------------------------------------------------------------------------------------\n *                                   CAPABILITY ACTION (Typed Custom Resource)                       *\n * ---------------------------------------------------------------------------------------------------\n *\n * This example shows how to use the `RegisterKind()` function to create a new type. This is useful\n * if you are working with an Operator that creates custom resources and you want to have intellisense\n * for the object. Note that you must specify the `group`, `version`, and `kind` of the object (if applicable)\n * as this is how Pepr knows if the Capability Action should be triggered or not.\n *\n * Once you register a new Kind with Pepr, you can use the `When()` function with the new Kind. Ideally,\n * you should register custom Kinds at the top of your Capability file or Pepr Module so they are available\n * to all Capability Actions, but we are putting it here for demonstration purposes.\n *\n * You will need ot wait for the CRD in `hello-pepr.samples.yaml` to be created, then you can apply\n *\n * ```yaml\n * apiVersion: pepr.dev/v1\n * kind: Unicorn\n * metadata:\n *   name: example-2\n *   namespace: pepr-demo\n * spec:\n *   message: replace-me\n *   counter: 0\n * ```*\n */\nclass UnicornKind extends a.GenericKind {\n  spec: {\n    /**\n     * JSDoc comments can be added to explain more details about the field.\n     *\n     * @example\n     * ```ts\n     * request.Raw.spec.message = "Hello Pepr!";\n     * ```\n     * */\n    message: string;\n    counter: number;\n  };\n}\n\nRegisterKind(UnicornKind, {\n  group: "pepr.dev",\n  version: "v1",\n  kind: "Unicorn",\n});\n\nWhen(UnicornKind)\n  .IsCreated()\n  .WithName("example-2")\n  .ThenSet({\n    spec: {\n      message: "Hello Pepr now with type data!",\n      counter: Math.random(),\n    },\n  });\n';
+var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, version: "0.7.1", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { prebuild: "rm -fr dist/* && node hack/build-template-data.js", build: "tsc && node build.mjs", test: "npm run test:unit && npm run test:e2e", "test:unit": "npm run build && tsc -p tsconfig.tests.json && ava dist/**/*.test.js", "test:e2e": "npm run test:e2e:k3d && npm run test:e2e:build && npm run test:e2e:image && npm run test:e2e:run", "test:e2e:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'", "test:e2e:build": "npm run build && npm pack && npm uninstall pepr -g && npm install -g pepr-0.0.0-development.tgz && pepr", "test:e2e:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:e2e:run": "ava hack/e2e.test.mjs --sequential --timeout=2m", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write" }, dependencies: { "@kubernetes/client-node": "0.18.1", express: "4.18.2", "fast-json-patch": "3.1.1", "http-status-codes": "2.2.0", "node-fetch": "2.6.11", ramda: "0.29.0" }, devDependencies: { "@types/eslint": "8.40.2", "@types/express": "4.17.17", "@types/node-fetch": "2.6.4", "@types/node-forge": "1.3.2", "@types/prettier": "2.7.3", "@types/prompts": "2.4.4", "@types/ramda": "0.29.2", "@types/uuid": "9.0.2", ava: "5.3.0", nock: "13.3.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "5.59.7", "@typescript-eslint/parser": "5.59.7", commander: "10.0.1", esbuild: "0.17.19", eslint: "8.41.0", "node-forge": "1.3.1", prettier: "2.8.8", prompts: "2.4.2", typescript: "5.0.4", uuid: "9.0.0" }, ava: { failFast: true, verbose: true } };
 
 // src/cli/init/templates/pepr.code-snippets.json
 var pepr_code_snippets_default = {
@@ -955,7 +1018,7 @@ var tsconfig_module_default = {
 };
 
 // src/cli/init/utils.ts
-var import_fs = require("fs");
+var import_fs2 = require("fs");
 function sanitizeName(name) {
   let sanitized = name.toLowerCase().replace(/[^a-z0-9-]+/gi, "-");
   sanitized = sanitized.replace(/^-+|-+$/g, "");
@@ -964,7 +1027,7 @@ function sanitizeName(name) {
 }
 async function createDir(dir) {
   try {
-    await import_fs.promises.mkdir(dir);
+    await import_fs2.promises.mkdir(dir);
   } catch (err) {
     if (err && err.code === "EEXIST") {
       throw new Error(`Directory ${dir} already exists`);
@@ -977,7 +1040,7 @@ function write(path, data) {
   if (typeof data !== "string") {
     data = JSON.stringify(data, null, 2);
   }
-  return import_fs.promises.writeFile(path, data);
+  return import_fs2.promises.writeFile(path, data);
 }
 
 // src/cli/init/templates.ts
@@ -991,6 +1054,9 @@ function genPkgJSON(opts, pgkVerOverride) {
     version: "0.0.1",
     description: opts.description,
     keywords: ["pepr", "k8s", "policy-engine", "pepr-module", "security"],
+    engines: {
+      node: ">=18.0.0"
+    },
     pepr: {
       name: opts.name.trim(),
       uuid: pgkVerOverride ? "static-test" : uuid,
@@ -1001,8 +1067,7 @@ function genPkgJSON(opts, pgkVerOverride) {
       }
     },
     scripts: {
-      "k3d-setup": scripts["test:e2e:k3d"],
-      start: "pepr dev"
+      "k3d-setup": scripts["test:e2e:k3d"]
     },
     dependencies: {
       pepr: pgkVerOverride || version
@@ -1065,18 +1130,21 @@ function build_default(program2) {
     peprTS2
   ).action(async (opts) => {
     const { cfg, path, uuid } = await buildModule(void 0, opts.entryPoint);
-    const code = await import_fs2.promises.readFile(path);
+    if (opts.entryPoint !== peprTS2) {
+      logger_default.info(`Module built successfully at ${path}`);
+      return;
+    }
     const webhook = new Webhook({
       ...cfg.pepr,
       description: cfg.description
     });
     const yamlFile = `pepr-module-${uuid}.yaml`;
     const yamlPath = (0, import_path.resolve)("dist", yamlFile);
-    const yaml = webhook.allYaml(code);
+    const yaml = await webhook.allYaml(path);
     const zarfPath = (0, import_path.resolve)("dist", "zarf.yaml");
     const zarf = webhook.zarfYaml(yamlFile);
-    await import_fs2.promises.writeFile(yamlPath, yaml);
-    await import_fs2.promises.writeFile(zarfPath, zarf);
+    await import_fs3.promises.writeFile(yamlPath, yaml);
+    await import_fs3.promises.writeFile(zarfPath, zarf);
     logger_default.debug(`Module compiled successfully at ${path}`);
     logger_default.info(`K8s resource for the module saved to ${yamlPath}`);
   });
@@ -1087,15 +1155,15 @@ async function loadModule(entryPoint = peprTS2) {
   const cfgPath = (0, import_path.resolve)(".", "package.json");
   const input = (0, import_path.resolve)(".", entryPoint);
   try {
-    await import_fs2.promises.access(cfgPath);
-    await import_fs2.promises.access(input);
+    await import_fs3.promises.access(cfgPath);
+    await import_fs3.promises.access(input);
   } catch (e) {
     logger_default.error(
       `Could not find ${cfgPath} or ${input} in the current directory. Please run this command from the root of your module's directory.`
     );
     process.exit(1);
   }
-  const moduleText = await import_fs2.promises.readFile(cfgPath, { encoding: "utf-8" });
+  const moduleText = await import_fs3.promises.readFile(cfgPath, { encoding: "utf-8" });
   const cfg = JSON.parse(moduleText);
   const { uuid } = cfg.pepr;
   const name = `pepr-${uuid}.js`;
@@ -1120,9 +1188,8 @@ async function loadModule(entryPoint = peprTS2) {
 async function buildModule(reloader, entryPoint = peprTS2) {
   try {
     const { cfg, path, uuid } = await loadModule(entryPoint);
-    (0, import_child_process.execSync)("./node_modules/.bin/tsc", { stdio: "inherit" });
-    const customEntryPoint = entryPoint !== peprTS2;
-    const ctx = await (0, import_esbuild.context)({
+    (0, import_child_process2.execSync)("./node_modules/.bin/tsc", { stdio: "inherit" });
+    const ctxCfg = {
       bundle: true,
       entryPoints: [entryPoint],
       external: externalLibs,
@@ -1130,11 +1197,8 @@ async function buildModule(reloader, entryPoint = peprTS2) {
       keepNames: true,
       legalComments: "external",
       metafile: true,
-      // Only minify the code if we're not in dev mode and we're not using a custom entry point
-      minify: !reloader && !customEntryPoint,
+      minify: true,
       outfile: path,
-      // Only bundle the NPM packages if we're not using a custom entry point
-      packages: customEntryPoint ? "external" : void 0,
       plugins: [
         {
           name: "reload-server",
@@ -1144,18 +1208,26 @@ async function buildModule(reloader, entryPoint = peprTS2) {
                 console.log(await (0, import_esbuild.analyzeMetafile)(r.metafile));
               }
               if (reloader) {
-                reloader(r);
+                await reloader(r);
               }
             });
           }
         }
       ],
       platform: "node",
-      // Only generate a sourcemap if we're in dev mode
-      sourcemap: !!reloader,
-      // Only tree shake the code if we're not using a custom entry point
-      treeShaking: !customEntryPoint
-    });
+      sourcemap: true,
+      treeShaking: true
+    };
+    if (reloader) {
+      ctxCfg.minify = false;
+    }
+    if (entryPoint !== peprTS2) {
+      ctxCfg.minify = false;
+      ctxCfg.outfile = (0, import_path.resolve)("dist", (0, import_path.basename)(entryPoint, (0, import_path.extname)(entryPoint))) + ".js";
+      ctxCfg.packages = "external";
+      ctxCfg.treeShaking = false;
+    }
+    const ctx = await (0, import_esbuild.context)(ctxCfg);
     if (reloader) {
       await ctx.watch();
     } else {
@@ -1173,7 +1245,6 @@ async function buildModule(reloader, entryPoint = peprTS2) {
 }
 
 // src/cli/deploy.ts
-var import_fs3 = require("fs");
 var import_prompts = __toESM(require("prompts"));
 function deploy_default(program2) {
   program2.command("deploy").description("Deploy a Pepr Module").option("-i, --image [image]", "Override the image tag").option("--confirm", "Skip confirmation prompt").action(async (opts) => {
@@ -1188,7 +1259,6 @@ function deploy_default(program2) {
       }
     }
     const { cfg, path } = await buildModule();
-    const code = await import_fs3.promises.readFile(path);
     const webhook = new Webhook({
       ...cfg.pepr,
       description: cfg.description
@@ -1197,7 +1267,7 @@ function deploy_default(program2) {
       webhook.image = opts.image;
     }
     try {
-      await webhook.deploy(code);
+      await webhook.deploy(path);
       logger_default.info(`Module deployed successfully`);
     } catch (e) {
       logger_default.error(`Error deploying module: ${e}`);
@@ -1207,7 +1277,7 @@ function deploy_default(program2) {
 }
 
 // src/cli/dev.ts
-var import_child_process2 = require("child_process");
+var import_child_process3 = require("child_process");
 var import_fs4 = require("fs");
 var import_prompts2 = __toESM(require("prompts"));
 function dev_default(program2) {
@@ -1233,12 +1303,11 @@ function dev_default(program2) {
     await import_fs4.promises.writeFile("insecure-tls.crt", webhook.tls.pem.crt);
     await import_fs4.promises.writeFile("insecure-tls.key", webhook.tls.pem.key);
     try {
-      await webhook.deploy(void 0, 30);
-      logger_default.info(`Module deployed successfully`);
       let program3;
-      const runFork = () => {
+      const runFork = async () => {
         logger_default.info(`Running module ${path}`);
-        program3 = (0, import_child_process2.fork)(path, {
+        await webhook.deploy(path, 30);
+        program3 = (0, import_child_process3.fork)(path, {
           env: {
             ...process.env,
             LOG_LEVEL: "debug",
@@ -1247,16 +1316,16 @@ function dev_default(program2) {
           }
         });
       };
-      await buildModule((r) => {
+      await buildModule(async (r) => {
         if (r.errors.length > 0) {
           logger_default.error(`Error compiling module: ${r.errors}`);
           return;
         }
         if (program3) {
           program3.once("exit", runFork);
-          program3.kill();
+          program3.kill("SIGKILL");
         } else {
-          runFork();
+          await runFork();
         }
       });
     } catch (e) {
@@ -1316,23 +1385,13 @@ function format_default(program2) {
 }
 
 // src/cli/init/index.ts
-var import_child_process3 = require("child_process");
+var import_child_process4 = require("child_process");
 var import_path2 = require("path");
 var import_prompts4 = __toESM(require("prompts"));
 
 // src/cli/init/walkthrough.ts
 var import_fs6 = require("fs");
 var import_prompts3 = __toESM(require("prompts"));
-
-// src/lib/types.ts
-var ErrorBehavior = /* @__PURE__ */ ((ErrorBehavior2) => {
-  ErrorBehavior2["ignore"] = "ignore";
-  ErrorBehavior2["audit"] = "audit";
-  ErrorBehavior2["reject"] = "reject";
-  return ErrorBehavior2;
-})(ErrorBehavior || {});
-
-// src/cli/init/walkthrough.ts
 function walkthrough() {
   const askName = {
     type: "text",
@@ -1435,14 +1494,14 @@ function init_default(program2) {
         await write((0, import_path2.resolve)(dirName, "capabilities", helloPepr.path), helloPepr.data);
         if (!opts.skipPostInit) {
           process.chdir(dirName);
-          (0, import_child_process3.execSync)("npm install", {
+          (0, import_child_process4.execSync)("npm install", {
             stdio: "inherit"
           });
-          (0, import_child_process3.execSync)("git init", {
+          (0, import_child_process4.execSync)("git init", {
             stdio: "inherit"
           });
           try {
-            (0, import_child_process3.execSync)("code .", {
+            (0, import_child_process4.execSync)("code .", {
               stdio: "inherit"
             });
           } catch (e) {
@@ -1475,7 +1534,7 @@ var RootCmd = class extends import_commander.Command {
 };
 
 // src/cli/update.ts
-var import_child_process4 = require("child_process");
+var import_child_process5 = require("child_process");
 var import_path3 = require("path");
 var import_prompts5 = __toESM(require("prompts"));
 function update_default(program2) {
@@ -1499,10 +1558,10 @@ function update_default(program2) {
         await write((0, import_path3.resolve)("capabilities", samplesYaml.path), samplesYaml.data);
         await write((0, import_path3.resolve)("capabilities", helloPepr.path), helloPepr.data);
       }
-      (0, import_child_process4.execSync)("npm install pepr@latest", {
+      (0, import_child_process5.execSync)("npm install pepr@latest", {
         stdio: "inherit"
       });
-      (0, import_child_process4.execSync)("npm install -g pepr@latest", {
+      (0, import_child_process5.execSync)("npm install -g pepr@latest", {
         stdio: "inherit"
       });
       console.log(`Module updated!`);
@@ -1516,12 +1575,41 @@ function update_default(program2) {
   });
 }
 
+// src/lib.ts
+var import_client_node4 = __toESM(require("@kubernetes/client-node"));
+var import_http_status_codes2 = require("http-status-codes");
+var utils = __toESM(require("ramda"));
+
+// src/lib/k8s/upstream.ts
+var import_client_node3 = require("@kubernetes/client-node");
+
+// src/lib/fetch.ts
+var import_http_status_codes = require("http-status-codes");
+var import_node_fetch = __toESM(require("node-fetch"));
+
+// src/lib/module.ts
+var import_ramda3 = require("ramda");
+
+// src/lib/controller.ts
+var import_express = __toESM(require("express"));
+
+// src/lib/processor.ts
+var import_fast_json_patch = __toESM(require("fast-json-patch"));
+
+// src/lib/request.ts
+var import_ramda2 = require("ramda");
+
 // src/cli.ts
 var program = new RootCmd();
 program.version(version).description(`Pepr Kubernetes Thingy (v${version})`).action(() => {
   if (program.args.length < 1) {
     console.log(banner);
     program.help();
+  } else {
+    logger_default.error(`Invalid command '${program.args.join(" ")}'
+`);
+    program.outputHelp();
+    process.exitCode = 1;
   }
 });
 init_default(program);

package/dist/controller.js

@@ -116,7 +116,7 @@ if (process.env.LOG_LEVEL) {
 var logger_default = Log;
 
 // src/cli/init/templates/data.json
-var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, version: "0.6.1", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { prebuild: "rm -fr dist/* && node hack/build-template-data.js", build: "tsc && node build.mjs", test: "npm run test:unit && npm run test:e2e", "test:unit": "npm run build && tsc -p tsconfig.tests.json && ava dist/**/*.test.js", "test:e2e": "npm run test:e2e:k3d && npm run test:e2e:build && npm run test:e2e:image && npm run test:e2e:run", "test:e2e:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'", "test:e2e:build": "npm run build && npm pack && npm uninstall pepr -g && npm install -g pepr-0.0.0-development.tgz && pepr", "test:e2e:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:e2e:run": "ava hack/e2e.test.mjs --sequential --timeout=2m", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write" }, dependencies: { "@kubernetes/client-node": "0.18.1", express: "4.18.2", "fast-json-patch": "3.1.1", "http-status-codes": "2.2.0", "node-fetch": "2.6.11", ramda: "0.29.0" }, devDependencies: { "@types/eslint": "8.40.0", "@types/express": "4.17.17", "@types/node-fetch": "2.6.4", "@types/node-forge": "1.3.2", "@types/prettier": "2.7.3", "@types/prompts": "2.4.4", "@types/ramda": "0.29.2", "@types/uuid": "9.0.1", ava: "5.3.0", nock: "13.3.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "5.59.7", "@typescript-eslint/parser": "5.59.7", commander: "10.0.1", esbuild: "0.17.19", eslint: "8.41.0", "node-forge": "1.3.1", prettier: "2.8.8", prompts: "2.4.2", typescript: "5.0.4", uuid: "9.0.0" }, ava: { failFast: true, verbose: true } };
+var packageJSON = { name: "pepr", description: "Kubernetes application engine", author: "Defense Unicorns", homepage: "https://github.com/defenseunicorns/pepr", license: "Apache-2.0", bin: "dist/cli.js", repository: "defenseunicorns/pepr", engines: { node: ">=18.0.0" }, version: "0.7.1", main: "dist/lib.js", types: "dist/lib.d.ts", scripts: { prebuild: "rm -fr dist/* && node hack/build-template-data.js", build: "tsc && node build.mjs", test: "npm run test:unit && npm run test:e2e", "test:unit": "npm run build && tsc -p tsconfig.tests.json && ava dist/**/*.test.js", "test:e2e": "npm run test:e2e:k3d && npm run test:e2e:build && npm run test:e2e:image && npm run test:e2e:run", "test:e2e:k3d": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'", "test:e2e:build": "npm run build && npm pack && npm uninstall pepr -g && npm install -g pepr-0.0.0-development.tgz && pepr", "test:e2e:image": "docker buildx build --tag pepr:dev . && k3d image import pepr:dev -c pepr-dev", "test:e2e:run": "ava hack/e2e.test.mjs --sequential --timeout=2m", "format:check": "eslint src && prettier src --check", "format:fix": "eslint src --fix && prettier src --write" }, dependencies: { "@kubernetes/client-node": "0.18.1", express: "4.18.2", "fast-json-patch": "3.1.1", "http-status-codes": "2.2.0", "node-fetch": "2.6.11", ramda: "0.29.0" }, devDependencies: { "@types/eslint": "8.40.2", "@types/express": "4.17.17", "@types/node-fetch": "2.6.4", "@types/node-forge": "1.3.2", "@types/prettier": "2.7.3", "@types/prompts": "2.4.4", "@types/ramda": "0.29.2", "@types/uuid": "9.0.2", ava: "5.3.0", nock: "13.3.1" }, peerDependencies: { "@typescript-eslint/eslint-plugin": "5.59.7", "@typescript-eslint/parser": "5.59.7", commander: "10.0.1", esbuild: "0.17.19", eslint: "8.41.0", "node-forge": "1.3.1", prettier: "2.8.8", prompts: "2.4.2", typescript: "5.0.4", uuid: "9.0.0" }, ava: { failFast: true, verbose: true } };
 
 // src/runtime/controller.ts
 var { version } = packageJSON;

package/dist/lib/capability.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"capability.d.ts","sourceRoot":"","sources":["../../src/lib/capability.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C,OAAO,EAEL,OAAO,EAIP,aAAa,EAGb,YAAY,EACZ,SAAS,EACT,YAAY,EACb,MAAM,SAAS,CAAC;AAEjB;;GAEG;AACH,qBAAa,UAAW,YAAW,aAAa;IAC9C,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,WAAW,CAAC,CAAuB;IAG3C,OAAO,CAAC,iBAAiB,CAAoB;IAE7C,OAAO,CAAC,SAAS,CAAiB;IAElC,IAAI,QAAQ,IAAI,OAAO,EAAE,CAExB;IAED,IAAI,IAAI,WAEP;IAED,IAAI,WAAW,WAEd;IAED,IAAI,UAAU,aAEb;IAED,IAAI,gBAAgB,cAEnB;gBAEW,GAAG,EAAE,aAAa;IAQ9B;;;;;;;;OAQG;IACH,IAAI,4CAA6C,gBAAgB,qBAuF/D;CACH"}
+{"version":3,"file":"capability.d.ts","sourceRoot":"","sources":["../../src/lib/capability.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C,OAAO,EAEL,OAAO,EAIP,aAAa,EAGb,YAAY,EACZ,SAAS,EACT,YAAY,EACb,MAAM,SAAS,CAAC;AAEjB;;GAEG;AACH,qBAAa,UAAW,YAAW,aAAa;IAC9C,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,WAAW,CAAC,CAAuB;IAG3C,OAAO,CAAC,iBAAiB,CAAoB;IAE7C,OAAO,CAAC,SAAS,CAAiB;IAElC,IAAI,QAAQ,IAAI,OAAO,EAAE,CAExB;IAED,IAAI,IAAI,WAEP;IAED,IAAI,WAAW,WAEd;IAED,IAAI,UAAU,aAEb;IAED,IAAI,gBAAgB,cAEnB;gBAEW,GAAG,EAAE,aAAa;IAQ9B;;;;;;;;OAQG;IACH,IAAI,4CAA6C,gBAAgB,qBAwF/D;CACH"}