From 880c37da3b46ac40b88311ce59ef7fe8f34b1c98 Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 09:22:02 +0800 Subject: [PATCH 01/13] Ensure api-runner supports cgo builds --- docker-compose.yml | 5 ++++- docker/dockerfile-api-runner | 7 +++++++ 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 docker/dockerfile-api-runner diff --git a/docker-compose.yml b/docker-compose.yml index c6dca4f7..d4806fbf 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -83,7 +83,10 @@ services: restart: no env_file: - ./.env - image: golang:1.25.1-alpine@sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd + build: + context: . + dockerfile: ./docker/dockerfile-api-runner + image: api-api-runner volumes: - .:/app - go_mod_cache:/go/pkg/mod diff --git a/docker/dockerfile-api-runner b/docker/dockerfile-api-runner new file mode 100644 index 00000000..2b5276b1 --- /dev/null +++ b/docker/dockerfile-api-runner @@ -0,0 +1,7 @@ +# syntax=docker/dockerfile:1 +FROM golang:1.25.1-alpine + +# Install toolchain required for cgo builds +RUN apk add --no-cache build-base + +WORKDIR /app From c95d9fd780df3fa6d752ef8bf952d3d7c70fc096 Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 09:52:59 +0800 Subject: [PATCH 02/13] Use api Dockerfile for runner image --- docker-compose.yml | 3 ++- docker/dockerfile-api-runner | 7 ------- 2 files changed, 2 insertions(+), 8 deletions(-) delete mode 100644 docker/dockerfile-api-runner diff --git a/docker-compose.yml b/docker-compose.yml index d4806fbf..5be406ce 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -85,7 +85,8 @@ services: - ./.env build: context: . - dockerfile: ./docker/dockerfile-api-runner + dockerfile: ./docker/dockerfile-api + target: builder image: api-api-runner volumes: - .:/app diff --git a/docker/dockerfile-api-runner b/docker/dockerfile-api-runner deleted file mode 100644 index 2b5276b1..00000000 --- a/docker/dockerfile-api-runner +++ /dev/null 
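Review bot: The `FROM golang:1.25.1-alpine` line in the new docker/dockerfile-api-runner (PATCH 01/13) drops the digest pin that the compose `image:` line carried until this commit, so the runner image now follows whatever the mutable tag resolves to at build time. Keeping the digest from the removed compose line, `FROM golang:1.25.1-alpine@sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd`, preserves the reproducibility the service had before. `build-base` is also installed without a version pin; a comment such as `# dev-only runner: build-base intentionally unpinned` would make that trade-off explicit. The file is removed again in PATCH 02/13 in favour of the `builder` stage of docker/dockerfile-api, which is not shown here, so it is worth confirming that its base image is pinned by digest as well.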
@@ -1,7 +0,0 @@ -# syntax=docker/dockerfile:1 -FROM golang:1.25.1-alpine - -# Install toolchain required for cgo builds -RUN apk add --no-cache build-base - -WORKDIR /app From 5443ade8de5e3022375282063e199e51997163ec Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 10:25:33 +0800 Subject: [PATCH 03/13] Improve run-cli defaults and error handling --- Makefile | 4 ++++ metal/makefile/app.mk | 52 +++++++++++++++++++++++++++++-------------- 2 files changed, 39 insertions(+), 17 deletions(-) diff --git a/Makefile b/Makefile index 70b54ce6..688d6f34 100644 --- a/Makefile +++ b/Makefile @@ -31,6 +31,10 @@ REPO_OWNER := $(shell cd .. && basename "$$(pwd)") VERSION := $(shell git describe --tags 2>/dev/null | cut -c 2-) CGO_ENABLED := 1 +DB_SECRET_USERNAME ?= ./database/infra/secrets/pg_username +DB_SECRET_PASSWORD ?= ./database/infra/secrets/pg_password +DB_SECRET_DBNAME ?= ./database/infra/secrets/pg_dbname + # -------------------------------------------------------------------------------------------------------------------- # # -------------------------------------------------------------------------------------------------------------------- # diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 87b03688..6f51e20d 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -36,23 +36,41 @@ install-air: @go install github.com/air-verse/air@latest run-cli: - @if [ -z "$(DB_SECRET_USERNAME)" ] || [ -z "$(DB_SECRET_PASSWORD)" ] || [ -z "$(DB_SECRET_DBNAME)" ]; then \ - printf "\n$(RED)⚠️ Usage: make run-cli \n$(NC)"; \ - printf " DB_SECRET_USERNAME=/path/to/pg_username\n"; \ - printf " DB_SECRET_PASSWORD=/path/to/pg_password\n"; \ - printf " DB_SECRET_DBNAME=/path/to/pg_dbname\n\n"; \ - printf "\n------------------------------------------------------\n\n"; \ - exit 1; \ - fi; \ - printf "\n$(GREEN)🔒 Running CLI with secrets from:$(NC)\n"; \ - printf " DB_SECRET_USERNAME=$(DB_SECRET_USERNAME)\n"; \ - printf " DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD)\n"; \ - printf " DB_SECRET_DBNAME=$(DB_SECRET_DBNAME)\n\n"; \ - DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ - DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ - DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ - docker compose run --rm api-runner go run ./metal/cli/main.go - + @missing=""; \ + for secret in "$(DB_SECRET_USERNAME)" "$(DB_SECRET_PASSWORD)" "$(DB_SECRET_DBNAME)"; do \ + if [ ! -f "$$secret" ]; then \ + missing="$$missing\n - $$secret"; \ + fi; \ + done; \ + if [ -n "$$missing" ]; then \ + printf "\n$(RED)❌ Missing secret files:$(NC)%s\n" "$$missing"; \ + printf " Please make sure the paths exist or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ + exit 1; \ + fi + @printf "\n$(GREEN)🔒 Running CLI with secrets from:$(NC)\n" + @printf " DB_SECRET_USERNAME=$(DB_SECRET_USERNAME)\n" + @printf " DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD)\n" + @printf " DB_SECRET_DBNAME=$(DB_SECRET_DBNAME)\n\n" + @if ! command -v docker >/dev/null 2>&1; then \ + printf "$(YELLOW)⚠️ Docker not available. 
Running CLI locally without Docker.\n$(NC)"; \ + DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ + DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ + DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ + go run ./metal/cli/main.go || { \ + status=$$?; \ + printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ + exit $$status; \ + }; \ + else \ + DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ + DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ + DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ + docker compose run --rm api-runner go run ./metal/cli/main.go || { \ + status=$$?; \ + printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ + exit $$status; \ + }; \ + fi run-cli-docker: make run-cli DB_SECRET_USERNAME=./database/infra/secrets/pg_username DB_SECRET_PASSWORD=./database/infra/secrets/pg_password DB_SECRET_DBNAME=./database/infra/secrets/pg_dbname From 885f6a38aa0310b1dc38267db62db0670566c956 Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 10:25:38 +0800 Subject: [PATCH 04/13] chore: scope cli secrets with app makefile --- Makefile | 4 ---- metal/makefile/app.mk | 4 ++++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 688d6f34..70b54ce6 100644 --- a/Makefile +++ b/Makefile @@ -31,10 +31,6 @@ REPO_OWNER := $(shell cd .. && basename "$$(pwd)") VERSION := $(shell git describe --tags 2>/dev/null | cut -c 2-) CGO_ENABLED := 1 -DB_SECRET_USERNAME ?= ./database/infra/secrets/pg_username -DB_SECRET_PASSWORD ?= ./database/infra/secrets/pg_password -DB_SECRET_DBNAME ?= ./database/infra/secrets/pg_dbname - # -------------------------------------------------------------------------------------------------------------------- # # -------------------------------------------------------------------------------------------------------------------- # diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 6f51e20d..9a8c1786 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -1,5 +1,9 @@ .PHONY: fresh destroy audit watch format run-cli test-all run-cli-docker run-metal +DB_SECRET_USERNAME ?= ./database/infra/secrets/pg_username +DB_SECRET_PASSWORD ?= ./database/infra/secrets/pg_password +DB_SECRET_DBNAME ?= ./database/infra/secrets/pg_dbname + format: gofmt -w -s . From cc4f737cf2f9dc17e09d358cb26368c0bc2010a6 Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 10:43:32 +0800 Subject: [PATCH 05/13] Allow run-cli secrets to be overridden dynamically --- metal/makefile/app.mk | 66 +++++++++++++++++++++++++------------------ 1 file changed, 39 insertions(+), 27 deletions(-) diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 9a8c1786..4b7bdec2 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -40,43 +40,55 @@ install-air: @go install github.com/air-verse/air@latest run-cli: - @missing=""; \ - for secret in "$(DB_SECRET_USERNAME)" "$(DB_SECRET_PASSWORD)" "$(DB_SECRET_DBNAME)"; do \ - if [ ! -f "$$secret" ]; then \ - missing="$$missing\n - $$secret"; \ - fi; \ + @set -euo pipefail; \ + missing_values=""; \ + missing_files=""; \ + for secret_name in DB_SECRET_USERNAME DB_SECRET_PASSWORD DB_SECRET_DBNAME; do \ + value="${!secret_name:-}"; \ + if [ -z "$$value" ]; then \ + missing_values="$$missing_values\n - $$secret_name"; \ + elif [[ "$$value" == /* || "$$value" == ./* || "$$value" == ../* ]]; then \ + if [ ! -f "$$value" ]; then \ + missing_files="$$missing_files\n - $$secret_name ($$value)"; \ + fi; \ + fi; \ done; \ - if [ -n "$$missing" ]; then \ - printf "\n$(RED)❌ Missing secret files:$(NC)%s\n" "$$missing"; \ - printf " Please make sure the paths exist or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ - exit 1; \ + if [ -n "$$missing_values" ]; then \ + printf "\n$(RED)❌ Missing secret values:$(NC)%s\n" "$$missing_values"; \ + printf " Provide them via environment variables or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ + exit 1; \ + fi; \ + if [ -n "$$missing_files" ]; then \ + printf "\n$(RED)❌ Secret file paths not found:$(NC)%s\n" "$$missing_files"; \ + printf " Ensure the files exist or adjust the overrides before running $(BOLD)make run-cli$(NC).\n\n"; \ + exit 1; \ fi @printf "\n$(GREEN)🔒 Running CLI with secrets from:$(NC)\n" @printf " DB_SECRET_USERNAME=$(DB_SECRET_USERNAME)\n" @printf " DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD)\n" @printf " DB_SECRET_DBNAME=$(DB_SECRET_DBNAME)\n\n" @if ! command -v docker >/dev/null 2>&1; then \ - printf "$(YELLOW)⚠️ Docker not available. 
Running CLI locally without Docker.\n$(NC)"; \ - DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ - DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ - DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ - go run ./metal/cli/main.go || { \ - status=$$?; \ - printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ - exit $$status; \ - }; \ + printf "$(YELLOW)⚠️ Docker not available. Running CLI locally without Docker.\n$(NC)"; \ + DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ + DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ + DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ + go run ./metal/cli/main.go || { \ + status=$$?; \ + printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ + exit $$status; \ + }; \ else \ - DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ - DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ - DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ - docker compose run --rm api-runner go run ./metal/cli/main.go || { \ - status=$$?; \ - printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ - exit $$status; \ - }; \ + DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ + DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ + DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ + docker compose run --rm api-runner go run ./metal/cli/main.go || { \ + status=$$?; \ + printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ + exit $$status; \ + }; \ fi run-cli-docker: - make run-cli DB_SECRET_USERNAME=./database/infra/secrets/pg_username DB_SECRET_PASSWORD=./database/infra/secrets/pg_password DB_SECRET_DBNAME=./database/infra/secrets/pg_dbname + make run-cli DB_SECRET_USERNAME=$(DB_SECRET_USERNAME) DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD) DB_SECRET_DBNAME=$(DB_SECRET_DBNAME) test-all: go test ./... From 63f1e6e62f87f55d1d4c9837cbb28d6827f2ae23 Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 11:04:29 +0800 Subject: [PATCH 06/13] Fix run-cli secret defaults handling --- metal/makefile/app.mk | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) 
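Review bot: From this commit on, a `DB_SECRET_*` value that does not look like a path is accepted as a literal secret, yet the recipe still pastes it into shell text through make expansion: `DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)"` in front of `go run` and `docker compose run`, and unquoted in `make run-cli … DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD)` under `run-cli-docker`. A password containing `"`, `$` or a backtick is then re-parsed by the shell, and because the `run-cli-docker` recipe line has no `@`, make echoes the full command with the value to the terminal or CI log. Exporting the variables from make (`export DB_SECRET_USERNAME DB_SECRET_PASSWORD DB_SECRET_DBNAME`) and reading them in the recipe as `"$$DB_SECRET_PASSWORD"` avoids both problems, and `run-cli-docker` can then be just `@$(MAKE) run-cli`. The same expansion recurs in the `case "$(DB_SECRET_…)"` display blocks of PATCH 11/13 and 12/13 and in the final `docker compose run` line of PATCH 13/13.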
diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 4b7bdec2..ead2fc91 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -43,23 +43,35 @@ run-cli: @set -euo pipefail; \ missing_values=""; \ missing_files=""; \ - for secret_name in DB_SECRET_USERNAME DB_SECRET_PASSWORD DB_SECRET_DBNAME; do \ - value="${!secret_name:-}"; \ - if [ -z "$$value" ]; then \ - missing_values="$$missing_values\n - $$secret_name"; \ - elif [[ "$$value" == /* || "$$value" == ./* || "$$value" == ../* ]]; then \ - if [ ! -f "$$value" ]; then \ - missing_files="$$missing_files\n - $$secret_name ($$value)"; \ + check_secret() { \ + local secret_name="$$1"; \ + local secret_value="$$2"; \ + if [ -z "$$secret_value" ]; then \ + if [ -z "$$missing_values" ]; then \ + missing_values=" - $$secret_name"; \ + else \ + printf -v missing_values "%s\n - %s" "$$missing_values" "$$secret_name"; \ + fi; \ + elif [[ "$$secret_value" == /* || "$$secret_value" == ./* || "$$secret_value" == ../* ]]; then \ + if [ ! -f "$$secret_value" ]; then \ + if [ -z "$$missing_files" ]; then \ + missing_files=" - $$secret_name ($$secret_value)"; \ + else \ + printf -v missing_files "%s\n - %s (%s)" "$$missing_files" "$$secret_name" "$$secret_value"; \ + fi; \ fi; \ fi; \ - done; \ + }; \ + check_secret DB_SECRET_USERNAME "$(DB_SECRET_USERNAME)"; \ + check_secret DB_SECRET_PASSWORD "$(DB_SECRET_PASSWORD)"; \ + check_secret DB_SECRET_DBNAME "$(DB_SECRET_DBNAME)"; \ if [ -n "$$missing_values" ]; then \ - printf "\n$(RED)❌ Missing secret values:$(NC)%s\n" "$$missing_values"; \ + printf "\n$(RED)❌ Missing secret values:$(NC)\n%s\n" "$$missing_values"; \ printf " Provide them via environment variables or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ exit 1; \ fi; \ if [ -n "$$missing_files" ]; then \ - printf "\n$(RED)❌ Secret file paths not found:$(NC)%s\n" "$$missing_files"; \ + printf "\n$(RED)❌ Secret file paths not found:$(NC)\n%s\n" "$$missing_files"; \ printf " Ensure the files exist or adjust the overrides before running $(BOLD)make run-cli$(NC).\n\n"; \ exit 1; \ fi 
From d34a645f72d8d7c9475d4d3217ad95f00816157c Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 11:14:05 +0800 Subject: [PATCH 07/13] Ignore Go cache directories --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index bfd1f298..17ac5765 100644 --- a/.gitignore +++ b/.gitignore @@ -45,6 +45,8 @@ storage/sql/*.* *.dylib *.test *.out +.gocache +.gopath go.work go.work.sum From e84ef8013662ee583d3aa00a5aa53b15755fa0b5 Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 11:25:59 +0800 Subject: [PATCH 08/13] Fix run-cli for POSIX shell --- metal/makefile/app.mk | 57 +++++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index ead2fc91..84f18483 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -40,40 +40,45 @@ install-air: @go install github.com/air-verse/air@latest run-cli: - @set -euo pipefail; \ - missing_values=""; \ + @missing_values=""; \ missing_files=""; \ check_secret() { \ - local secret_name="$$1"; \ - local secret_value="$$2"; \ - if [ -z "$$secret_value" ]; then \ - if [ -z "$$missing_values" ]; then \ - missing_values=" - $$secret_name"; \ - else \ - printf -v missing_values "%s\n - %s" "$$missing_values" "$$secret_name"; \ - fi; \ - elif [[ "$$secret_value" == /* || "$$secret_value" == ./* || "$$secret_value" == ../* ]]; then \ - if [ ! -f "$$secret_value" ]; then \ - if [ -z "$$missing_files" ]; then \ - missing_files=" - $$secret_name ($$secret_value)"; \ - else \ - printf -v missing_files "%s\n - %s (%s)" "$$missing_files" "$$secret_name" "$$secret_value"; \ - fi; \ - fi; \ - fi; \ - }; \ + secret_name="$$1"; \ + secret_value="$$2"; \ + if [ -z "$$secret_value" ]; then \ + if [ -z "$$missing_values" ]; then \ + missing_values=" - $$secret_name"; \ + else \ + missing_values="$$missing_values\n - $$secret_name"; \ + fi; \ + else \ + case "$$secret_value" in \ + /*|./*|../*) \ + if [ ! 
-f "$$secret_value" ]; then \ + if [ -z "$$missing_files" ]; then \ + missing_files=" - $$secret_name ($$secret_value)"; \ + else \ + missing_files="$$missing_files\n - $$secret_name ($$secret_value)"; \ + fi; \ + fi; \ + ;; \ + esac; \ + fi; \ + }; \ check_secret DB_SECRET_USERNAME "$(DB_SECRET_USERNAME)"; \ check_secret DB_SECRET_PASSWORD "$(DB_SECRET_PASSWORD)"; \ check_secret DB_SECRET_DBNAME "$(DB_SECRET_DBNAME)"; \ if [ -n "$$missing_values" ]; then \ - printf "\n$(RED)❌ Missing secret values:$(NC)\n%s\n" "$$missing_values"; \ - printf " Provide them via environment variables or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ - exit 1; \ + printf "\n$(RED)❌ Missing secret values:$(NC)\n"; \ + printf '%b\n' "$$missing_values"; \ + printf " Provide them via environment variables or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ + exit 1; \ fi; \ if [ -n "$$missing_files" ]; then \ - printf "\n$(RED)❌ Secret file paths not found:$(NC)\n%s\n" "$$missing_files"; \ - printf " Ensure the files exist or adjust the overrides before running $(BOLD)make run-cli$(NC).\n\n"; \ - exit 1; \ + printf "\n$(RED)❌ Secret file paths not found:$(NC)\n"; \ + printf '%b\n' "$$missing_files"; \ + printf " Ensure the files exist or adjust the overrides before running $(BOLD)make run-cli$(NC).\n\n"; \ + exit 1; \ fi @printf "\n$(GREEN)🔒 Running CLI with secrets from:$(NC)\n" @printf " DB_SECRET_USERNAME=$(DB_SECRET_USERNAME)\n" From 53f5a95ad3afce1388c41cd8adac0752f0226bbb Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 11:41:16 +0800 Subject: [PATCH 09/13] Normalize run-cli indentation --- metal/makefile/app.mk | 60 +++++++++++++++++++++---------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 84f18483..6b5ae836 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
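Review bot: The `case "$$secret_value" in /*|./*|../*)` arm in `check_secret` treats only values with those three prefixes as file paths, so a relative path written without `./` (for example `database/infra/secrets/pg_password`) skips the `-f` test and is passed on as if it were the secret itself. A mistyped override therefore fails late, presumably as a rejected database login, rather than as a clear "file not found" message. Consider adding a `*)` arm that prints a notice that the value is being used literally, or requiring an explicit marker for literals so that everything else is checked as a path. Separately, `printf '%b\n' "$$missing_files"` expands backslash escapes inside the user-supplied path; joining the entries with real newlines and printing with `%s` keeps the path verbatim. The `run-cli` recipe continues past the end of this hunk.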
@@ -43,42 +43,42 @@ run-cli: @missing_values=""; \ missing_files=""; \ check_secret() { \ - secret_name="$$1"; \ - secret_value="$$2"; \ - if [ -z "$$secret_value" ]; then \ - if [ -z "$$missing_values" ]; then \ - missing_values=" - $$secret_name"; \ - else \ - missing_values="$$missing_values\n - $$secret_name"; \ - fi; \ - else \ - case "$$secret_value" in \ - /*|./*|../*) \ - if [ ! -f "$$secret_value" ]; then \ - if [ -z "$$missing_files" ]; then \ - missing_files=" - $$secret_name ($$secret_value)"; \ - else \ - missing_files="$$missing_files\n - $$secret_name ($$secret_value)"; \ - fi; \ - fi; \ - ;; \ - esac; \ - fi; \ - }; \ + secret_name="$$1"; \ + secret_value="$$2"; \ + if [ -z "$$secret_value" ]; then \ + if [ -z "$$missing_values" ]; then \ + missing_values=" - $$secret_name"; \ + else \ + missing_values="$$missing_values\n - $$secret_name"; \ + fi; \ + else \ + case "$$secret_value" in \ + /*|./*|../*) \ + if [ ! -f "$$secret_value" ]; then \ + if [ -z "$$missing_files" ]; then \ + missing_files=" - $$secret_name ($$secret_value)"; \ + else \ + missing_files="$$missing_files\n - $$secret_name ($$secret_value)"; \ + fi; \ + fi; \ + ;; \ + esac; \ + fi; \ + }; \ check_secret DB_SECRET_USERNAME "$(DB_SECRET_USERNAME)"; \ check_secret DB_SECRET_PASSWORD "$(DB_SECRET_PASSWORD)"; \ check_secret DB_SECRET_DBNAME "$(DB_SECRET_DBNAME)"; \ if [ -n "$$missing_values" ]; then \ - printf "\n$(RED)❌ Missing secret values:$(NC)\n"; \ - printf '%b\n' "$$missing_values"; \ - printf " Provide them via environment variables or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ - exit 1; \ + printf "\n$(RED)❌ Missing secret values:$(NC)\n"; \ + printf '%b\n' "$$missing_values"; \ + printf " Provide them via environment variables or override them when invoking $(BOLD)make run-cli$(NC).\n\n"; \ + exit 1; \ fi; \ if [ -n "$$missing_files" ]; then \ - printf "\n$(RED)❌ Secret file paths not found:$(NC)\n"; \ - printf '%b\n' "$$missing_files"; \ - printf " Ensure 
the files exist or adjust the overrides before running $(BOLD)make run-cli$(NC).\n\n"; \ - exit 1; \ + printf "\n$(RED)❌ Secret file paths not found:$(NC)\n"; \ + printf '%b\n' "$$missing_files"; \ + printf " Ensure the files exist or adjust the overrides before running $(BOLD)make run-cli$(NC).\n\n"; \ + exit 1; \ fi @printf "\n$(GREEN)🔒 Running CLI with secrets from:$(NC)\n" @printf " DB_SECRET_USERNAME=$(DB_SECRET_USERNAME)\n" From 091933ca7cf5c873eb845971883e39b394a9338f Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 11:41:24 +0800 Subject: [PATCH 10/13] Ensure run-cli exports secret overrides --- metal/makefile/app.mk | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 6b5ae836..254f4218 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -86,24 +86,18 @@ run-cli: @printf " DB_SECRET_DBNAME=$(DB_SECRET_DBNAME)\n\n" @if ! command -v docker >/dev/null 2>&1; then \ printf "$(YELLOW)⚠️ Docker not available. Running CLI locally without Docker.\n$(NC)"; \ - DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ - DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ - DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ - go run ./metal/cli/main.go || { \ + DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" go run ./metal/cli/main.go || { \ status=$$?; \ printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ exit $$status; \ - }; \ - else \ - DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" \ - DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" \ - DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" \ - docker compose run --rm api-runner go run ./metal/cli/main.go || { \ + }; \ + else \ + DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \ status=$$?; \ printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ exit $$status; \ - }; \ - fi + }; \ + fi run-cli-docker: make run-cli DB_SECRET_USERNAME=$(DB_SECRET_USERNAME) DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD) DB_SECRET_DBNAME=$(DB_SECRET_DBNAME) From fe0af6ced50fcf2e6bd404f828126885804f0106 Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 11:47:22 +0800 Subject: [PATCH 11/13] Mask password in run-cli output --- metal/makefile/app.mk | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 254f4218..fe5af3d9 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -82,7 +82,12 @@ run-cli: fi @printf "\n$(GREEN)🔒 Running CLI with secrets from:$(NC)\n" @printf " DB_SECRET_USERNAME=$(DB_SECRET_USERNAME)\n" - @printf " DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD)\n" + @DB_SECRET_PASSWORD_DISPLAY=`case "$(DB_SECRET_PASSWORD)" in \ + /*|./*|../*) printf '%s' "$(DB_SECRET_PASSWORD)";; \ + "") printf '';; \ + *) printf '';; \ + esac`; \ + printf " DB_SECRET_PASSWORD=%s\n" "$$DB_SECRET_PASSWORD_DISPLAY" @printf " DB_SECRET_DBNAME=$(DB_SECRET_DBNAME)\n\n" @if ! command -v docker >/dev/null 2>&1; then \ printf "$(YELLOW)⚠️ Docker not available. Running CLI locally without Docker.\n$(NC)"; \ From aa8708ca5e58e1d24e643e87a8a253db7fc447dd Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 11:52:17 +0800 Subject: [PATCH 12/13] Redact CLI secret identifiers --- metal/makefile/app.mk | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index fe5af3d9..430ddbc3 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -81,14 +81,24 @@ run-cli: exit 1; \ fi @printf "\n$(GREEN)🔒 Running CLI with secrets from:$(NC)\n" - @printf " DB_SECRET_USERNAME=$(DB_SECRET_USERNAME)\n" + @DB_SECRET_USERNAME_DISPLAY=`case "$(DB_SECRET_USERNAME)" in \ + /*|./*|../*) printf '%s' "$(DB_SECRET_USERNAME)";; \ + "") printf '';; \ + *) printf '';; \ + esac`; \ + printf " DB_SECRET_USERNAME=%s\n" "$$DB_SECRET_USERNAME_DISPLAY" @DB_SECRET_PASSWORD_DISPLAY=`case "$(DB_SECRET_PASSWORD)" in \ - /*|./*|../*) printf '%s' "$(DB_SECRET_PASSWORD)";; \ - "") printf '';; \ - *) printf '';; \ - esac`; \ + /*|./*|../*) printf '%s' "$(DB_SECRET_PASSWORD)";; \ + "") printf '';; \ + *) printf '';; \ + esac`; \ printf " DB_SECRET_PASSWORD=%s\n" "$$DB_SECRET_PASSWORD_DISPLAY" - @printf " DB_SECRET_DBNAME=$(DB_SECRET_DBNAME)\n\n" + @DB_SECRET_DBNAME_DISPLAY=`case "$(DB_SECRET_DBNAME)" in \ + /*|./*|../*) printf '%s' "$(DB_SECRET_DBNAME)";; \ + "") printf '';; \ + *) printf '';; \ + esac`; \ + printf " DB_SECRET_DBNAME=%s\n\n" "$$DB_SECRET_DBNAME_DISPLAY" @if ! command -v docker >/dev/null 2>&1; then \ printf "$(YELLOW)⚠️ Docker not available. Running CLI locally without Docker.\n$(NC)"; \ DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" go run ./metal/cli/main.go || { \ From 7fada94b1e8bd3bcf5201baf9b2c12119227759b Mon Sep 17 00:00:00 2001 From: Gus Date: Tue, 14 Oct 2025 12:00:15 +0800 Subject: [PATCH 13/13] Remove local run-cli fallback --- metal/makefile/app.mk | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/metal/makefile/app.mk b/metal/makefile/app.mk index 430ddbc3..68b2e09b 100644 --- a/metal/makefile/app.mk +++ b/metal/makefile/app.mk 
@@ -99,20 +99,11 @@ run-cli: *) printf '';; \ esac`; \ printf " DB_SECRET_DBNAME=%s\n\n" "$$DB_SECRET_DBNAME_DISPLAY" - @if ! command -v docker >/dev/null 2>&1; then \ - printf "$(YELLOW)⚠️ Docker not available. Running CLI locally without Docker.\n$(NC)"; \ - DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" go run ./metal/cli/main.go || { \ - status=$$?; \ - printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ - exit $$status; \ - }; \ - else \ - DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \ - status=$$?; \ - printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ - exit $$status; \ - }; \ - fi + @DB_SECRET_USERNAME="$(DB_SECRET_USERNAME)" DB_SECRET_PASSWORD="$(DB_SECRET_PASSWORD)" DB_SECRET_DBNAME="$(DB_SECRET_DBNAME)" docker compose run --rm api-runner go run ./metal/cli/main.go || { \ + status=$$?; \ + printf "\n$(RED)❌ CLI exited with status $$status.$(NC)\n"; \ + exit $$status; \ + } run-cli-docker: make run-cli DB_SECRET_USERNAME=$(DB_SECRET_USERNAME) DB_SECRET_PASSWORD=$(DB_SECRET_PASSWORD) DB_SECRET_DBNAME=$(DB_SECRET_DBNAME)
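Review bot: With the local fallback removed, the only execution path is `docker compose run --rm api-runner …`, but `check_secret` earlier in the recipe (outside this hunk) still validates `/*` paths against the host filesystem. As far as the compose hunk in PATCH 01/13 shows, `api-runner` mounts only `.:/app` and the Go module cache, so an absolute host path such as `/run/secrets/pg_password` (constructed example) can pass the `-f` check and still be absent inside the container. Either restrict overrides to paths under the repository or add a comment like `# absolute secret paths must also be mounted into api-runner` next to the defaults. It is also not visible here whether the compose service forwards the `DB_SECRET_*` variables set in front of `docker compose`; if it does not reference them, the overrides are silently ignored and only `./.env` applies.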