# breakpilot-compliance — developer workflow
#
# Secrets are managed in Infisical (secrets.meghsakha.com). The project
# link lives in .infisical.json. To get started:
#   1) infisical login --domain https://secrets.meghsakha.com   (once per machine)
#   2) make dev
#
# .env / .env.local are NOT used in this repo anymore. Anything that needs
# secrets MUST be launched through `infisical run` so the values come from
# the secrets store instead of disk.

INFISICAL ?= infisical
INFISICAL_DOMAIN ?= https://secrets.meghsakha.com
ENV ?= dev

INFISICAL_RUN := $(INFISICAL) --domain $(INFISICAL_DOMAIN) run --env=$(ENV) --
INFISICAL_SECRETS := $(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets --env=$(ENV)

.PHONY: help dev dev-build dev-down dev-logs dev-ps secrets secrets-set check-loc

help:
	@echo "Targets:"
	@echo "  dev           Start the full compose stack with secrets injected from Infisical"
	@echo "  dev-build     Same as dev, but force a rebuild first"
	@echo "  dev-down      Stop the compose stack (no secrets needed)"
	@echo "  dev-logs      Tail logs from all services"
	@echo "  dev-ps        Show running containers"
	@echo "  secrets       List all secrets in the current env ($(ENV))"
	@echo "  secrets-set   Set a secret (KEY=... VALUE=...)"
	@echo "  check-loc     Run the 500-line LOC guard"

dev:
	$(INFISICAL_RUN) docker compose up

dev-build:
	$(INFISICAL_RUN) docker compose up --build

dev-down:
	docker compose down

dev-logs:
	docker compose logs -f

dev-ps:
	docker compose ps

secrets:
	$(INFISICAL_SECRETS)

secrets-set:
	@if [ -z "$(KEY)" ] || [ -z "$(VALUE)" ]; then \
		echo "Usage: make secrets-set KEY=MY_KEY VALUE=my_value"; exit 1; \
	fi
	$(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets set $(KEY)=$(VALUE) --env=$(ENV)

check-loc:
	bash scripts/check-loc.sh
