diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
index 845c2def5b..6c92f61a59 100644
--- a/.semaphore/semaphore.yml
+++ b/.semaphore/semaphore.yml
@@ -88,6 +88,54 @@ blocks:
           commands:
             - test-results publish . -N "windows/amd64"
 
+  - name: "Muckrake Check linux/amd64"
+    dependencies: []
+    task:
+      agent:
+        machine:
+          type: s1-prod-ubuntu24-04-amd64-1
+      jobs:
+        - name: "Build & Upload linux/amd64"
+          commands:
+            - checkout
+            - "export SHORT_SHA=$(echo $SEMAPHORE_GIT_SHA | cut -c1-8)"
+            - "export TIMESTAMP=$(date -u +%Y%m%d-%H%M%S)"
+            - |
+              if [ "$SEMAPHORE_GIT_BRANCH" = "main" ]; then
+                export BUILD_ID="main/${TIMESTAMP}-${SHORT_SHA}"
+              else
+                export BUILD_ID="branches/${SEMAPHORE_GIT_BRANCH}/${TIMESTAMP}-${SHORT_SHA}"
+              fi
+            - "echo Build ID: $BUILD_ID"
+            - "GOOS=linux GOARCH=amd64 make muckrake-build-docker"
+            - "source assume-iam-role arn:aws:iam::050879227952:role/cli-release-semaphore"
+            - "BUILD_ID=$BUILD_ID BINARY_PATH=dist/confluent_linux_amd64/confluent S3_KEY=confluent_linux_amd64 make muckrake-upload-s3"
+            - "echo ✅ linux/amd64 binary uploaded to s3://confluent.cloud/confluent-cli/development-builds/$BUILD_ID/"
+
+  - name: "Muckrake Check linux/arm64"
+    dependencies: []
+    task:
+      agent:
+        machine:
+          type: s1-prod-ubuntu24-04-arm64-1
+      jobs:
+        - name: "Build & Upload linux/arm64"
+          commands:
+            - checkout
+            - "export SHORT_SHA=$(echo $SEMAPHORE_GIT_SHA | cut -c1-8)"
+            - "export TIMESTAMP=$(date -u +%Y%m%d-%H%M%S)"
+            - |
+              if [ "$SEMAPHORE_GIT_BRANCH" = "main" ]; then
+                export BUILD_ID="main/${TIMESTAMP}-${SHORT_SHA}"
+              else
+                export BUILD_ID="branches/${SEMAPHORE_GIT_BRANCH}/${TIMESTAMP}-${SHORT_SHA}"
+              fi
+            - "echo Build ID: $BUILD_ID"
+            - "GOOS=linux GOARCH=arm64 make muckrake-build-docker"
+            - "source assume-iam-role arn:aws:iam::050879227952:role/cli-release-semaphore"
+            - "BUILD_ID=$BUILD_ID BINARY_PATH=dist/confluent_linux_arm64/confluent S3_KEY=confluent_linux_arm64 make muckrake-upload-s3"
+            - "echo ✅ linux/arm64 binary uploaded to s3://confluent.cloud/confluent-cli/development-builds/$BUILD_ID/"
+
 after_pipeline:
   task:
     jobs:
diff --git a/Makefile b/Makefile
index 75bbe67de9..7d29e76232 100644
--- a/Makefile
+++ b/Makefile
@@ -140,4 +140,56 @@ coverage: ## Merge coverage data from unit and integration tests into coverage.t
 	@tail -n +2 coverage.unit.out >> coverage.txt
 	@tail -n +2 coverage.integration.out >> coverage.txt
 	@echo "Coverage data saved to: coverage.txt"
-	@artifact push workflow coverage.txt
\ No newline at end of file
+	@artifact push workflow coverage.txt
+
+.PHONY: muckrake-build-docker
+muckrake-build-docker:
+	@echo "Building CLI binary with Docker image for Muckrake Check..."
+	@echo "Target: $(GOOS)/$(GOARCH)"
+	@echo "Clean up any possible existing containers under same name..."
+	@docker rm -f confluent-muckrake-builder-container 2>/dev/null || true
+	@echo "Building Docker image..."
+	docker build -f docker/Dockerfile_muckrake \
+		--build-arg GOOS=$(GOOS) \
+		--build-arg GOARCH=$(GOARCH) \
+		-t confluent-muckrake-builder .
+	@echo "Creating a container from the image..."
+	docker create --name confluent-muckrake-builder-container confluent-muckrake-builder
+	@echo "Copy built binary from the container"
+	docker cp confluent-muckrake-builder-container:/workspace/dist/. dist/
+	@echo "Clean up container"
+	docker rm confluent-muckrake-builder-container
+	@echo "✅  Binary built successfully at dist/confluent_$(GOOS)_$(GOARCH)/confluent"
+
+.PHONY: muckrake-upload-s3
+muckrake-upload-s3:
+	@echo "Uploading CLI binary to S3..."
+	@if [ -z "$(BUILD_ID)" ]; then \
+		echo "❌  Error: BUILD_ID is not set"; \
+		exit 1; \
+	fi
+	@if [ -z "$(BINARY_PATH)" ]; then \
+		echo "❌  Error: BINARY_PATH is not set"; \
+		exit 1; \
+	fi
+	@if [ -z "$(S3_KEY)" ]; then \
+		echo "❌  Error: S3_KEY is not set"; \
+		exit 1; \
+	fi
+	@if [ ! -f "$(BINARY_PATH)" ]; then \
+		echo "❌  Error: Binary not found at $(BINARY_PATH)"; \
+		exit 1; \
+	fi
+	@echo "Build ID: $(BUILD_ID)"
+	@echo "Binary: $(BINARY_PATH)"
+	@echo "S3 Key: $(S3_KEY)"
+	@aws s3 cp $(BINARY_PATH) s3://confluent.cloud/confluent-cli/development-builds/$(BUILD_ID)/$(S3_KEY) \
+		--acl public-read --region us-west-2
+	@echo "✅  Binary uploaded to s3://confluent.cloud/confluent-cli/development-builds/$(BUILD_ID)/$(S3_KEY)"
+
+.PHONY: muckrake-clean
+muckrake-clean:
+	@echo "Cleaning up Muckrake Check artifacts..."
+	@docker rm -f confluent-muckrake-builder-container 2>/dev/null || true
+	@docker rmi -f confluent-muckrake-builder 2>/dev/null || true
+	@echo "✅  Cleanup complete"
\ No newline at end of file
diff --git a/debian/patches/standard_build_layout.patch b/debian/patches/standard_build_layout.patch
index d1c3592bcd..133906288b 100644
--- a/debian/patches/standard_build_layout.patch
+++ b/debian/patches/standard_build_layout.patch
@@ -1,6 +1,6 @@
---- cli/Makefile	2025-08-27 10:15:22.860561026 -0700
-+++ debian/Makefile	2025-09-12 11:15:01.286651273 -0700
-@@ -1,143 +1,163 @@
+--- cli/Makefile	2025-10-14 11:32:51.152782132 -0700
++++ debian/Makefile	2025-10-10 18:28:49.581238914 -0700
+@@ -1,195 +1,163 @@
 -SHELL := /bin/bash
 -GORELEASER_VERSION := v1.21.2
 +SHELL=/bin/bash
@@ -296,6 +296,58 @@
 -	@tail -n +2 coverage.integration.out >> coverage.txt
 -	@echo "Coverage data saved to: coverage.txt"
 -	@artifact push workflow coverage.txt
+-
+-.PHONY: muckrake-build-docker
+-muckrake-build-docker:
+-	@echo "Building CLI binary with Docker image for Muckrake Check..."
+-	@echo "Target: $(GOOS)/$(GOARCH)"
+-	@echo "Clean up any possible existing containers under same name..."
+-	@docker rm -f confluent-muckrake-builder-container 2>/dev/null || true
+-	@echo "Building Docker image..."
+-	docker build -f docker/Dockerfile_muckrake \
+-		--build-arg GOOS=$(GOOS) \
+-		--build-arg GOARCH=$(GOARCH) \
+-		-t confluent-muckrake-builder .
+-	@echo "Creating a container from the image..."
+-	docker create --name confluent-muckrake-builder-container confluent-muckrake-builder
+-	@echo "Copy built binary from the container"
+-	docker cp confluent-muckrake-builder-container:/workspace/dist/. dist/
+-	@echo "Clean up container"
+-	docker rm confluent-muckrake-builder-container
+-	@echo "✅  Binary built successfully at dist/confluent_$(GOOS)_$(GOARCH)/confluent"
+-
+-.PHONY: muckrake-upload-s3
+-muckrake-upload-s3:
+-	@echo "Uploading CLI binary to S3..."
+-	@if [ -z "$(BUILD_ID)" ]; then \
+-		echo "❌  Error: BUILD_ID is not set"; \
+-		exit 1; \
+-	fi
+-	@if [ -z "$(BINARY_PATH)" ]; then \
+-		echo "❌  Error: BINARY_PATH is not set"; \
+-		exit 1; \
+-	fi
+-	@if [ -z "$(S3_KEY)" ]; then \
+-		echo "❌  Error: S3_KEY is not set"; \
+-		exit 1; \
+-	fi
+-	@if [ ! -f "$(BINARY_PATH)" ]; then \
+-		echo "❌  Error: Binary not found at $(BINARY_PATH)"; \
+-		exit 1; \
+-	fi
+-	@echo "Build ID: $(BUILD_ID)"
+-	@echo "Binary: $(BINARY_PATH)"
+-	@echo "S3 Key: $(S3_KEY)"
+-	@aws s3 cp $(BINARY_PATH) s3://confluent.cloud/confluent-cli/development-builds/$(BUILD_ID)/$(S3_KEY) \
+-		--acl public-read --region us-west-2
+-	@echo "✅  Binary uploaded to s3://confluent.cloud/confluent-cli/development-builds/$(BUILD_ID)/$(S3_KEY)"
+-
+-.PHONY: muckrake-clean
+-muckrake-clean:
+-	@echo "Cleaning up Muckrake Check artifacts..."
+-	@docker rm -f confluent-muckrake-builder-container 2>/dev/null || true
+-	@docker rmi -f confluent-muckrake-builder 2>/dev/null || true
+-	@echo "✅  Cleanup complete"
 \ No newline at end of file
 +RELEASE_%:
 +	echo 0 > $@
diff --git a/docker/Dockerfile_muckrake b/docker/Dockerfile_muckrake
new file mode 100644
index 0000000000..7ef84d4880
--- /dev/null
+++ b/docker/Dockerfile_muckrake
@@ -0,0 +1,44 @@
+ARG GOOS=linux
+ARG GOARCH=amd64
+
+FROM almalinux:8.10
+
+ARG GOOS
+ARG GOARCH
+
+SHELL ["/bin/bash", "-c"]
+
+RUN yum -y update && \
+    yum -y install make git wget gcc-toolset-9 && \
+    scl enable gcc-toolset-9 bash
+
+COPY . /workspace/
+
+RUN cd /workspace/ && \
+    set -ex && \
+    export GO_VERSION=$(cat .go-version) && \
+    if [ "${GOARCH}" = "amd64" ]; then \
+        wget "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" && \
+        tar -C /usr/local -xzf "go${GO_VERSION}.linux-amd64.tar.gz"; \
+    elif [ "${GOARCH}" = "arm64" ]; then \
+        wget "https://go.dev/dl/go${GO_VERSION}.linux-arm64.tar.gz" && \
+        tar -C /usr/local -xzf "go${GO_VERSION}.linux-arm64.tar.gz"; \
+    fi && \
+    export PATH=${PATH}:/usr/local/go/bin:/root/go/bin && \
+    go mod download && \
+    go mod verify && \
+    mkdir -p dist/confluent_${GOOS}_${GOARCH} && \
+    COMMIT_SHA=$(git rev-parse --short HEAD 2>/dev/null || echo "dev") && \
+    BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) && \
+    echo "Building Confluent Development CLI for ${GOOS}/${GOARCH}" && \
+    echo "  Commit: ${COMMIT_SHA}" && \
+    echo "  Date: ${BUILD_DATE}" && \
+    CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build \
+    -ldflags="-s -w -X main.commit=${COMMIT_SHA} -X main.date=${BUILD_DATE}" \
+    -o dist/confluent_${GOOS}_${GOARCH}/confluent \
+    ./cmd/confluent && \
+    ls -lh dist/confluent_${GOOS}_${GOARCH}/confluent && \
+    echo "✅ Build completed successfully"
+
+WORKDIR /workspace
+