# cuenv
**A modern application build toolchain with typed environments and CUE-powered task orchestration**
[](https://www.gnu.org/licenses/agpl-3.0)
[](https://github.com/cuenv/cuenv/actions)
[](https://crates.io/crates/cuenv)
> **Status**: Alpha - Core evaluation engine complete, CLI and task runner in active development
---
## Overview
cuenv is a next-generation build toolchain that brings type safety and powerful configuration management to application development. Built around CUE's constraint-based type system, cuenv provides a unified solution for environment management, task orchestration, and secure secret handling.
Unlike traditional build tools, cuenv leverages CUE's ability to compose and validate configuration across directory hierarchies, making it particularly well-suited for monorepos and complex project structures. With integrated Nix support, security isolation, and extensible secret management, cuenv provides a complete development environment solution.
**Perfect for:**
- Monorepos requiring consistent environment management
- Teams needing type-safe configuration
- Projects with complex build dependencies
- Security-conscious development workflows
---
## Features
| â
**CUE Evaluation Engine** | Complete | Fast, reliable CUE evaluation with Rust performance |
| đ§ **CLI Interface** | In Development | Task execution and environment management |
| đ§ **Typed Environments** | In Development | Compose environment constraints from CUE modules |
| đ§ **Task Orchestration** | In Development | Parallel/sequential execution with smart dependencies |
| đ§ **Nix Integration** | In Development | Automatic software provisioning via Nix flakes |
| đ§ **Secret Management** | In Development | Extensible resolvers for 1Password, AWS, GCP, etc. |
| đ **Security Isolation** | Planned | Linux namespaces, landlock, eBPF integration |
| đ§ **Shell Integration** | In Development | Smart hooks for bash, fish, zsh, nushell |
| đ§ **Dev Tool Integration** | In Development | Seamless Nix flake and Flox compatibility |
**Legend:** â
Complete ⢠đ§ In Development ⢠đ Planned
---
## Quick Start
### Installation đ§
```bash
# Install cuenv
cargo install cuenv
# Initialize in your project
cuenv init
# Setup shell integration
cuenv shell setup
```
### Basic Configuration
Create an `env.cue` file in your project root:
```cue
package cuenv
import "github.com/cuenv/cuenv/schema"
schema.#Cuenv
// Environment variables with type constraints
env: {
NODE_ENV: "development" | "staging" | "production"
PORT: >0 & <65536 & *3000
DEBUG: bool | *false
// Environment-specific overrides
environment: production: {
NODE_ENV: "production"
DEBUG: false
}
}
// Task definitions
tasks: {
build: {
description: "Build the application"
command: "npm"
args: ["run", "build"]
inputs: ["src/**/*", "package.json"]
outputs: ["dist/**/*"]
}
test: {
description: "Run tests in parallel"
unit: {
command: "npm"
args: ["run", "test:unit"]
inputs: ["src/**/*.test.js"]
}
integration: {
command: "npm"
args: ["run", "test:integration"]
inputs: ["tests/**/*"]
}
}
}
```
### Running Tasks đ§
```bash
# List available tasks
cuenv task
# Run a specific task
cuenv task build
# Run with specific environment
cuenv --env production task build
# Execute with loaded environment
cuenv exec npm start
```
---
## Core Concepts
### Typed Environments đ§
cuenv uses CUE's constraint system to provide type-safe environment management:
```cue
import (
"github.com/myorg/postgres/schema"
"github.com/myorg/redis/schema"
)
// Compose environment constraints from multiple modules
env: postgres.#Config & redis.#Config & {
DATABASE_URL: string & =~"^postgresql://"
REDIS_URL: string & =~"^redis://"
API_KEY: #Secret & {
resolver: #OnePasswordRef & {
ref: "op://api-keys/production/key"
}
}
}
```
### Task Orchestration đ§
Control execution flow with CUE's structure:
```cue
tasks: {
// Array structure = sequential execution
deploy: {
description: "Deploy application"
tasks: [
{command: "docker", args: ["build", "-t", "myapp", "."]},
{command: "docker", args: ["push", "myapp"]},
{command: "kubectl", args: ["apply", "-f", "k8s/"]}
]
}
// Object structure = parallel execution
test: {
description: "Run all tests"
unit: {command: "npm", args: ["run", "test:unit"]}
integration: {command: "npm", args: ["run", "test:e2e"]}
lint: {command: "npm", args: ["run", "lint"]}
}
}
```
### Secret Management đ§
Extensible secret resolution with multiple providers:
```cue
#OnePasswordRef: #Secret & {
ref: string
resolver: #ExecResolver & {
command: "op"
args: ["read", ref]
}
}
#AWSSecretRef: #Secret & {
region: string
name: string
resolver: #ExecResolver & {
command: "aws"
args: ["secretsmanager", "get-secret-value",
"--region", region, "--secret-id", name,
"--query", "SecretString", "--output", "text"]
}
}
env: {
DB_PASSWORD: #OnePasswordRef & {
ref: "op://vault/database/password"
}
API_KEY: #AWSSecretRef & {
region: "us-west-2"
name: "prod-api-key"
}
}
```
### Shell Integration đ§
Automatic environment loading with shell hooks:
```cue
hooks: {
onEnter: [
// Load Nix environment
schema.#NixFlake & {preload: true},
// Custom initialization
{
command: "echo"
args: ["Entering cuenv environment..."]
}
]
onExit: [
{
command: "echo"
args: ["Goodbye!"]
}
]
}
```
---
## CLI Reference đ§
### Commands
```bash
# Task management
cuenv task # List all tasks
cuenv task build # Run build task
cuenv task test.unit # Run specific subtask
cuenv task --parallel build test # Run multiple tasks
# Environment management
cuenv env # Show current environment
cuenv env --environment production # Switch to production
cuenv exec -- npm start # Execute with loaded env
# Project setup
cuenv init # Create initial env.cue
cuenv discover # Find all CUE packages
cuenv shell setup # Configure shell integration
# Development
cuenv cache clear # Clear task cache
cuenv --audit task build # Run in audit mode
cuenv --trace-output task deploy # Enable tracing
```
### Global Options
| `--env, -e` | Environment to use (dev, staging, production) |
| `--cache` | Cache mode (off, read, read-write, write) |
| `--capability, -c` | Enable specific capabilities |
| `--audit` | Run in audit mode for security analysis |
| `--output-format` | Output format (tui, spinner, simple, tree) |
---
## Advanced Usage
### Monorepo Configuration đ§
cuenv excels at managing complex monorepo environments:
```
myproject/
âââ env.cue # Root configuration
âââ services/
â âââ api/
â â âââ env.cue # API-specific config
â âââ frontend/
â âââ env.cue # Frontend-specific config
âââ shared/
âââ postgres.cue # Shared schemas
```
**Root `env.cue`:**
```cue
package cuenv
// Global environment
env: {
PROJECT_NAME: "myproject"
LOG_LEVEL: "info" | "debug" | "error" | *"info"
}
// Workspace tasks
tasks: {
"build-all": {
description: "Build all services"
tasks: [
{command: "cuenv", args: ["task", "build"], dir: "services/api"},
{command: "cuenv", args: ["task", "build"], dir: "services/frontend"}
]
}
}
```
### CI/CD Integration đ§
```yaml
# .github/workflows/ci.yml
name: CI
on: [push, pull_request]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v22
- run: curl -fsSL https://cuenv.sh/install | sh
- run: cuenv task ci.quality # Run quality checks
- run: cuenv task ci.test # Run all tests
- run: cuenv task ci.build # Build artifacts
```
### Custom Secret Resolvers đ§
Extend cuenv with your own secret providers:
```cue
#HashiCorpVaultRef: #Secret & {
vault_addr: string
path: string
field: string
resolver: #ExecResolver & {
command: "vault"
args: ["kv", "get", "-address=\(vault_addr)",
"-field=\(field)", path]
}
}
env: {
SECRET_KEY: #HashiCorpVaultRef & {
vault_addr: "https://vault.company.com"
path: "secret/myapp"
field: "api_key"
}
}
```
---
## Architecture
### CUE Evaluation Engine â
The core of cuenv is `cuengine`, a high-performance CUE evaluation engine written in Rust with Go FFI integration:
- **Performance**: Native Rust performance with optimized caching
- **Memory Safety**: Zero-copy string handling and safe FFI boundaries
- **Reliability**: Comprehensive error handling and recovery
- **Extensibility**: Plugin architecture for custom functions
### Caching Strategy â
Intelligent caching system for fast repeated evaluations:
- **Input Tracking**: File modification time and content hashing
- **Dependency Resolution**: Automatic cache invalidation
- **LRU Eviction**: Memory-efficient cache management
- **Configurable TTL**: Flexible expiration policies
### Security Model đ
Multi-layered security approach (planned):
- **Linux Namespaces**: Process, network, and filesystem isolation
- **Landlock**: Fine-grained filesystem access control
- **eBPF Integration**: System call monitoring and filtering
- **Capability System**: Principle of least privilege
- **Audit Logging**: Comprehensive security event tracking
---
## Comparison
| Type Safety | â
CUE constraints | â | â
BUILD files | â | â |
| Monorepo Support | â
Native | â ď¸ Basic | â
Excellent | â ď¸ Basic | â ď¸ Per-directory |
| Environment Management | â
Typed + Secrets | â | â | â | â
Basic |
| Task Dependencies | â
Smart | â
| â
Advanced | â
Basic | â |
| Parallel Execution | â
| â ď¸ -j flag | â
| â ď¸ Limited | â |
| Caching | â
Content-aware | â | â
Advanced | â | â |
| Security Isolation | đ Planned | â | â
Sandboxing | â | â |
| Shell Integration | đ§ | â | â | â | â
|
---
## Project Status
### Current Phase: Alpha
**Production Ready:**
- â
CUE evaluation engine with comprehensive test suite
- â
FFI bridge between Rust and Go
- â
Caching and retry mechanisms
- â
Input validation and error handling
**In Active Development:**
- đ§ CLI interface and task runner
- đ§ Shell integration and hooks
- đ§ Secret management framework
- đ§ Nix integration layer
**Planned Features:**
- đ Security isolation (namespaces, landlock)
- đ Web UI and monitoring
- đ SaaS offering for teams
- đ IDE integrations
### Roadmap
**Q1 2025:** Complete CLI, basic task execution, shell integration
**Q2 2025:** Secret management, Nix integration, beta release
**Q3 2025:** Security features, performance optimizations
**Q4 2025:** SaaS platform, enterprise features
---
## Contributing
We welcome contributions! cuenv is licensed under AGPL-3.0, ensuring it remains open source.
### Development Setup
```bash
# Clone the repository
git clone https://github.com/cuenv/cuenv
cd cuenv
# Install Nix (recommended)
# Enter development environment
nix develop
# or with direnv: direnv allow
# Run tests
cargo test
# Check code quality
treefmt && cargo clippy
```
### Architecture Overview
```
cuenv/
âââ crates/
â âââ cuengine/ # Core CUE evaluation engine
â â âââ src/
â â âââ bridge.go # Go FFI bridge
â â âââ tests/
â âââ cuenv-core/ # Shared types and utilities
â âââ cuenv-cli/ # CLI interface (upcoming)
âââ examples/ # CUE configuration examples
âââ docs/ # Documentation
```
### Testing
- Unit tests: `cargo test`
- Integration tests: `cargo test --test integration_tests`
- Example validation: `cargo test --test examples`
- Coverage: `cargo llvm-cov`
---
## License
Licensed under the [GNU Affero General Public License v3.0](LICENSE).
**Why AGPL?** We believe in keeping cuenv open source while building a sustainable business. The AGPL ensures that any modifications or hosted services using cuenv remain open source, benefiting the entire community.
---
## Links
- **Documentation**: [docs.cuenv.sh](https://docs.cuenv.sh) đ§
- **Original POC**: [github.com/rawkode/cuenv](https://github.com/rawkode/cuenv)
- **CUE Language**: [cuelang.org](https://cuelang.org)
- **Discussion**: [GitHub Discussions](https://github.com/cuenv/cuenv/discussions)
---
_Built in đ´ ó §ó ˘ó łó Łó ´ó żw for the open source community_