cuenv
A modern application build toolchain with typed environments and CUE-powered task orchestration
Status: Alpha - Core evaluation engine complete, CLI and task runner in active development
Overview
cuenv is a next-generation build toolchain that brings type safety and powerful configuration management to application development. Built around CUE's constraint-based type system, cuenv provides a unified solution for environment management, task orchestration, and secure secret handling.
Unlike traditional build tools, cuenv leverages CUE's ability to compose and validate configuration across directory hierarchies, making it particularly well-suited for monorepos and complex project structures. With integrated Nix support, security isolation, and extensible secret management, cuenv provides a complete development environment solution.
Perfect for:
- Monorepos requiring consistent environment management
- Teams needing type-safe configuration
- Projects with complex build dependencies
- Security-conscious development workflows
Features
| Feature | Status | Description |
|---|---|---|
| â CUE Evaluation Engine | Complete | Fast, reliable CUE evaluation with Rust performance |
| đ§ CLI Interface | In Development | Task execution and environment management |
| đ§ Typed Environments | In Development | Compose environment constraints from CUE modules |
| đ§ Task Orchestration | In Development | Parallel/sequential execution with smart dependencies |
| đ§ Nix Integration | In Development | Automatic software provisioning via Nix flakes |
| đ§ Secret Management | In Development | Extensible resolvers for 1Password, AWS, GCP, etc. |
| đ Security Isolation | Planned | Linux namespaces, landlock, eBPF integration |
| đ§ Shell Integration | In Development | Smart hooks for bash, fish, zsh, nushell |
| đ§ Dev Tool Integration | In Development | Seamless Nix flake and Flox compatibility |
Legend: â Complete ⢠đ§ In Development ⢠đ Planned
Quick Start
Installation đ§
# Install cuenv
# Initialize in your project
# Setup shell integration
Basic Configuration
Create an env.cue file in your project root:
package cuenv
import "github.com/cuenv/cuenv/schema"
schema.#Cuenv
// Environment variables with type constraints
env: {
NODE_ENV: "development" | "staging" | "production"
PORT: >0 & <65536 & *3000
DEBUG: bool | *false
// Environment-specific overrides
environment: production: {
NODE_ENV: "production"
DEBUG: false
}
}
// Task definitions
tasks: {
build: {
description: "Build the application"
command: "npm"
args: ["run", "build"]
inputs: ["src/**/*", "package.json"]
outputs: ["dist/**/*"]
}
test: {
description: "Run tests in parallel"
unit: {
command: "npm"
args: ["run", "test:unit"]
inputs: ["src/**/*.test.js"]
}
integration: {
command: "npm"
args: ["run", "test:integration"]
inputs: ["tests/**/*"]
}
}
}
Running Tasks đ§
# List available tasks
# Run a specific task
# Run with specific environment
# Execute with loaded environment
Core Concepts
Typed Environments đ§
cuenv uses CUE's constraint system to provide type-safe environment management:
import (
"github.com/myorg/postgres/schema"
"github.com/myorg/redis/schema"
)
// Compose environment constraints from multiple modules
env: postgres.#Config & redis.#Config & {
DATABASE_URL: string & =~"^postgresql://"
REDIS_URL: string & =~"^redis://"
API_KEY: #Secret & {
resolver: #OnePasswordRef & {
ref: "op://api-keys/production/key"
}
}
}
Task Orchestration đ§
Control execution flow with CUE's structure:
tasks: {
// Array structure = sequential execution
deploy: {
description: "Deploy application"
tasks: [
{command: "docker", args: ["build", "-t", "myapp", "."]},
{command: "docker", args: ["push", "myapp"]},
{command: "kubectl", args: ["apply", "-f", "k8s/"]}
]
}
// Object structure = parallel execution
test: {
description: "Run all tests"
unit: {command: "npm", args: ["run", "test:unit"]}
integration: {command: "npm", args: ["run", "test:e2e"]}
lint: {command: "npm", args: ["run", "lint"]}
}
}
Secret Management đ§
Extensible secret resolution with multiple providers:
#OnePasswordRef: #Secret & {
ref: string
resolver: #ExecResolver & {
command: "op"
args: ["read", ref]
}
}
#AWSSecretRef: #Secret & {
region: string
name: string
resolver: #ExecResolver & {
command: "aws"
args: ["secretsmanager", "get-secret-value",
"--region", region, "--secret-id", name,
"--query", "SecretString", "--output", "text"]
}
}
env: {
DB_PASSWORD: #OnePasswordRef & {
ref: "op://vault/database/password"
}
API_KEY: #AWSSecretRef & {
region: "us-west-2"
name: "prod-api-key"
}
}
Shell Integration đ§
Automatic environment loading with shell hooks:
hooks: {
onEnter: [
// Load Nix environment
schema.#NixFlake & {preload: true},
// Custom initialization
{
command: "echo"
args: ["Entering cuenv environment..."]
}
]
onExit: [
{
command: "echo"
args: ["Goodbye!"]
}
]
}
CLI Reference đ§
Commands
# Task management
# Environment management
# Project setup
# Development
Global Options
| Option | Description |
|---|---|
--env, -e |
Environment to use (dev, staging, production) |
--cache |
Cache mode (off, read, read-write, write) |
--capability, -c |
Enable specific capabilities |
--audit |
Run in audit mode for security analysis |
--output-format |
Output format (tui, spinner, simple, tree) |
Advanced Usage
Monorepo Configuration đ§
cuenv excels at managing complex monorepo environments:
myproject/
âââ env.cue # Root configuration
âââ services/
â âââ api/
â â âââ env.cue # API-specific config
â âââ frontend/
â âââ env.cue # Frontend-specific config
âââ shared/
âââ postgres.cue # Shared schemas
Root env.cue:
package cuenv
// Global environment
env: {
PROJECT_NAME: "myproject"
LOG_LEVEL: "info" | "debug" | "error" | *"info"
}
// Workspace tasks
tasks: {
"build-all": {
description: "Build all services"
tasks: [
{command: "cuenv", args: ["task", "build"], dir: "services/api"},
{command: "cuenv", args: ["task", "build"], dir: "services/frontend"}
]
}
}
CI/CD Integration đ§
# .github/workflows/ci.yml
name: CI
on:
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v22
- run: curl -fsSL https://cuenv.sh/install | sh
- run: cuenv task ci.quality # Run quality checks
- run: cuenv task ci.test # Run all tests
- run: cuenv task ci.build # Build artifacts
Custom Secret Resolvers đ§
Extend cuenv with your own secret providers:
#HashiCorpVaultRef: #Secret & {
vault_addr: string
path: string
field: string
resolver: #ExecResolver & {
command: "vault"
args: ["kv", "get", "-address=\(vault_addr)",
"-field=\(field)", path]
}
}
env: {
SECRET_KEY: #HashiCorpVaultRef & {
vault_addr: "https://vault.company.com"
path: "secret/myapp"
field: "api_key"
}
}
Architecture
CUE Evaluation Engine â
The core of cuenv is cuengine, a high-performance CUE evaluation engine written in Rust with Go FFI integration:
- Performance: Native Rust performance with optimized caching
- Memory Safety: Zero-copy string handling and safe FFI boundaries
- Reliability: Comprehensive error handling and recovery
- Extensibility: Plugin architecture for custom functions
Caching Strategy â
Intelligent caching system for fast repeated evaluations:
- Input Tracking: File modification time and content hashing
- Dependency Resolution: Automatic cache invalidation
- LRU Eviction: Memory-efficient cache management
- Configurable TTL: Flexible expiration policies
Security Model đ
Multi-layered security approach (planned):
- Linux Namespaces: Process, network, and filesystem isolation
- Landlock: Fine-grained filesystem access control
- eBPF Integration: System call monitoring and filtering
- Capability System: Principle of least privilege
- Audit Logging: Comprehensive security event tracking
Comparison
| Feature | cuenv | Make | Bazel | Taskfile | direnv |
|---|---|---|---|---|---|
| Type Safety | â CUE constraints | â | â BUILD files | â | â |
| Monorepo Support | â Native | â ď¸ Basic | â Excellent | â ď¸ Basic | â ď¸ Per-directory |
| Environment Management | â Typed + Secrets | â | â | â | â Basic |
| Task Dependencies | â Smart | â | â Advanced | â Basic | â |
| Parallel Execution | â | â ď¸ -j flag | â | â ď¸ Limited | â |
| Caching | â Content-aware | â | â Advanced | â | â |
| Security Isolation | đ Planned | â | â Sandboxing | â | â |
| Shell Integration | đ§ | â | â | â | â |
Project Status
Current Phase: Alpha
Production Ready:
- â CUE evaluation engine with comprehensive test suite
- â FFI bridge between Rust and Go
- â Caching and retry mechanisms
- â Input validation and error handling
In Active Development:
- đ§ CLI interface and task runner
- đ§ Shell integration and hooks
- đ§ Secret management framework
- đ§ Nix integration layer
Planned Features:
- đ Security isolation (namespaces, landlock)
- đ Web UI and monitoring
- đ SaaS offering for teams
- đ IDE integrations
Roadmap
Q1 2025: Complete CLI, basic task execution, shell integration
Q2 2025: Secret management, Nix integration, beta release
Q3 2025: Security features, performance optimizations
Q4 2025: SaaS platform, enterprise features
Contributing
We welcome contributions! cuenv is licensed under AGPL-3.0, ensuring it remains open source.
Development Setup
# Clone the repository
# Install Nix (recommended)
|
# Enter development environment
# or with direnv: direnv allow
# Run tests
# Check code quality
&&
Architecture Overview
cuenv/
âââ crates/
â âââ cuengine/ # Core CUE evaluation engine
â â âââ src/
â â âââ bridge.go # Go FFI bridge
â â âââ tests/
â âââ cuenv-core/ # Shared types and utilities
â âââ cuenv-cli/ # CLI interface (upcoming)
âââ examples/ # CUE configuration examples
âââ docs/ # Documentation
Testing
- Unit tests:
cargo test - Integration tests:
cargo test --test integration_tests - Example validation:
cargo test --test examples - Coverage:
cargo llvm-cov
License
Licensed under the GNU Affero General Public License v3.0.
Why AGPL? We believe in keeping cuenv open source while building a sustainable business. The AGPL ensures that any modifications or hosted services using cuenv remain open source, benefiting the entire community.
Links
- Documentation: docs.cuenv.sh đ§
- Original POC: github.com/rawkode/cuenv
- CUE Language: cuelang.org
- Discussion: GitHub Discussions
Built in đ´ ó §ó ˘ó łó Łó ´ó żw for the open source community