cuenv: one typed file for your whole project — Stable…
    Neura MarketNeura Market/Stable Diffusion
    ChatGPTChatGPTClaudeClaudeGeminiGeminiCursorCursorGrokGrokPerplexityPerplexityStable DiffusionStable Diffusion
    DeepSeekDeepSeekCoPilotCoPilotMidjourneyMidjourney
    View All Directories
    OverviewPromptsBlogVideosGuidesCoursesCommunityModelsLoRAsComfyUI WorkflowsTrending
    Stable DiffusionBlogcuenv: one typed file for your whole project
    Back to Blog
    cuenv: one typed file for your whole project
    automation

    cuenv: one typed file for your whole project

    Peter Jausovec June 23, 2026
    0 views

    Most projects don't have a configuration system — they have a pile: a .env file, a Makefile, a CI workflow, and secrets in a fourth place, none of it validated and all of it slowly drifting apart. cuenv replaces that pile with a single typed env.cue written in CUE. In this overview I'll show you how it validates your config before anything runs, resolves secrets at runtime, runs your tasks as a cached DAG, and generates your CI from the same definitions.


    title: cuenv: one typed file for your whole project published: true description: "Most projects don't have a configuration system — they have a pile: a .env file, a Makefile, a CI workflow, and secrets in a fourth place, none of it validated and all of it slowly drifting apart. cuenv replaces that pile with a single typed env.cue written in CUE. In this overview I'll show you how it validates your config before anything runs, resolves secrets at runtime, runs your tasks as a cached DAG, and generates your CI from the same definitions." tags: cover_image: https://learncloudnative.com/timgs/cuenvthumb.png

    Use a ratio of 100:42 for best results.

    published_at: 2023-08-29 16:08 +0000


    Most projects don't really have a configuration system. They have a pile.

    There's a .env file holding your variables. A Makefile or a justfile holding your tasks. A hand-written CI workflow that tries to reproduce both in YAML. And your secrets live in a fourth place — a password manager, a cloud secret store, or, in the worst case, accidentally committed to the repo. Nothing validates any of it, and the pieces drift apart the moment someone changes one without touching the others.

    cuenv replaces that pile with a single typed file. You describe your project once in CUE, a typed configuration language. Then cuenv validates it, resolves secrets at runtime, runs your tasks, and generates your CI from the same definitions.

    In this post I'll give you a quick overview of cuenv and explain the problem it solves, the core model, and three short demos. If you prefer a video, check the YouTube link below.

    {% youtube AcXkRO1yZh4 %}

    Configuration sprawl problem

    Here's what the typical project setup looks like, and why each layer hurts:

    • .env — flat strings. NODE_ENV=prodction is valid text. Nothing catches the typo until something breaks downstream.
    • Makefile / justfile — shell recipes. Task dependencies are implicit, parallelism is manual, and a mistyped target only fails at runtime.
    • CI YAML — a second copy of your tasks. Hand-maintained to match the Makefile, and it always falls behind.
    • Secrets — a fourth place. Referenced by convention, easy to forget, easy to leak into logs or commits.

    None of these layers know about each other. The .env doesn't know CI needs DATABASE_URL. The CI doesn't know the Makefile renamed build to compile. There's no single place that says "this is what a valid version of this project looks like" — so there's no single place to validate.

    What cuenv does

    cuenv is a single static binary. The whole idea is that one env.cue becomes the source of truth for four concerns that are usually maintained separately:

    1. Typed environment — enums, numeric bounds, regex patterns, and defaults, all checked at evaluation time.
    2. Runtime secrets — resolved from 1Password, AWS Secrets Manager, GCP Secret Manager, Infisical, or any CLI, and redacted from output. They never land in the file or your shell.
    3. A task DAG — declared with CUE references, run in parallel where possible, with opt-in content-addressed caching.
    4. CI generation — cuenv sync ci writes your GitHub Actions workflow from the same task graph, and cuenv ci runs that exact graph locally.

    Because all four come from the same file, they can't fall out of sync.

    Creating your first cuenv project

    cuenv projects are standard CUE modules, so you start by initialising one and pulling in the cuenv schema:

    mkdir cuenv-demo && cd cuenv-demo
    cue mod init github.com/[your_gh_username]/cuenv-demo
    cue mod get github.com/cuenv/cuenv@latest
    

    Then the whole project is one env.cue:

    package cuenv
    
    import "github.com/cuenv/cuenv/schema"
    
    schema.#Project & {
        name: "cuenv-demo"
    
        env: {
            // An enum with a default: only these values are valid.
            NODE_ENV: "development" | "staging" | "production" | *"development"
            PORT:     "3000"
            URL:      "http://127.0.0.1:\(PORT)"
        }
    
        tasks: {
            hello: schema.#Task & {
                command: "echo"
                args: ["Hello from cuenv"]
            }
            greet: schema.#Task & {
                command: "echo"
                args: ["Hello, \(env.NODE_ENV)!"]
            }
        }
    }
    

    With cuenv env print you can resolve all variables and print them out:

    cuenv env print
    
    NODE_ENV=development
    PORT=3000
    URL=http://127.0.0.1:3000
    

    Notice URL is built by interpolation from the other two values. Let's see how the validation looks like. Overwrite the NODE_ENV with a value that's not defined in the enum:

        env: {
            // An enum with a default: only these values are valid.
            NODE_ENV: "development" | "staging" | "production" | *"development"
            NODE_ENV: "prod"
            PORT:     "3000"
            URL:      "http://127.0.0.1:\(PORT)"
        }
    

    IF you re-run the print command again, you'll notice an error, which is expected:

    $ cuenv env print
    # evaluation error: NODE_ENV: 3 errors in empty disjunction ...
    

    Since we clearly require NODE_ENV to be one of the specified values, the invalid configuration (e.g. prod) never reaches a single command. As the docs put it, the cheapest bug is the one that never executes. Validation happens at evaluation time, before anything runs.

    And you can run things inside that validated environment:

    cuenv task            # list tasks
    cuenv task hello      # run one
    cuenv exec -- printenv PORT   # run any command in the resolved env
    

    Running tasks

    This is where cuenv replaces your Makefile. Here's a task group that runs in parallel, and a build task that depends on it:

    tasks: {
        // Object keys in a group run in PARALLEL.
        check: schema.#TaskGroup & {
            type: "group"
            lint:  schema.#Task & {command: "npm", args: ["run", "lint"]}
            types: schema.#Task & {command: "npm", args: ["run", "typecheck"]}
            test:  schema.#Task & {command: "npm", args: ["test"]}
        }
    
        // Waits for `check`; only re-runs when its inputs change.
        build: schema.#Task & {
            command:   "npm"
            args:      ["run", "build"]
            dependsOn: [check]
            inputs:    ["src/**", "package.json"]
            outputs:   ["dist/**"]
            cache: mode: "read-write"
        }
    }
    

    One detail worth dwelling on: dependsOn: [check] is a CUE reference, not a string. It points at the actual check value. Misspell it and CUE refuses to evaluate — a typo is a compile error, not a silent no-op at runtime.

    cuenv derives the graph, runs independent work in parallel, and you can watch it live with the TUI:

    cuenv task build --tui
    

    cuenv terminal UI

    Since we opted into caching, if you re-run the build commmand twice (without changing any source files), you'll see caching in action. The values will be re-used and the task execution will be significantly faster.

    Reading secrets and generating CI workflows

    Two things teams almost always maintain by hand, and separately: secrets and CI. Both come out of this same file.

    There's multiple options to declare secrets inside the .cue file. You can execute a CLI command, read the secrets from GCP, AWS or even 1Password. For example:

    env: {
        // ...existing vars...
    
        // Resolved at runtime from 1Password. Never written to disk or your shell.
        DATABASE_PASSWORD: schema.#OnePasswordRef & {
            ref: "op://Engineering/checkout-db/password"
        }
    }
    

    Then if you run cuenv env print, you'll notice the password shows up redacted. This means it will never be stored in the generated output or in your shell.

    Finally, let's check out the CI. Let's add small pipeline that points at the tasks you already defined:

    ci: {
        providers: ["github"]
        pipelines: {
            default: {
                tasks: [tasks.check, tasks.build]
            }
        }
    }
    

    Run cuenv sync ci and cuenv writes the GitHub Actions workflow for you. You can pretty much commit this file to your repo and you have CI sorted out!

    Conclusion

    The core idea is simple. You have one typed contract for your environment, your secrets, your tasks, and your CI. The whole file gets validated before anything runs, and it's identical on your laptop and in CI. The drift between four files that never agreed with each other just goes away, because there's only one file now.

    If this sounds like something that would help your project, make sure you check out the cuenv.dev documentation or head over to GitHub repo to contribute to the project.

    Tags

    automationcicddevopstooling

    Comments

    More Blog

    View all
    Context bankruptcy: The case for strategic forgetting for AI Agentsai

    Context bankruptcy: The case for strategic forgetting for AI Agents

    Most of us have seen a coding agent fail to complete a task we know it can do. We just don't...

    J
    James O'Reilly
    Parallel Compliance Engine: Drive-to-Sheets Multi-Agent Orchestrationgooglecloud

    Parallel Compliance Engine: Drive-to-Sheets Multi-Agent Orchestration

    When building Generative AI applications, developers often encounter a massive bottleneck: sequential...

    A
    Aryan Irani
    Is It Ethical to Post and Ask About Circuits on Dev.to?discuss

    Is It Ethical to Post and Ask About Circuits on Dev.to?

    I’ve been thinking about sharing some electronic circuit posts on Dev.to — small circuits, DIY...

    C
    codebunny20
    The One-Click Exporter: AI Studio Antigravity, Probed to Its Limitsagents

    The One-Click Exporter: AI Studio Antigravity, Probed to Its Limits

    What nobody tells you about exporting your multi-agent prototype to a local workspace. Every...

    L
    leslysandra
    Guarding the till while autonomous data agents do the diggingagenticarchitect

    Guarding the till while autonomous data agents do the digging

    Autonomous agents are genuinely good at answering messy business questions. Give one an LLM and a set...

    S
    Sireesha Pulipati
    Return on Attention: Why AI Code Reviews Are Wearing Us Outai

    Return on Attention: Why AI Code Reviews Are Wearing Us Out

    PR volume went up, ticket quality didn't, and the gap got filled with LLMs on both sides of the review: bots reviewing, bots replying, bots occasionally arguing with bots about priorities that only existed in a teammate's head. Our CEO named the actual problem, and it's bigger than code review.

    C
    christine

    Stay up to date

    Get the latest Stable Diffusion prompts, rules, and resources delivered to your inbox weekly.

    Neura Market LogoNeura Market

    Discover the best AI prompts, plugins, and resources for Stable Diffusion and more.

    Content Types

    • Rules
    • Prompts
    • MCPs
    • Agents
    • Guides

    Platforms

    • ChatGPT Directory
    • Claude Directory
    • Gemini Directory
    • Cursor Directory
    • Grok Directory
    • Perplexity Directory
    • DeepSeek Directory
    • CoPilot Directory
    • Stable Diffusion Directory
    • Midjourney Directory
    • All Directories

    Resources

    • Blog
    • Documentation
    • Help Center
    • Marketplace

    Legal

    • Privacy Policy
    • Terms of Service

    © 2026 Neura Market. All rights reserved.

    |

    Not affiliated with any AI platform vendors.

    Ready-made automations for this

    Workflows from the Neura Market marketplace related to this Stable Diffusion resource

    • Automate Delesign Project Creation from New FogBugz Projectsmake · Free · Uses make
    • Automate Project Creation in Todoist from New Zoho Projectsmake · Free · Uses make
    • Automatically Create Harvest Projects from Slack Channel Messagesmake · Free · Uses make
    • Automatically Add New BambooHR Employees to HacknPlan Projectsmake · Free · Uses make
    Browse all workflows