Changes

• Fix tools crates (cuenv-tools-oci, cuenv-tools-github, cuenv-tools-nix, cuenv-tools-rustup) versioning for workspace publishing — now inherit workspace version instead of hardcoded 0.1.0
• Update tools dependency versions in root Cargo.toml from 0.1.0 to 0.26.0
• Bump workspace version to 0.26.11

What's Changed

• Enforce task dependencies to be explicit object references in CUE task models instead of allowing plain strings.
• Add compatibility support for task sequence/group dependency enrichment using _name normalization.
• Update module enrichment behavior to normalize non-object dependency values with reference metadata when available.
• Adjust fixture inputs and tests to cover object-form dependencies and serialization shape.

Why this release

Task dependencies now use a single canonical form, improving validation and preventing ambiguous dependency resolution failures when mixing task types.

Highlights

This release is a major code quality and hygiene sweep — removing thousands of lines of dead code, enforcing coding standards
project-wide, and tightening dependency security.

⚠️ Breaking Changes

• owners command removed — CODEOWNERS generation is now handled via cuenv sync using the rules provider. The standalone cuenv owners
  command has been deleted.

🏗️ Refactors

• Type-safe function parameters — All boolean function parameters (json_mode, dry_run, capture_output) replaced with OutputFormat,
  DryRun, and OutputCapture enums across 33 files, enforcing the project coding standard.
• Options structs for large signatures — Functions with >3 parameters collapsed into context/request structs:
  • execute_task_legacy (18 params!) → TaskExecutionRequest
  • TaskBackend::execute → TaskExecutionContext
  • ToolProvider::resolve → ToolResolveRequest
  • save_result → SaveResultData
  • execute_project_pipeline → PipelineExecutionRequest
• Dead code removal (~3,500 lines deleted):
  • Removed unused InlineTui/TuiManager/TuiState from TUI module
  • Removed dead git_hooks helper functions (get_changed_files, find_remote_target, filter_matching_files)
  • Removed stub secret provider crates (aws, gcp, vault) that were never wired into the resolver registry
• #[allow(dead_code)] audit — Removed unnecessary suppression from items that are actually used; added explanatory comments to
  genuinely unused items (serde fields, test helpers). Deleted dead http_credentials_available from the 1Password resolver.
• CODEOWNERS folded into rules sync — Generation and checking now runs through the existing cuenv sync rules provider instead of a
  standalone command path.
• TUI refactored — Event handling consolidated into a shared state-application path, simplifying both runtime and test code.

🧹 Test Cleanup

• Deleted superficial tests that only verify Rust compiler guarantees (struct field assignment, Clone/Debug/Hash derives, Result type
  alias). Tests documenting meaningful behavior contracts were kept.

🔒 Security & Dependencies

• Fixed cargo-deny advisory failures by pinning patched transitive versions (time >= 0.3.47, bytes >= 1.11.1)
• Dropped stale ignored advisory RUSTSEC-2024-0436
• Refreshed Cargo.lock and updated workspace dependency constraints

Bug Fixes

Deterministic CI workflow generation

cuenv sync ci now produces identical output across multiple runs. Previously, the with: block fields in GitHub Action steps (like go-version and cache-dependency-path) could appear in different orders between runs due to HashMap iteration order being non-deterministic. Changed to BTreeMap to ensure consistent alphabetical ordering.

Deploy task dependencies

Fixed dependency resolution for deploy tasks.

Secret redaction alignment

Improved secret redaction to ensure consistent behavior across different contexts.

What's Changed

• feat(ci): use workspace members as path triggers by @rawkode in #277
• Evaluation perf by @rawkode in #278
• feat(env): add interpolated environment variables with secrets by @rawkode in #279

Full Changelog: 0.26.6...0.26.7

Full Changelog: 0.26.5...0.26.6

fix: dependency resolution path wasn't correctly adopting CUE reference metadata

Full Changelog: 0.26.4...0.26.5

fix: bug in pipeline task deserialization

Full Changelog: 0.26.3...0.26.4

fix(ci): add type discriminator to #MatrixTask for CUE disjunction resolution

Fixes an issue where using #TaskGroup or #TaskSequence references directly in CI pipeline tasks would fail with "incomplete value" errors.

The root cause was CUE's inability to disambiguate between #TaskNode and #MatrixTask in the #PipelineTask union type. Added type: "matrix" as a discriminator field to #MatrixTask, following the same pattern used by #TaskGroup (type: "group").

Before:
ci: pipelines: default: tasks: [_t.deploy] // Error: incomplete value

After:
ci: pipelines: default: tasks: [_t.deploy] // Works with groups, sequences, and tasks

Breaking Change: Matrix tasks now require type: "matrix":
// Before
{ task: _t.build, matrix: { arch: ["x64", "arm64"] } }

// After
{ type: "matrix", task: _t.build, matrix: { arch: ["x64", "arm64"] } }

Release 0.26.3

Changes

• fix(tasks): use CUE ReferencePath for canonical dependency resolution (#269)
• fix(ci): add Go cache-dependency-path to setup-go action

Features

• CI Providers Configuration (feat(ci)): Added explicit CI provider configuration to control which manifests are emitted during cuenv sync -A. This is a breaking change requiring explicit opt-in.
  • New #CIProvider type: github | buildkite | gitlab
  • providers field on both #CI (global) and #Pipeline (override)
  • Per-pipeline providers completely override global (no merge)
  • If no providers specified, nothing is emitted

Fixes

• CI Task Group Dependencies (fix(ci)): The CI compiler now correctly expands task group dependencies to leaf tasks. Fixes validation errors like "Task 'check' depends on non-existent task 'tests'"
• Added sibling resolution: when "build" isn't found, tries "docs.build"

Docs

• Documented CI providers feature in cue-schema.md and ci-contributors.md