Cursor

Cursor has accelerated workflows for many development teams. This, however, comes with some risks. Unless your team has gone to great lengths to hide secrets from Cursor, you’re probably sending secrets to their AI agents and potentially leaking them in the code it generates.

varlock exists to solve both of those problems. By never storing the secret values, you never have to worry about sending them to Cursor’s servers. But because of the new .env.schema format you will have better AX (agent experience) when dealing with environment variables.

Get started

To get the most secure experience with Cursor, run:

CLI

varlock init

npm

npx varlock init

yarn

yarn dlx varlock init

pnpm

pnpm dlx varlock init

.cursorignore

By default, cursor now ignores .env.* files. This is a good thing, but it means that you need to explicitly allow the files you want to use with Cursor.

To do this, create a .cursorignore file in the root of your project and add the following:

!.env.schema

Multiple ignore files?

If you have a monorepo, you may need to turn on hierarchical ignore in your Cursor settings.

llms.txt

To give Cursor the full context of what varlock is capable of, you can add custom docs to your project. To do this, follow the instructions to add custom docs and point it to:

https://varlock.dev/llms-full.txt

Cursor rules

Finally, you can add a Cursor rule to your project to ensure that varlock is used when updating environment variables. To do this, follow the instructions to add a project rule and copy our latest Cursor rules.