diff --git a/cmd/holos/tests/cli/cue-vet.txt b/cmd/holos/tests/cli/cue-vet.txt
new file mode 100644
index 00000000..4bd0834f
--- /dev/null
+++ b/cmd/holos/tests/cli/cue-vet.txt
@@ -0,0 +1,12 @@
+# https://github.com/holos-run/holos/issues/358
+# holos cue vet should fail verifications with exit code 1
+! exec holos cue vet ./policy --path strings.ToLower(kind) ./data/secret.yaml
+# holos cue vet should report validation errors to stderr
+stderr 'Forbidden. Use an ExternalSecret instead.'
+
+-- data/secret.yaml --
+kind: Secret
+-- policy/validators.cue --
+package policy
+
+secret: kind: "Forbidden. Use an ExternalSecret instead."
diff --git a/internal/cli/root.go b/internal/cli/root.go
index f6d6336c..4ee3c46f 100644
--- a/internal/cli/root.go
+++ b/internal/cli/root.go
@@ -4,7 +4,6 @@ import (
 	_ "embed"
 	"fmt"
 	"log/slog"
-	"os"
 
 	"github.com/spf13/cobra"
 
@@ -119,7 +118,20 @@ func newOrgCmd(feature holos.Flagger) (cmd *cobra.Command) {
 }
 
 func newCueCmd() (cmd *cobra.Command) {
-	cueCmd, _ := cue.New(os.Args[1:])
-	cmd = cueCmd.Command
-	return
+	// Get a handle on the cue root command fields.
+	root, _ := cue.New([]string{})
+	// Copy the fields to our embedded command.
+	cmd = command.New("cue")
+	cmd.Short = root.Short
+	cmd.Long = root.Long
+	// Pass all arguments through to RunE.
+	cmd.DisableFlagParsing = true
+	cmd.Args = cobra.ArbitraryArgs
+
+	// We do it this way so we handle errors correctly.
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		cueRootCommand, _ := cue.New(args)
+		return cueRootCommand.Run(cmd.Root().Context())
+	}
+	return cmd
 }