Foundational ConfigHub skill — load first for orientation and doctrine. Covers core vocabulary (Unit, Space, Target, Worker, Trigger, Filter, Link), Space layout per environment/region, config-as-data authoring (literal YAML, no Helm/Kustomize templates, one resource per Unit), delete/destroy gates, and routing a task to the right skill. Route obvious tasks directly (image bump -> cub-mutate; find Units -> cub-query).
67
—
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
The foundational skill. Explains ConfigHub's model in plain language, carries the load-bearing doctrine (config-as-data authoring, Space topology, one resource per Unit), covers delete/destroy gates, and routes concrete tasks to the right dedicated skill.
Load this first when the intent is broad. Hand off as soon as the task is concrete.
https://docs.confighub.com/), not a skill.Never compose cub commands from memory. Confirm the verb and its flags with cub <verb> --help (or CONFIGHUB_AGENT=1 cub <verb> --help) before running — never invent flags or function names. cub --help is whitelisted, so this is free.
ConfigHub treats configuration as data: fully materialized YAML stored in a versioned database, not code or templates. Mutations go through server-side functions on that data. Delivery, policy, and audit all hang off that model.
--change-desc and the data diff.get-container-image), setters (set-container-image, set-replicas), defaults (set-container-resources-defaults), validators (vet-schemas, vet-cel), helpers (yq, yq-i).Mutation or PostClone. A failing validator attaches an ApplyGate.TriggerFilterID.serviceAccountName → a ServiceAccount Unit). Enables cross-Unit integrity and needs/provides.OCI (publishes the Unit's data to ConfigHub's built-in OCI registry for ArgoCD or Flux to pull) or ConfigHub (applies ConfigHub-native ConfigHub/YAML config). References a server worker. Typically one OCI Target per Space — the OCI transport accepts Units of any toolchain.cub worker create --is-server-worker). Run an external worker only to host custom worker functions.cub. kubectl / argocd / flux are read-only for diagnosis.--change-desc (summary line, verbatim user prompt, condensed clarifications).-o mutations to show the diff inline.A Unit contains fully materialized YAML with literal values for every field. Code (functions) operates on data; data is the record. This is what makes ConfigHub's query, validation, mutation-graph, and revision-history features work — templated or re-rendered Units break all of them.
If you're tempted to reach for Helm, Kustomize, Jsonnet, cdk8s, or a values file to author new config, stop. Those are one-shot onboarding ramps (the import skill), not an ongoing format.
cub unit get <example-slug> --space skill-examples -o yaml — skill-examples-bootstrap seeds Units for common resource types. Adapt one if it fits.kubectl create … --dry-run=client -o yaml | yq 'del(.metadata.creationTimestamp, .status)', then hand-author the fields kubectl won't generate. Never template. Use confighubplaceholder (strings) / 999999999 (numbers) for values supplied later — vet-placeholders blocks apply while any remain. For specific resource types, hand off to kubernetes-resources.cub unit create --space <space> <unit-slug> file.yaml --change-desc "…".set-container-resources-defaults, set-container-probe-defaults, set-pod-container-security-context-defaults (Namespaces: set-pod-security-defaults; guarantee namespace: with ensure-namespaces).set-container-image, set-replicas, set-env-var. The Space is the parameterization boundary — never a values file or overlay.If the user insists on keeping a values file or template inside a Unit, explain the rule once; if they still want it, stop — this isn't the skill for that.
Default: one Kubernetes resource per Unit. It keeps revisions, ApplyGates, diffs, and blast radius scoped to a single resource, and makes promotion and rollback surgical. A multi-workload app becomes one Unit per workload + one per Service/ConfigMap/etc., not one mega-Unit.
Two facts that follow naturally:
<app>-crds.cub helm install and similar render a bundle and split CRDs automatically; the import skill owns that. You can split further afterward, but for new authoring, one resource per Unit is the rule — don't hand-bundle.One Space per deployment boundary — anything you independently promote, approve, apply, or roll back. For most teams that's (app, environment) or (app, environment, region/cluster).
Corollary: environments are Spaces, not slug suffixes. Don't put web-dev and web-prod in one Space — that collapses Target separation, ApplyGate/approval scoping, and clone-based promotion.
platform ← org-wide Triggers + Filters (no workloads)
app-a-home ← app team's home: ChangeSets, Tags, Filters, Views, Invocations
app-a-dev ← (app, env[, region/cluster]) deployment Spaces
app-a-staging
app-a-prod-us-east
shared-infra-prod ← cluster-wide things (ingress, cert-manager, observability)platform — baseline vet-* / CEL / approval Triggers + the Filters that select them. App Spaces attach via --trigger-filter platform/standard-vets. No workloads.<app>-home — neutral, app-team-scoped home for cross-environment operational artifacts (ChangeSets spanning dev→prod, Tags, the <app>-app Filter, Views, Invocations). No workload Units. Referenced cross-Space by slug: --filter <app>-home/<slug>, --changeset <app>-home/<slug>.(app, env[, region/cluster]). Add region/cluster suffixes only when you deploy separately per region.Slug: <app>-<env>[-<region-or-cluster>], lowercase, hyphenated. Reserve platform. Don't encode space-/config-/cub- in slugs. Put structured metadata on the Space (not the slug) with PascalCase, non-abbreviated keys:
cub space update app-a-prod-us-east \
--label Application=app-a --label Environment=prod \
--label Region=us-east --label Cluster=prod-us-east-1This enables cross-Space queries slug-parsing can't: cub unit list --space "*" --where "Space.Labels.Environment = 'prod'". Recommended set: Application, Environment, plus Region / Cluster / Tier when relevant.
OCI and ConfigHub Targets are served by server workers — no process to run. Create one server worker (cub worker create --is-server-worker, often in default) and reference it cross-Space (<space>/server-worker); give each Space its own OCI Target bound to it. Delivery to a cluster from an OCI Target is done by ArgoCD/Flux pulling the published artifact — configured outside ConfigHub. You only run an external worker to host custom worker functions. See worker-bootstrap and target-bind.
cub unit create --dest-space app-a-staging --space app-a-dev # clone a Space forward
cub unit create --space app-a-staging <unit> --upstream-unit app-a-dev/<unit> # single Unit
cub unit update --space app-a-staging <unit> --upgrade # later, pull upstream changesThe upstream-unit link makes --upgrade propagate while preserving per-Space customizations. Note: a Link points downstream→upstream (dependency edge), the opposite of data-flow direction. For the full promotion arc, use promote-release.
ConfigHub makes bulk and cross-Space operations easy — which is also how you accidentally delete a prod Space or destroy live resources. Gates are the opt-in protection (https://docs.confighub.com/markdown/guide/protecting.md).
cub <entity> delete until removed.cub unit destroy (which removes the live cluster resources). Orthogonal to Delete Gates.# Unit — protect prod data and its live resources.
cub unit update --patch --space <app>-prod <unit> --delete-gate prod-critical --destroy-gate prod-critical
# Space — delete only (Spaces have no destroy).
cub space update --patch <space> --delete-gate used-until-dec25
# Remove with the '-' sentinel (empty string won't clear), then delete.
cub space update --patch <space> --delete-gate used-until-dec25=-The gate name carries the why — prefer specific (used-until-dec25, team-payments-owns, in-use-by-argocd) over a generic critical everywhere. Gates stack; all must be removed. Recommend a gate in the same turn you create any prod-bound Space/Unit, shared-infra Space, platform Trigger/Filter, or hard-to-replace Worker.
| User intent | Skill |
|---|---|
| Authoring a specific K8s resource type (StatefulSet, Ingress, NetworkPolicy, …) | kubernetes-resources |
| App config files (.env / .properties / .yaml) → ConfigMap | app-config |
| Validation/policy that actually blocks bad config | triggers-and-applygates |
| Changing data in an existing Unit (image, replicas, env, defaults) | cub-mutate |
| Finding, listing, auditing, inspecting config across Units/Spaces | cub-query |
| A playground Space to tinker with | skill-examples-bootstrap |
| Setting up a worker (server worker for delivery; external for custom functions) | worker-bootstrap |
| Creating a Target / binding a Unit to one | target-bind |
| Applying a Unit to its Target (publish to OCI / ConfigHub) | cub-apply |
| Post-apply verification, troubleshooting, close-out | verify-apply |
| Onboarding existing Helm / Kustomize config | import |
| Promoting a release env-to-env or fleet-wide; variants | promote-release |
| Rolling back by moving head | rollback-revision |
| Orchestrating a production incident | incident-management |
cub unit create/update, cub function …, cub run, cub link … (always --change-desc + -o mutations); cub space create/update; kubectl create --dry-run=client / kubectl explain for scaffolding only.helm install/upgrade, kustomize build piped into ongoing editing, values files, template syntax inside a Unit, mutating kubectl/argocd/flux.Every mutation passes --change-desc:
<summary line>
User prompt: <verbatim user prompt>
Clarifications: <one line per resolved ambiguity, or "none">cub unit get <slug> --space <space> — confirm literal YAML; run vet-placeholders / vet-schemas / vet-format (or rely on the Space's Triggers).cub space list; cub space get <space> -o json (labels); a cross-Space --where "Space.Labels.X = ..." query returns the expected set.cub unit get --web, cub space get --web, cub revision list --web — open entity pages in the GUI.https://docs.confighub.com/markdown/index.md; SDK: https://github.com/confighub/sdk.references/cub-cli.md — CLI discipline, Read/Write permission sets, --change-desc, -o mutations, --where AND-only, --trigger-filter / --where-trigger.references/functions-catalog.md — the function surface.references/filters-and-queries.md — query vocabulary.references/triggers-recipes.md — platform-Space pattern.references/yaml-patterns.md — literal-value authoring for all common resource types.https://docs.confighub.com/markdown/background/config-as-data.md, .../guide/environments.md, .../guide/protecting.md.82d0282
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.