Find, count, inspect, or audit Kubernetes workloads and config stored in ConfigHub — fleet sweeps and single-workload lookups. Use for "where is checkout deployed?", "which Deployments run over 5 replicas?", "find workloads missing resource limits", "what image tag is our worker on?". Not for live cluster state (use kubectl).
82
—
Does it follow best practices?
Impact
100%
2.27xAverage score across 1 eval scenario
Risky
Do not use without reviewing
The database-like query surface of ConfigHub. Most users don't discover this from the CLI help alone; the skill makes it the first-reach tool for any "find / list / audit" intent.
Configuration is stored as data. Every field of every resource in every Unit in every Space is queryable — by metadata (--where), by content (--where-data), by resource type, and via functions that return structured values. This replaces "clone the repo, grep, try to figure out which env does what." Also, it is generally unnecessary to list all configuration Units or other entities and post-process locally — prefer server-side --where plus -o jq/-o yq. One caveat: a singular get returns the whole entity, but a list returns only default fields (entity IDs + Slug + a few) even with -o json/-o yaml. To pull any other field from a list (e.g. Labels, DisplayName, ApplyGates/ApplyWarnings), name it with --select (or --select "*" for everything) — see Output shaping.
The same toolkit covers two scopes:
SELECT ... FROM units WHERE ... over the database.SELECT * FROM units WHERE id = ? or cat workload.yaml.Single-workload lookups belong here too: cub unit data, cub unit livedata, and getter functions scoped with --unit are the right tools, not kubectl and not a hand-edit.
Users most often phrase questions in workload/application/environment terms: "our frontend in us-east", "checkout in prod", "the nonprod worker". Those map onto ConfigHub primitives:
metadata.name inside the Unit's Data.prod-use2-…) or as a Space Label (Region=us-east-2).--space "*", optionally narrowed with --where "Space.Labels.Environment = 'prod'".Concrete conventions (slug shapes, which Label keys are in use, whether environment is a slug prefix or a Label) belong to the team — load the confighub-core skill if the mapping is unclear or needs to be established. Before asking the user to restate in ConfigHub terms, try cub space list and cub unit list --space <candidate> to discover the actual names.
checkout in dev/staging/prod.cub-mutate).confighub-core).confighub-core).kubectl get).cub auth status succeeds — it contacts the server's /me endpoint to confirm the token is still valid (not just local login state). If it fails, ask the user to run cub auth login (an interactive browser sign-in an agent cannot complete).--space "*"), user has read permission on the spaces of interest.cub unit data / livedata / livestate + scoped gettersFor "what's our frontend running in us-east?" / "what image is our worker on?" / "show me the YAML of this workload":
# ConfigHub's latest YAML for a Unit — the content that would be applied. This is the config data at HeadRevisionNum.
# cub unit get -o data is invalid. cub unit get -o jq='.Unit.Data' will return the configuration data base64 encoded and
# is not recommended. The best command to use is cub unit data:
cub unit data <slug> --space <space>
# ConfigHub's data at the applied revision. Use .Unit.LiveRevisionNum for the most recently confirmed live revision,
# if any, and .Unit.PreviousLiveRevisionNum for the previous live revision, if any.
revision=$(cub unit get --space <space> <slug> -o jq=".Unit.LastAppliedRevisionNum")
cub revision data --space <space> <unit-slug> $revision
# What the bridge reported as live at the last action. For OCI/ConfigHub server bridges this echoes the published
# Data (no cluster read); it is the running cluster only for external cluster-reading bridges. See references/cub-cli.md.
cub unit livedata <slug> --space <space>
# The unelided live-state view at the last action. For OCI/ConfigHub Targets this mirrors the published Data;
# for actual running-workload troubleshooting use kubectl / argocd / flux directly (see verify-apply).
cub unit livestate <slug> --space <space>For extracting one field from one Unit (cleaner than grepping YAML), scope a getter with --unit:
# Image of container "worker" in one Unit.
cub function get --space <space> --unit <slug> get-container-image worker \
--show values
# Just the tag/digest portion.
cub function get --space <space> --unit <slug> get-container-image-reference worker \
--show values
# Replica count.
cub function get --space <space> --unit <slug> get-replicas \
--show values
# One env var.
cub function get --space <space> --unit <slug> get-env-var worker LOG_LEVEL \
--show values
# Any path (generic).
cub function get --space <space> --unit <slug> \
get-string-path "spec.template.spec.containers.0.image" \
--show valuesIf the user named the workload in application/environment terms and you don't yet know the Space or Unit slug, resolve the mapping before querying: cub space list to find the Space matching the environment/region (slug pattern or Space.Labels.Region=...), then cub unit list --space <space> to find the Unit matching the workload name. Do not guess a naming convention from another environment's Space — slugs vary. If the layout is unfamiliar, load confighub-core for the conventions; the canonical name is always whatever cub unit list prints.
See references/cub-cli.md (Data / LiveData / LiveState / BridgeState rows) for the semantics of each read surface, and references/functions-catalog.md for the full getter catalog.
cub unit list# All Deployments across all spaces.
cub unit list --space "*" --resource-type apps/v1/Deployment
# Units labeled Environment=prod.
cub unit list --space "*" --where "Labels.Environment = 'prod'"
# Units in Spaces matching a pattern.
cub unit list --space "*" --where "Space.Slug LIKE 'myapp-%'"Useful --where fields: Slug, DisplayName, ToolchainType, Labels.<Key>, Space.Slug, Space.Labels.<Key>, UpstreamRevisionNum, HeadRevisionNum, LiveRevisionNum, TargetID. To filter on a Kubernetes resource kind (Deployment, Service, etc.), use --where-data "ConfigHub.ResourceType = 'apps/v1/Deployment'" — ResourceType is not a --where metadata field. UnappliedChanges is also not a field.
--where-dataFilters on the actual configuration content using path expressions:
# Deployments with more than 5 replicas.
cub unit list --space "*" --resource-type apps/v1/Deployment \
--where-data "spec.replicas > 5"
# Any Unit containing a container image with a specific tag.
cub unit list --space "*" \
--where-data "spec.template.spec.containers.*.image#reference = ':v1.2.3'"
# Units with an image from a specific registry.
cub unit list --space "*" \
--where-data "spec.template.spec.containers.*.image#uri ~ 'ghcr.io/acme/'"cub function get + getters--where and --where-data select units (and other entities). To extract values from configuration data, use getter functions. For the single-Unit case, scope with --unit (see §0). The examples here sweep across Units:
# Get the current image for the "main" container of every Deployment.
cub function get --space "*" --resource-type apps/v1/Deployment \
get-container-image main \
--show values
# Find placeholder values that still need to be filled.
cub function get --space "*" get-placeholders \
--show valuesvet- functions# Run a validator as a one-off audit (without attaching a gate).
cub function vet --space "*" vet-placeholders \
--show output -o jq='.Output[] | select(.Passed == false)'
# Custom CEL audit with a readable message per failing resource, correlated to its Space and Unit.
cub function vet --space "*" \
vet-cel 'r.kind != "Deployment" || r.spec.replicas >= 2 ? {"passed": true} : {"passed": false, "details": [r.metadata.name + " has < 2 replicas"]}' \
--show output -o jq='. as $e | .Output[] | select(.Passed == false) | {space: $e.SpaceSlug, unit: $e.UnitSlug, details: .Details}'Each Unit's output is wrapped in an envelope with SpaceID / UnitID / SpaceSlug / UnitSlug / OutputType / Output. Use .Output[] to iterate the underlying list, and . as $e to bind the envelope so identity fields stay in scope inside the list. See references/cub-cli.md for the full schema.
# Recent revisions on a Unit with change descriptions.
cub revision list <slug> --space <space> --where "UpdatedAt > '2026-04-01'"
# Who changed what, when — across a Space.
cub revision list --space <space> --where "UpdatedAt > '2026-04-01'"
# Recent actions on a Unit.
cub unit-action list <slug> --space <space> --where "UpdatedAt > '2026-04-01'"
# Recent apply actions across a Space.
cub unit-action list --space <space> --where "Action = 'Apply'"
# Recent apply progress events across a Space.
cub unit-event list --space <space> --where "Action = 'Apply'"The --change-desc captured at mutation time (see cub-mutate) makes the revision history self-explaining.
-o json / -o yaml — structured. For list commands this is NOT the whole entity — only the default fields (IDs + Slug + a few). A singular get does return the whole entity.--select "<fields>" / --select "*" — choose which fields a list retrieves (comma-separated; IDs + Slug always included). Required to read any non-default field via -o json/-o jq from a list — e.g. a Unit's ApplyGates/ApplyWarnings, a View's DisplayName, or a Worker's ProvidedInfo.FunctionWorkerInfo.SupportedFunctions. Without it those fields come back null/absent even though the entity has them. --select "*" returns all fields.-o jq=<expression> / -o yq=<expression> — selected structured properties. When filtering metadata like .Slug note that list and get commands return an envelope structure that contains the requested entity and related entities, so a Unit Slug would be extracted with -o jq=.Unit.Slug. (On a list, combine with --select if the expression reads a non-default field.)-o name — slugs only (space-resident entities print as <space-slug>/<slug>).--show output -o jq=<expr> — post-process function output with jq. Each Unit's output is wrapped in a per-Unit envelope (SpaceSlug / UnitSlug / OutputType / Output), so use .Output[] to iterate results and .SpaceSlug / .UnitSlug for identity. See references/cub-cli.md.--show values — strip the envelope and emit raw scalar values from AttributeValueList outputs (one per line).wc -l, sort -u, etc. for quick counts.cub unit list, cub revision list, cub space list, cub function get/vet with getter/validator functions, cub trigger list, cub filter list, etc.cub-mutate.cub-mutate.Queries are read-only; the "verify" is cross-checking:
cub unit get <slug> --space <space> --web.cub unit get <slug> --space <space> --web — the Unit page.cub space get <slug> --web — Space page with attached Triggers/Filter.cub revision list <slug> --space <space> --web — revision history.references/filters-and-queries.md — full filter vocabulary, named Filter entities, operational recipes (apply-not-completed, unapplied-changes, not-approved, has-apply-gates, needs-upgrade, has-upstream).references/cub-cli.md — cub unit data / livedata / livestate / bridgestate semantics (see the "Data / LiveData / LiveState / BridgeState" table) and the where/where-data/output flags.references/functions-catalog.md — getter functions by purpose (get-container-image, get-container-image-reference, get-replicas, get-env-var, get-*-path, get-placeholders, etc.).82d0282
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.