[CUE](https://cuelang.org/) vetting demo for embedded YAML (YAML serialized as a string in outer YAML, in this case Prometheus Alertmanager rules inside a Kubernetes ConfigMap resource)

check.sh

#!/bin/sh

cue vet sample.cue sample.yaml

sample.cue

import "encoding/yaml"

#AlertRules: {
	groups: [...#Group]
}

#Group: {
	name: string
	rules: [...#Rule]
}

// Duration format: number + unit
#DurationString: string & =~"^\\d+[smh]$"

#Rule: {
	alert: =~"\\w{10,20}"
	expr:  string
	for?:  #DurationString
	labels: {
		severity: "critical" | "warning" | "info"
		[string]: string
	}
	annotations: {
		summary:     string
		description: string
		[string]:    string
	}
}

// This looks at any actual, concrete `data` key, and validates the serialized YAML.
// See also https://cuelang.org/docs/concept/how-cue-works-with-yaml/#validating-embedded-yaml
data: [string]: yaml.Validate(#AlertRules)

sample.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: alertmanager-rules
  namespace: monitoring
  labels:
    app: prometheus
data:
  custom-alerts.yaml: |
    groups:
      - name: application.rules
        rules:
          - alert: HighErrorRate
            expr: |
              sum(rate(http_requests_total{status=~"5.."}[5m]))
              /
              sum(rate(http_requests_total[5m])) * 100 > 5
            for: 15m
            labels:
              severity: critical
              team: platform
            annotations:
              summary: High HTTP error rate detected
              description: "Error rate is {{ $value }}% for the last 15 minutes (threshold: 5%)"