This spec uses FileUtils.mkdir_p/FileUtils.rm_f later but never require 'fileutils'. Without it, the spec will raise NameError: uninitialized constant FileUtils in a clean test environment. Add the missing require (or avoid FileUtils usage).

The spec creates spec/fixtures via FileUtils.mkdir_p(config_dir) but only removes the YAML file in the ensure block. This leaves the fixtures directory behind after the test run. Consider removing the directory as well (when empty) or using a temp directory (e.g., Dir.mktmpdir) to avoid polluting the working tree.

Search expression interpolation only matches ${Resource::...} keys made of letters (/\${Resource::([A-Za-z]+)}/). This is more restrictive than the dimension-variable interpolation above and contradicts the docs that say “any key from the resource definition” (keys may contain digits/underscores). Consider broadening the regex (e.g., allow [A-Za-z0-9_]+), and prefer Regexp.last_match(1) over $1 for clarity.

resource.search_expression.empty? assumes search_expression is a String. If a user misconfigures YAML (e.g., SearchExpression: []), this will raise a NoMethodError during validation instead of producing a helpful validation message. Consider validating search_expression.is_a?(String) and treating blank/whitespace-only strings as invalid (e.g., strip.empty?) to keep validation robust.

search_aggregation is inserted directly into the metric-math expression ("#{aggregation}(search_expression)") without validation/normalization. A typo or lowercase value will generate an invalid CloudWatch expression and fail at deploy time. Consider upcasing the value and validating it against the supported set (MAX/MIN/AVG/SUM), surfacing a compile-time validation error when invalid.

add_search_expression_alarm duplicates most of the CloudWatch_Alarm property wiring from add_standard_alarm, which increases the chance of future drift (e.g., tags/unit/low-sample settings). Consider extracting the common alarm property assignment into a shared helper, and only branching for the mutually-exclusive metric configuration (Dimensions/MetricName/etc vs Metrics).

This doc says Guardian “emits MetricDataQueries”, but the CloudFormation AWS::CloudWatch::Alarm property name is Metrics (a list of MetricDataQuery objects). Consider adjusting wording to avoid confusion for readers cross-referencing the CFN spec.

This example is described as having “no metric_name or namespace”, but it overrides an existing AutoScalingGroup default alarm (CPUUtilizationHighBase) that already sets both fields, so it doesn’t actually exercise the validation change. Consider adding a new alarm (one that doesn’t exist in defaults) with only SearchExpression set, and assert that validation passes and the created alarm has metric_name (and/or namespace) still nil.

The workflow installs Bundler 2.4.22, but the lockfile was generated with Bundler 2.3.19 (BUNDLED WITH). This often produces warnings and may cause unintended lockfile churn. Consider aligning the workflow Bundler version with the lockfile, or update the lockfile’s BUNDLED WITH to match the workflow version.

When using the CloudFormation Metrics property (metric math alarms), ThresholdMetricId is required to tell CloudWatch which query ID to evaluate against Threshold. Without it, the generated alarm resource may fail template validation or evaluate an unexpected metric. Set ThresholdMetricId to the ID of the return-data query (likely aggregate).

The gsub replacement block must return a String. If a resource value is numeric/boolean (e.g., a Port), returning it directly will raise TypeError during interpolation. Convert interpolated values to strings (e.g., @resource[resource_key].to_s) before returning from the block.

New validation behavior was added for SearchExpression (non-empty string) and SearchAggregation (must be one of MAX/MIN/AVG/SUM and normalized to uppercase), but there are no specs asserting these error cases and normalization. Add RSpec coverage that (1) invalid/blank SearchExpression causes CfnGuardian::ValidationError, and (2) invalid SearchAggregation is rejected while valid lowercase values are normalized.

The markdown table under "Properties" is malformed (lines start with ||), which renders as an empty first column in most markdown parsers. Use standard table syntax with a single leading/trailing | per row.

fileutils and term/ansicolor are required but not used anywhere in this spec. Removing unused requires reduces load time and avoids pulling extra dependencies into the test process unnecessarily.

use_search is true for any non-nil value, including an empty string. Since '' is truthy in Ruby, this would emit a Metrics-based alarm with a blank Expression, producing an invalid CloudFormation template. Consider basing use_search on alarm.search_expression.is_a?(String) && !alarm.search_expression.strip.empty? (or raising early) to align with validation behavior.

When using the CloudWatch Alarm Metrics property (metric math), CloudFormation expects a ThresholdMetricId to indicate which MetricDataQuery is evaluated against Threshold/ComparisonOperator. This block builds queries search_expression and aggregate but never sets ThresholdMetricId, which can cause the alarm to fail creation or evaluate the wrong series. Set ThresholdMetricId to the query id that returns data (e.g. aggregate).