iam-policy-validator 1.13.1__py3-none-any.whl → 1.14.1__py3-none-any.whl

iam_validator/core/config/check_documentation.py

@@ -0,0 +1,390 @@
+"""Check Documentation Registry.
+
+This module provides centralized documentation for all built-in checks,
+including risk explanations, AWS documentation links, and remediation steps.
+
+Used to enhance ValidationIssue objects with actionable guidance.
+"""
+
+from dataclasses import dataclass, field
+from typing import ClassVar
+
+
+@dataclass
+class CheckDocumentation:
+    """Documentation for a single check.
+
+    Attributes:
+        check_id: Unique check identifier (e.g., "wildcard_action")
+        risk_explanation: Why this issue is a security risk
+        documentation_url: Link to relevant AWS docs or runbook
+        remediation_steps: Step-by-step fix guidance
+    """
+
+    check_id: str
+    risk_explanation: str
+    documentation_url: str
+    remediation_steps: list[str] = field(default_factory=list)
+
+
+class CheckDocumentationRegistry:
+    """Registry for check documentation.
+
+    Provides centralized lookup for risk explanations, documentation links,
+    and remediation steps for all built-in checks.
+    """
+
+    # AWS IAM documentation base URLs
+    AWS_IAM_DOCS = "https://docs.aws.amazon.com/IAM/latest/UserGuide"
+    AWS_IAM_REFERENCE = "https://docs.aws.amazon.com/service-authorization/latest/reference"
+
+    # Registry of all check documentation
+    _registry: ClassVar[dict[str, CheckDocumentation]] = {}
+
+    @classmethod
+    def register(cls, doc: CheckDocumentation) -> None:
+        """Register documentation for a check."""
+        cls._registry[doc.check_id] = doc
+
+    @classmethod
+    def get(cls, check_id: str) -> CheckDocumentation | None:
+        """Get documentation for a check by ID."""
+        return cls._registry.get(check_id)
+
+    @classmethod
+    def get_risk_explanation(cls, check_id: str) -> str | None:
+        """Get risk explanation for a check."""
+        doc = cls.get(check_id)
+        return doc.risk_explanation if doc else None
+
+    @classmethod
+    def get_documentation_url(cls, check_id: str) -> str | None:
+        """Get documentation URL for a check."""
+        doc = cls.get(check_id)
+        return doc.documentation_url if doc else None
+
+    @classmethod
+    def get_remediation_steps(cls, check_id: str) -> list[str] | None:
+        """Get remediation steps for a check."""
+        doc = cls.get(check_id)
+        return doc.remediation_steps if doc else None
+
+
+# Register documentation for all built-in checks
+# ==============================================
+
+# AWS Validation Checks
+# ---------------------
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="action_validation",
+        risk_explanation=(
+            "Invalid actions may silently fail to grant intended permissions, "
+            "or indicate a typo that could expose unintended access."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_REFERENCE}/reference_policies_actions-resources-contextkeys.html",
+        remediation_steps=[
+            "Verify the action name against AWS documentation for the target service",
+            "Use the IAM policy simulator to test your intended permissions",
+            "Check for common typos (e.g., 'S3' vs 's3', 'GetObjects' vs 'GetObject')",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="condition_key_validation",
+        risk_explanation=(
+            "Invalid condition keys are silently ignored by IAM, meaning your "
+            "intended access restrictions may not be enforced."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_policies_condition-keys.html",
+        remediation_steps=[
+            "Verify the condition key exists for the target service",
+            "Check AWS documentation for the correct key name and format",
+            "Use global condition keys (aws:*) for cross-service restrictions",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="condition_type_mismatch",
+        risk_explanation=(
+            "Using the wrong condition operator type (e.g., StringEquals with a "
+            "numeric value) may cause unexpected behavior or silent failures."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_policies_elements_condition_operators.html",
+        remediation_steps=[
+            "Match the condition operator to the key's data type",
+            "Use String operators for string keys, Numeric for numbers, Date for timestamps",
+            "Consider using IfExists variants for optional conditions",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="resource_validation",
+        risk_explanation=(
+            "Invalid resource ARNs may silently fail to match intended resources, "
+            "leaving permissions ineffective or overly broad."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_REFERENCE}/reference_policies_actions-resources-contextkeys.html",
+        remediation_steps=[
+            "Verify ARN format matches the target service's documentation",
+            "Ensure region and account ID are correct or use wildcards intentionally",
+            "Test the policy with IAM policy simulator before deployment",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="sid_uniqueness",
+        risk_explanation=(
+            "Duplicate SIDs can cause confusion and make policy auditing difficult. "
+            "Some AWS services may behave unexpectedly with duplicate SIDs."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_policies_elements_sid.html",
+        remediation_steps=[
+            "Ensure each statement has a unique SID within the policy",
+            "Use descriptive SIDs that indicate the statement's purpose",
+            "Consider a naming convention like 'AllowS3ReadAccess' or 'DenyPublicAccess'",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="policy_size",
+        risk_explanation=(
+            "Policies exceeding AWS size limits cannot be attached to IAM entities. "
+            "Inline policies have a 2KB limit, managed policies have a 6KB limit."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_iam-quotas.html",
+        remediation_steps=[
+            "Split large policies into multiple smaller policies",
+            "Use managed policies instead of inline policies for larger permissions",
+            "Remove redundant statements or consolidate similar actions",
+            "Consider using permission boundaries or SCPs for broad restrictions",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="policy_structure",
+        risk_explanation=(
+            "Malformed policy structure will cause IAM to reject the policy entirely, "
+            "preventing any permissions from being granted."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_policies_grammar.html",
+        remediation_steps=[
+            "Verify the policy follows AWS IAM policy grammar",
+            "Ensure all required elements (Version, Statement) are present",
+            "Check that Effect, Action, and Resource are properly formatted",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="set_operator_validation",
+        risk_explanation=(
+            "Invalid ForAllValues/ForAnyValue operators may cause conditions to "
+            "behave unexpectedly, potentially granting or denying unintended access."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_policies_multi-value-conditions.html",
+        remediation_steps=[
+            "Use ForAllValues when ALL values must match the condition",
+            "Use ForAnyValue when ANY value matching is sufficient",
+            "Consider the empty set behavior: ForAllValues returns true for empty sets",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="mfa_condition_check",
+        risk_explanation=(
+            "Sensitive operations without MFA requirements may be performed by "
+            "compromised credentials, increasing the blast radius of credential theft."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/id_credentials_mfa_configure-api-require.html",
+        remediation_steps=[
+            "Add 'aws:MultiFactorAuthPresent': 'true' condition for sensitive actions",
+            "Consider using 'aws:MultiFactorAuthAge' to require recent MFA",
+            "Ensure MFA is enforced at the identity level as well as policy level",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="principal_validation",
+        risk_explanation=(
+            "Invalid principals in resource policies may fail to grant access to "
+            "intended entities, or may inadvertently grant access to unintended parties."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_policies_elements_principal.html",
+        remediation_steps=[
+            "Verify AWS account IDs and IAM ARNs are correct",
+            "Use specific principals instead of wildcards where possible",
+            "For service principals, use the canonical format (e.g., 's3.amazonaws.com')",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="policy_type_validation",
+        risk_explanation=(
+            "Using policy elements not supported by the policy type may cause "
+            "silent failures or unexpected behavior."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/access_policies.html",
+        remediation_steps=[
+            "Identity policies: Don't include Principal element",
+            "Resource policies: Include Principal element",
+            "SCPs: Use only Allow statements with specific conditions",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="action_resource_matching",
+        risk_explanation=(
+            "Actions that don't support the specified resources will silently fail, "
+            "resulting in permissions that don't work as intended."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_REFERENCE}/reference_policies_actions-resources-contextkeys.html",
+        remediation_steps=[
+            "Check AWS documentation for supported resource types per action",
+            "Use '*' for actions that don't support resource-level permissions",
+            "Split statements when actions require different resource types",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="trust_policy_validation",
+        risk_explanation=(
+            "Misconfigured trust policies can allow unauthorized principals to "
+            "assume roles, potentially leading to privilege escalation."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/id_roles_create_for-user.html",
+        remediation_steps=[
+            "Restrict Principal to specific accounts/roles/users",
+            "Add conditions to limit who can assume the role",
+            "Avoid wildcards in Principal unless absolutely necessary",
+            "Use ExternalId for cross-account role assumption",
+        ],
+    )
+)
+
+# Security Checks
+# ---------------
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="wildcard_action",
+        risk_explanation=(
+            "Wildcard actions (e.g., 's3:*') grant all current AND future permissions "
+            "for a service, violating least privilege and increasing attack surface."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/best-practices.html#grant-least-privilege",
+        remediation_steps=[
+            "Replace wildcards with specific actions needed for the use case",
+            "Use action groups like 's3:Get*' for read-only access",
+            "Document why each action is required",
+            "Review and reduce permissions periodically",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="wildcard_resource",
+        risk_explanation=(
+            "Wildcard resources ('*') grant access to ALL resources of a type, "
+            "including resources created in the future, violating least privilege."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/best-practices.html#grant-least-privilege",
+        remediation_steps=[
+            "Specify exact resource ARNs when possible",
+            "Use resource tags and conditions for dynamic access control",
+            "Limit scope to specific accounts, regions, or resource prefixes",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="full_wildcard",
+        risk_explanation=(
+            "Full wildcard access ('Action': '*', 'Resource': '*') grants complete "
+            "control over all AWS resources, equivalent to administrator access."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/best-practices.html#grant-least-privilege",
+        remediation_steps=[
+            "Immediately restrict to specific services and actions needed",
+            "Use AWS managed policies like PowerUserAccess for broad access",
+            "Implement permission boundaries to limit maximum possible permissions",
+            "Consider using service control policies (SCPs) as guardrails",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="service_wildcard",
+        risk_explanation=(
+            "Service-level wildcards (e.g., 'iam:*') grant all permissions for "
+            "an entire service, including destructive and privilege escalation actions."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/best-practices.html#grant-least-privilege",
+        remediation_steps=[
+            "Replace with specific actions required for the use case",
+            "Use AWS managed policies for common patterns",
+            "Consider permission boundaries to limit sensitive actions",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="sensitive_action",
+        risk_explanation=(
+            "Sensitive actions (e.g., iam:*, sts:AssumeRole, kms:Decrypt) can lead "
+            "to privilege escalation, data exfiltration, or account compromise."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/best-practices.html#grant-least-privilege",
+        remediation_steps=[
+            "Add conditions to restrict when these actions can be used",
+            "Require MFA for sensitive operations",
+            "Limit to specific resources where possible",
+            "Implement monitoring and alerting for sensitive action usage",
+        ],
+    )
+)
+
+CheckDocumentationRegistry.register(
+    CheckDocumentation(
+        check_id="action_condition_enforcement",
+        risk_explanation=(
+            "Certain sensitive actions should always have conditions to prevent "
+            "misuse, such as IP restrictions, MFA requirements, or time-based access."
+        ),
+        documentation_url=f"{CheckDocumentationRegistry.AWS_IAM_DOCS}/reference_policies_elements_condition.html",
+        remediation_steps=[
+            "Add appropriate conditions based on the action type",
+            "Use aws:SourceIp for network-restricted actions",
+            "Use aws:MultiFactorAuthPresent for authentication-sensitive actions",
+            "Use aws:RequestedRegion to limit geographic scope",
+        ],
+    )
+)

iam_validator/core/config/config_loader.py

@@ -14,6 +14,7 @@ from pathlib import Path
 from typing import Any
 
 import yaml
+from pydantic import BaseModel, ConfigDict, field_validator, model_validator
 
 from iam_validator.core.check_registry import CheckConfig, CheckRegistry, PolicyCheck
 from iam_validator.core.config.defaults import get_default_config
@@ -21,6 +22,204 @@ from iam_validator.core.constants import DEFAULT_CONFIG_FILENAMES
 
 logger = logging.getLogger(__name__)
 
+# Valid severity levels for validation
+SEVERITY_LEVELS = frozenset(["error", "warning", "info", "critical", "high", "medium", "low"])
+
+# Known built-in check IDs for validation warnings
+KNOWN_CHECK_IDS = frozenset(
+    [
+        "action_validation",
+        "condition_key_validation",
+        "condition_type_mismatch",
+        "resource_validation",
+        "sid_uniqueness",
+        "policy_size",
+        "policy_structure",
+        "set_operator_validation",
+        "mfa_condition_check",
+        "principal_validation",
+        "policy_type_validation",
+        "action_resource_matching",
+        "trust_policy_validation",
+        "wildcard_action",
+        "wildcard_resource",
+        "full_wildcard",
+        "service_wildcard",
+        "sensitive_action",
+        "action_condition_enforcement",
+    ]
+)
+
+
+# =============================================================================
+# Pydantic Configuration Schemas
+# =============================================================================
+
+
+class IgnorePatternSchema(BaseModel):
+    """Schema for ignore patterns within check configurations."""
+
+    model_config = ConfigDict(extra="forbid")
+
+    # At least one of these should be specified
+    file: str | None = None
+    action: str | None = None
+    resource: str | None = None
+    sid: str | None = None
+
+
+class CheckConfigSchema(BaseModel):
+    """Flexible check config - validates core fields, allows extras for custom options.
+
+    This schema validates common check configuration fields while allowing
+    arbitrary additional options that specific checks may require (e.g.,
+    allowed_wildcards, categories, requirements).
+    """
+
+    model_config = ConfigDict(extra="allow")  # Allow arbitrary check-specific options
+
+    enabled: bool = True
+    severity: str | None = None
+    description: str | None = None
+    ignore_patterns: list[dict[str, Any]] = []
+
+    @field_validator("severity")
+    @classmethod
+    def validate_severity(cls, v: str | None) -> str | None:
+        if v is not None and v not in SEVERITY_LEVELS:
+            raise ValueError(f"Invalid severity: {v}. Must be one of: {sorted(SEVERITY_LEVELS)}")
+        return v
+
+
+class IgnoreSettingsSchema(BaseModel):
+    """Schema for ignore settings."""
+
+    model_config = ConfigDict(extra="forbid")
+
+    enabled: bool = True
+    allowed_users: list[str] = []
+    post_denial_feedback: bool = False
+
+
+class DocumentationSettingsSchema(BaseModel):
+    """Schema for documentation settings."""
+
+    model_config = ConfigDict(extra="forbid")
+
+    base_url: str | None = None
+    include_aws_docs: bool = True
+
+
+class SettingsSchema(BaseModel):
+    """Schema for global settings."""
+
+    model_config = ConfigDict(extra="allow")  # Allow additional settings
+
+    fail_fast: bool = False
+    parallel: bool = True
+    max_workers: int | None = None
+    fail_on_severity: list[str] = ["error", "critical"]
+    severity_labels: dict[str, str | list[str]] = {}
+    ignore_settings: IgnoreSettingsSchema = IgnoreSettingsSchema()
+    documentation: DocumentationSettingsSchema = DocumentationSettingsSchema()
+
+    @field_validator("fail_on_severity")
+    @classmethod
+    def validate_fail_on_severity(cls, v: list[str]) -> list[str]:
+        for severity in v:
+            if severity not in SEVERITY_LEVELS:
+                raise ValueError(
+                    f"Invalid severity in fail_on_severity: {severity}. "
+                    f"Must be one of: {sorted(SEVERITY_LEVELS)}"
+                )
+        return v
+
+
+class CustomCheckSchema(BaseModel):
+    """Schema for custom check definitions."""
+
+    model_config = ConfigDict(extra="allow")
+
+    module: str
+    enabled: bool = True
+    severity: str | None = None
+    description: str | None = None
+    config: dict[str, Any] = {}
+
+    @field_validator("severity")
+    @classmethod
+    def validate_severity(cls, v: str | None) -> str | None:
+        if v is not None and v not in SEVERITY_LEVELS:
+            raise ValueError(f"Invalid severity: {v}. Must be one of: {sorted(SEVERITY_LEVELS)}")
+        return v
+
+
+class ConfigSchema(BaseModel):
+    """Top-level configuration schema.
+
+    Validates the overall structure while allowing flexibility for check configs.
+    """
+
+    model_config = ConfigDict(extra="allow")  # Allow check configs at top level
+
+    settings: SettingsSchema = SettingsSchema()
+    custom_checks: list[CustomCheckSchema] = []
+    custom_checks_dir: str | None = None
+
+    @model_validator(mode="after")
+    def warn_unknown_checks(self) -> "ConfigSchema":
+        """Warn about unknown check IDs (potential typos)."""
+        # Get all extra fields that might be check configs
+        if not self.model_extra:
+            return self
+
+        for key, value in self.model_extra.items():
+            if isinstance(value, dict):
+                # This looks like a check config
+                check_id = key.removesuffix("_check") if key.endswith("_check") else key
+                if check_id not in KNOWN_CHECK_IDS:
+                    logger.warning(
+                        f"Unknown check ID '{check_id}' in configuration. "
+                        f"This may be a custom check or a typo."
+                    )
+        return self
+
+
+class ConfigValidationError(Exception):
+    """Raised when configuration validation fails."""
+
+    def __init__(self, errors: list[str]):
+        self.errors = errors
+        super().__init__(
+            "Configuration validation failed:\n" + "\n".join(f"  - {e}" for e in errors)
+        )
+
+
+def validate_config(config_dict: dict[str, Any]) -> tuple[bool, list[str]]:
+    """Validate configuration dictionary against schema.
+
+    Args:
+        config_dict: Raw configuration dictionary
+
+    Returns:
+        Tuple of (is_valid, list of error messages)
+    """
+    errors: list[str] = []
+
+    try:
+        ConfigSchema.model_validate(config_dict)
+    except Exception as e:
+        # Parse Pydantic validation errors
+        if hasattr(e, "errors"):
+            for error in e.errors():  # type: ignore
+                loc = ".".join(str(x) for x in error.get("loc", []))
+                msg = error.get("msg", str(e))
+                errors.append(f"{loc}: {msg}")
+        else:
+            errors.append(str(e))
+
+    return len(errors) == 0, errors
+
 
 def deep_merge(base: dict, override: dict) -> dict:
     """

iam_validator/core/config/defaults.py

@@ -85,6 +85,31 @@ DEFAULT_CONFIG = {
         #   Mixed: {"error": "iam-validity-error", "critical": ["security-critical", "needs-review"]}
         # Default: {} (disabled)
         "severity_labels": {},
+        # CODEOWNERS-based finding ignore settings
+        # Allows CODEOWNERS to ignore validation findings by replying "ignore" to PR comments
+        # Ignored findings won't cause the action to fail and won't be posted as comments
+        "ignore_settings": {
+            # Enable/disable the CODEOWNERS ignore feature
+            "enabled": True,
+            # Fallback list of users who can ignore findings when no CODEOWNERS file exists
+            # If empty and no CODEOWNERS, all ignore requests are denied (fail secure)
+            # Example: ["security-team-lead", "platform-admin"]
+            "allowed_users": [],
+            # Whether to post visible replies when ignore requests are denied
+            # When False (default), denials are only logged
+            # When True, a reply is posted explaining why the ignore was denied
+            "post_denial_feedback": False,
+        },
+        # Organization-specific documentation URL configuration
+        # Allows overriding default AWS documentation links with org-specific runbooks
+        "documentation": {
+            # Base URL for org-specific runbooks (null = use AWS docs)
+            # Example: "https://wiki.mycompany.com/security/iam-checks"
+            # When set, check documentation URLs will be: {base_url}/{check_id}
+            "base_url": None,
+            # Include AWS documentation links alongside org docs
+            "include_aws_docs": True,
+        },
     },
     # ========================================================================
     # AWS IAM Validation Checks (17 checks total)

iam_validator/core/constants.py

@@ -87,6 +87,7 @@ BOT_IDENTIFIER = "🤖 IAM Policy Validator"
 # HTML comment markers for identifying bot-generated content (for cleanup/updates)
 SUMMARY_IDENTIFIER = "<!-- iam-policy-validator-summary -->"
 REVIEW_IDENTIFIER = "<!-- iam-policy-validator-review -->"
+IGNORED_FINDINGS_IDENTIFIER = "<!-- iam-policy-validator-ignored-findings -->"
 
 # GitHub comment size limits
 # GitHub's actual limit is 65536 characters, but we use a smaller limit for safety

iam_validator/core/diff_parser.py

@@ -87,15 +87,19 @@ class DiffParser:
             patch = file_info.get("patch")
 
             # Files without patches (e.g., binary files, very large files)
+            # For added/modified files, we use a "no_patch" marker to indicate
+            # that we should allow comments on any line (handled in pr_commenter)
             if not patch or not isinstance(patch, str):
-                logger.debug(f"No patch available for {filename}, skipping diff parsing")
-                # Still track the file with empty change sets
+                logger.debug(f"No patch available for {filename} (status={status})")
+                # Mark as "no_patch" so pr_commenter can handle this specially
+                # For added/modified files without patch, we'll allow inline comments
+                # on any line since GitHub likely truncated the diff due to size
                 parsed[filename] = ParsedDiff(
                     file_path=filename,
-                    changed_lines=set(),
+                    changed_lines=set(),  # Empty, but status indicates handling
                     added_lines=set(),
                     deleted_lines=set(),
-                    status=status,
+                    status=f"{status}_no_patch",  # Mark as no_patch variant
                 )
                 continue