iam-policy-validator 1.7.1__py3-none-any.whl → 1.7.2__py3-none-any.whl

iam_validator/checks/principal_validation.py

@@ -112,12 +112,12 @@ class PrincipalValidationCheck(PolicyCheck):
                     ValidationIssue(
                         severity=self.get_severity(config),
                         issue_type="blocked_principal",
-                        message=f"Blocked principal detected: {principal}. "
+                        message=f"Blocked principal detected: `{principal}`. "
                         f"This principal is explicitly blocked by your security policy.",
                         statement_index=statement_idx,
                         statement_sid=statement.sid,
                         line_number=statement.line_number,
-                        suggestion=f"Remove the principal '{principal}' or add appropriate conditions to restrict access. "
+                        suggestion=f"Remove the principal `{principal}` or add appropriate conditions to restrict access. "
                         "Consider using more specific principals instead of wildcards.",
                     )
                 )
@@ -131,8 +131,8 @@ class PrincipalValidationCheck(PolicyCheck):
                     ValidationIssue(
                         severity=self.get_severity(config),
                         issue_type="unauthorized_principal",
-                        message=f"Principal not in allowed list: {principal}. "
-                        f"Only principals in the allowed_principals whitelist are permitted.",
+                        message=f"Principal not in allowed list: `{principal}`. "
+                        f"Only principals in the `allowed_principals` whitelist are permitted.",
                         statement_index=statement_idx,
                         statement_sid=statement.sid,
                         line_number=statement.line_number,
@@ -151,7 +151,7 @@ class PrincipalValidationCheck(PolicyCheck):
                         ValidationIssue(
                             severity=self.get_severity(config),
                             issue_type="missing_principal_conditions",
-                            message=f"Principal '{principal}' requires conditions: {', '.join(missing_conditions)}. "
+                            message=f"Principal `{principal}` requires conditions: {', '.join(f'`{c}`' for c in missing_conditions)}. "
                             f"This principal must have these condition keys to restrict access.",
                             statement_index=statement_idx,
                             statement_sid=statement.sid,
@@ -169,7 +169,11 @@ class PrincipalValidationCheck(PolicyCheck):
         # Check advanced format: principal_condition_requirements
         if principal_condition_requirements:
             condition_issues = self._validate_principal_condition_requirements(
-                statement, statement_idx, principals, principal_condition_requirements, config
+                statement,
+                statement_idx,
+                principals,
+                principal_condition_requirements,
+                config,
             )
             issues.extend(condition_issues)
 
@@ -629,15 +633,18 @@ class PrincipalValidationCheck(PolicyCheck):
             or self.get_severity(config)
         )
 
+        suggestion_text, example_code = self._build_condition_suggestion(
+            condition_key, description, example, expected_value, operator
+        )
+
         return ValidationIssue(
             severity=severity,
             statement_sid=statement.sid,
             statement_index=statement_idx,
             issue_type="missing_principal_condition",
             message=f"{message_prefix} Principal(s) {matching_principals} require condition '{condition_key}'",
-            suggestion=self._build_condition_suggestion(
-                condition_key, description, example, expected_value, operator
-            ),
+            suggestion=suggestion_text,
+            example=example_code,
             line_number=statement.line_number,
         )
 
@@ -648,8 +655,8 @@ class PrincipalValidationCheck(PolicyCheck):
         example: str,
         expected_value: Any = None,
         operator: str = "StringEquals",
-    ) -> str:
-        """Build a helpful suggestion for adding the missing condition.
+    ) -> tuple[str, str]:
+        """Build suggestion and example for adding the missing condition.
 
         Args:
             condition_key: The condition key
@@ -659,19 +666,16 @@ class PrincipalValidationCheck(PolicyCheck):
             operator: Condition operator
 
         Returns:
-            Suggestion string
+            Tuple of (suggestion_text, example_code)
         """
-        parts = []
-
-        if description:
-            parts.append(description)
+        suggestion = description if description else f"Add condition: {condition_key}"
 
         # Build example based on condition key type
         if example:
-            parts.append(f"Example:\n```json\n{example}\n```")
+            example_code = example
         else:
             # Auto-generate example
-            example_lines = ['Add to "Condition" block:', f'  "{operator}": {{']
+            example_lines = [f'  "{operator}": {{']
 
             if isinstance(expected_value, list):
                 value_str = (
@@ -698,9 +702,9 @@ class PrincipalValidationCheck(PolicyCheck):
             example_lines.append(f'    "{condition_key}": {value_str}')
             example_lines.append("  }")
 
-            parts.append("\n".join(example_lines))
+            example_code = "\n".join(example_lines)
 
-        return ". ".join(parts) if parts else f"Add condition: {condition_key}"
+        return suggestion, example_code
 
     def _build_any_of_suggestion(self, any_of_conditions: list[dict[str, Any]]) -> str:
         """Build suggestion for any_of conditions.

iam_validator/checks/sensitive_action.py

@@ -85,7 +85,7 @@ class SensitiveActionCheck(PolicyCheck):
         # Generic ABAC fallback for uncategorized actions
         return (
             "Add IAM conditions to limit when this action can be used. Use ABAC for scalability:\n"
-            "• Match principal tags to resource tags (aws:PrincipalTag/X = aws:ResourceTag/X)\n"
+            "• Match principal tags to resource tags (aws:PrincipalTag/<tag-name> = aws:ResourceTag/<tag-name>)\n"
             "• Require MFA (aws:MultiFactorAuthPresent = true)\n"
             "• Restrict by IP (aws:SourceIp) or VPC (aws:SourceVpc)",
             '"Condition": {\n'
@@ -142,13 +142,6 @@ class SensitiveActionCheck(PolicyCheck):
                 matched_actions[0], config
             )
 
-            # Combine suggestion + example
-            suggestion = (
-                f"{suggestion_text}\n\nExample:\n```json\n{example}\n```"
-                if example
-                else suggestion_text
-            )
-
             # Determine severity based on the highest severity action in the list
             # If single action, use its category severity
             # If multiple actions, use the highest severity among them
@@ -165,7 +158,8 @@ class SensitiveActionCheck(PolicyCheck):
                     issue_type="missing_condition",
                     message=message,
                     action=(matched_actions[0] if len(matched_actions) == 1 else None),
-                    suggestion=suggestion,
+                    suggestion=suggestion_text,
+                    example=example if example else None,
                     line_number=statement.line_number,
                 )
             )

iam_validator/checks/service_wildcard.py

@@ -60,20 +60,13 @@ class ServiceWildcardCheck(PolicyCheck):
                     example_template = config.config.get("example", "")
 
                     message = message_template.format(action=action, service=service)
-                    suggestion_text = suggestion_template.format(action=action, service=service)
+                    suggestion = suggestion_template.format(action=action, service=service)
                     example = (
                         example_template.format(action=action, service=service)
                         if example_template
                         else ""
                     )
 
-                    # Combine suggestion + example
-                    suggestion = (
-                        f"{suggestion_text}\nExample:\n```json\n{example}\n```"
-                        if example
-                        else suggestion_text
-                    )
-
                     issues.append(
                         ValidationIssue(
                             severity=self.get_severity(config),
@@ -83,6 +76,7 @@ class ServiceWildcardCheck(PolicyCheck):
                             message=message,
                             action=action,
                             suggestion=suggestion,
+                            example=example if example else None,
                             line_number=statement.line_number,
                         )
                     )

iam_validator/checks/sid_uniqueness.py

@@ -91,7 +91,7 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
                     statement_sid=duplicate_sid,
                     statement_index=idx,
                     issue_type="duplicate_sid",
-                    message=f"Statement ID '{duplicate_sid}' is used {count} times in this policy (found in statements {statement_numbers})",
+                    message=f"Statement ID `{duplicate_sid}` is used **{count} times** in this policy (found in statements {statement_numbers})",
                     suggestion="Change this SID to a unique value. Statement IDs help identify and reference specific statements, so duplicates can cause confusion.",
                     line_number=statement.line_number,
                 )

iam_validator/checks/wildcard_action.py

@@ -39,19 +39,12 @@ class WildcardActionCheck(PolicyCheck):
         # Check for wildcard action (Action: "*")
         if "*" in actions:
             message = config.config.get("message", "Statement allows all actions (*)")
-            suggestion_text = config.config.get(
+            suggestion = config.config.get(
                 "suggestion",
                 "Replace wildcard with specific actions needed for your use case",
             )
             example = config.config.get("example", "")
 
-            # Combine suggestion + example
-            suggestion = (
-                f"{suggestion_text}\nExample:\n```json\n{example}\n```"
-                if example
-                else suggestion_text
-            )
-
             issues.append(
                 ValidationIssue(
                     severity=self.get_severity(config),
@@ -60,6 +53,7 @@ class WildcardActionCheck(PolicyCheck):
                     issue_type="overly_permissive",
                     message=message,
                     suggestion=suggestion,
+                    example=example if example else None,
                     line_number=statement.line_number,
                 )
             )

iam_validator/checks/wildcard_resource.py

@@ -63,18 +63,11 @@ class WildcardResourceCheck(PolicyCheck):
 
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
             message = config.config.get("message", "Statement applies to all resources (*)")
-            suggestion_text = config.config.get(
+            suggestion = config.config.get(
                 "suggestion", "Replace wildcard with specific resource ARNs"
             )
             example = config.config.get("example", "")
 
-            # Combine suggestion + example
-            suggestion = (
-                f"{suggestion_text}\nExample:\n```json\n{example}\n```"
-                if example
-                else suggestion_text
-            )
-
             issues.append(
                 ValidationIssue(
                     severity=self.get_severity(config),
@@ -83,6 +76,7 @@ class WildcardResourceCheck(PolicyCheck):
                     issue_type="overly_permissive",
                     message=message,
                     suggestion=suggestion,
+                    example=example if example else None,
                     line_number=statement.line_number,
                 )
             )

iam_validator/commands/validate.py

@@ -254,9 +254,9 @@ Examples:
             policy_type=policy_type,
         )
 
-        # Generate report
+        # Generate report (include parsing errors if any)
         generator = ReportGenerator()
-        report = generator.generate_report(results)
+        report = generator.generate_report(results, parsing_errors=loader.parsing_errors)
 
         # Output results
         if args.format is None:

iam_validator/core/aws_fetcher.py

@@ -27,11 +27,13 @@ import os
 import re
 import sys
 import time
+from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
 
 import httpx
 
+from iam_validator.core import constants
 from iam_validator.core.config import AWS_SERVICE_REFERENCE_BASE_URL
 from iam_validator.core.models import ServiceDetail, ServiceInfo
 from iam_validator.utils.cache import LRUCache
@@ -39,6 +41,23 @@ from iam_validator.utils.cache import LRUCache
 logger = logging.getLogger(__name__)
 
 
+@dataclass
+class ConditionKeyValidationResult:
+    """Result of condition key validation.
+
+    Attributes:
+        is_valid: True if the condition key is valid for the action
+        error_message: Short error message if invalid (shown prominently)
+        warning_message: Warning message if valid but not recommended
+        suggestion: Detailed suggestion with valid keys (shown in collapsible section)
+    """
+
+    is_valid: bool
+    error_message: str | None = None
+    warning_message: str | None = None
+    suggestion: str | None = None
+
+
 class CompiledPatterns:
     """Pre-compiled regex patterns for validation.
 
@@ -199,10 +218,10 @@ class AWSServiceFetcher:
 
     def __init__(
         self,
-        timeout: float = 30.0,
+        timeout: float = constants.DEFAULT_HTTP_TIMEOUT_SECONDS,
         retries: int = 3,
         enable_cache: bool = True,
-        cache_ttl: int = 604800,
+        cache_ttl: int = constants.DEFAULT_CACHE_TTL_SECONDS,
         memory_cache_size: int = 256,
         connection_pool_size: int = 50,
         keepalive_connections: int = 20,
@@ -303,7 +322,7 @@ class AWSServiceFetcher:
             limits=httpx.Limits(
                 max_keepalive_connections=self.keepalive_connections,
                 max_connections=self.connection_pool_size,
-                keepalive_expiry=30.0,  # Keep connections alive for 30 seconds
+                keepalive_expiry=constants.DEFAULT_HTTP_TIMEOUT_SECONDS,  # Keep connections alive
             ),
             http2=True,  # Enable HTTP/2 for multiplexing
         )
@@ -658,7 +677,7 @@ class AWSServiceFetcher:
                             return service_detail
                         except FileNotFoundError:
                             pass
-                raise ValueError(f"Service '{service_name}' not found in {self.aws_services_dir}")
+                raise ValueError(f"Service `{service_name}` not found in {self.aws_services_dir}")
 
         # Fetch service list and find URL from API
         services = await self.fetch_services()
@@ -676,7 +695,7 @@ class AWSServiceFetcher:
 
                 return service_detail
 
-        raise ValueError(f"Service '{service_name}' not found")
+        raise ValueError(f"Service `{service_name}` not found")
 
     async def fetch_multiple_services(self, service_names: list[str]) -> dict[str, ServiceDetail]:
         """Fetch multiple services concurrently with optimized batching."""
@@ -823,7 +842,7 @@ class AWSServiceFetcher:
 
     async def validate_condition_key(
         self, action: str, condition_key: str, resources: list[str] | None = None
-    ) -> tuple[bool, str | None, str | None]:
+    ) -> ConditionKeyValidationResult:
         """
         Validate condition key against action and optionally resource types.
 
@@ -833,10 +852,11 @@ class AWSServiceFetcher:
             resources: Optional list of resource ARNs to validate against
 
         Returns:
-            Tuple of (is_valid, error_message, warning_message)
+            ConditionKeyValidationResult with:
             - is_valid: True if key is valid (even with warning)
-            - error_message: Error message if invalid (is_valid=False)
+            - error_message: Short error message if invalid (shown prominently)
             - warning_message: Warning message if valid but not recommended
+            - suggestion: Detailed suggestion with valid keys (shown in collapsible section)
         """
         try:
             from iam_validator.core.config.aws_global_conditions import (
@@ -852,10 +872,9 @@ class AWSServiceFetcher:
                 if global_conditions.is_valid_global_key(condition_key):
                     is_global_key = True
                 else:
-                    return (
-                        False,
-                        f"Invalid AWS global condition key: '{condition_key}'.",
-                        None,
+                    return ConditionKeyValidationResult(
+                        is_valid=False,
+                        error_message=f"Invalid AWS global condition key: `{condition_key}`.",
                     )
 
             # Fetch service detail (cached)
@@ -863,7 +882,7 @@ class AWSServiceFetcher:
 
             # Check service-specific condition keys
             if condition_key in service_detail.condition_keys:
-                return True, None, None
+                return ConditionKeyValidationResult(is_valid=True)
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
@@ -872,7 +891,7 @@ class AWSServiceFetcher:
                     action_detail.action_condition_keys
                     and condition_key in action_detail.action_condition_keys
                 ):
-                    return True, None, None
+                    return ConditionKeyValidationResult(is_valid=True)
 
                 # Check resource-specific condition keys
                 # Get resource types required by this action
@@ -886,7 +905,7 @@ class AWSServiceFetcher:
                         resource_type = service_detail.resources.get(resource_name)
                         if resource_type and resource_type.condition_keys:
                             if condition_key in resource_type.condition_keys:
-                                return True, None, None
+                                return ConditionKeyValidationResult(is_valid=True)
 
                 # If it's a global key but the action has specific condition keys defined,
                 # AWS allows it but the key may not be available in every request context
@@ -898,21 +917,95 @@ class AWSServiceFetcher:
                         f"Verify that '{condition_key}' is available for this specific action's request context. "
                         f"Consider using '*IfExists' operators (e.g., StringEqualsIfExists) if the key might be missing."
                     )
-                    return True, None, warning_msg
+                    return ConditionKeyValidationResult(is_valid=True, warning_message=warning_msg)
 
             # If it's a global key and action doesn't define specific keys, allow it
             if is_global_key:
-                return True, None, None
+                return ConditionKeyValidationResult(is_valid=True)
+
+            # Short error message
+            error_msg = f"Condition key `{condition_key}` is not valid for action `{action}`"
+
+            # Collect valid condition keys for this action
+            valid_keys = set()
 
-            return (
-                False,
-                f"Condition key '{condition_key}' is not valid for action '{action}'",
-                None,
+            # Add service-level condition keys
+            if service_detail.condition_keys:
+                if isinstance(service_detail.condition_keys, dict):
+                    valid_keys.update(service_detail.condition_keys.keys())
+                elif isinstance(service_detail.condition_keys, list):
+                    valid_keys.update(service_detail.condition_keys)
+
+            # Add action-specific condition keys
+            if action_name in service_detail.actions:
+                action_detail = service_detail.actions[action_name]
+                if action_detail.action_condition_keys:
+                    if isinstance(action_detail.action_condition_keys, dict):
+                        valid_keys.update(action_detail.action_condition_keys.keys())
+                    elif isinstance(action_detail.action_condition_keys, list):
+                        valid_keys.update(action_detail.action_condition_keys)
+
+                # Add resource-specific condition keys
+                if action_detail.resources:
+                    for res_req in action_detail.resources:
+                        resource_name = res_req.get("Name", "")
+                        if resource_name:
+                            resource_type = service_detail.resources.get(resource_name)
+                            if resource_type and resource_type.condition_keys:
+                                if isinstance(resource_type.condition_keys, dict):
+                                    valid_keys.update(resource_type.condition_keys.keys())
+                                elif isinstance(resource_type.condition_keys, list):
+                                    valid_keys.update(resource_type.condition_keys)
+
+            # Build detailed suggestion with valid keys (goes in collapsible section)
+            suggestion_parts = []
+
+            if valid_keys:
+                # Sort and limit to first 10 keys for readability
+                sorted_keys = sorted(valid_keys)
+                suggestion_parts.append("**Valid condition keys for this action:**")
+                if len(sorted_keys) <= 10:
+                    for key in sorted_keys:
+                        suggestion_parts.append(f"- `{key}`")
+                else:
+                    for key in sorted_keys[:10]:
+                        suggestion_parts.append(f"- `{key}`")
+                    suggestion_parts.append(f"- ... and {len(sorted_keys) - 10} more")
+
+                suggestion_parts.append("")
+                suggestion_parts.append(
+                    "**Global condition keys** (e.g., `aws:ResourceOrgID`, `aws:RequestedRegion`, `aws:SourceIp`, `aws:SourceVpce`) "
+                    "can also be used with any AWS action"
+                )
+            else:
+                # No action-specific keys - mention global keys
+                suggestion_parts.append(
+                    "This action does not have specific condition keys defined.\n\n"
+                    "However, you can use **global condition keys** such as:\n"
+                    "- `aws:RequestedRegion`\n"
+                    "- `aws:SourceIp`\n"
+                    "- `aws:SourceVpce`\n"
+                    "- `aws:UserAgent`\n"
+                    "- `aws:CurrentTime`\n"
+                    "- `aws:SecureTransport`\n"
+                    "- `aws:PrincipalArn`\n"
+                    "- And many others"
+                )
+
+            suggestion = "\n".join(suggestion_parts)
+
+            return ConditionKeyValidationResult(
+                is_valid=False,
+                error_message=error_msg,
+                suggestion=suggestion,
             )
 
         except Exception as e:
             logger.error(f"Error validating condition key {condition_key} for {action}: {e}")
-            return False, f"Failed to validate condition key: {str(e)}", None
+            return ConditionKeyValidationResult(
+                is_valid=False,
+                error_message=f"Failed to validate condition key: {str(e)}",
+            )
 
     async def clear_caches(self) -> None:
         """Clear all caches (memory and disk)."""

iam_validator/core/config/config_loader.py

@@ -5,6 +5,7 @@ Loads and parses configuration from YAML files, environment variables,
 and command-line arguments.
 """
 
+import importlib
 import importlib.util
 import inspect
 import logging
@@ -314,8 +315,6 @@ class ConfigLoader:
                 module_name, class_name = parts
 
                 # Import the module
-                import importlib
-
                 module = importlib.import_module(module_name)
                 check_class = getattr(module, class_name)
 

iam_validator/core/config/defaults.py

@@ -16,6 +16,7 @@ Benefits of code-first approach:
 - 5-10x faster than YAML parsing
 """
 
+from iam_validator.core import constants
 from iam_validator.core.config.category_suggestions import get_category_suggestions
 from iam_validator.core.config.condition_requirements import CONDITION_REQUIREMENTS
 from iam_validator.core.config.principal_requirements import (
@@ -70,11 +71,11 @@ DEFAULT_CONFIG = {
         # Cache AWS service definitions locally (persists between runs)
         "cache_enabled": True,
         # Cache TTL in hours (default: 168 = 7 days)
-        "cache_ttl_hours": 168,
+        "cache_ttl_hours": constants.DEFAULT_CACHE_TTL_HOURS,
         # Severity levels that cause validation to fail
         # IAM Validity: error, warning, info
         # Security: critical, high, medium, low
-        "fail_on_severity": ["error", "critical", "high"],
+        "fail_on_severity": list(constants.HIGH_SEVERITY_LEVELS),
     },
     # ========================================================================
     # AWS IAM Validation Checks (17 checks total)
@@ -188,7 +189,7 @@ DEFAULT_CONFIG = {
         "enabled": True,
         "severity": "error",  # IAM validity error
         "description": "Validates ARN format for resources",
-        "arn_pattern": "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$",
+        "arn_pattern": constants.DEFAULT_ARN_VALIDATION_PATTERN,
     },
     # ========================================================================
     # 9. PRINCIPAL VALIDATION
@@ -389,6 +390,18 @@ DEFAULT_CONFIG = {
         # Services that are allowed to use wildcards (default: logs, cloudwatch, xray)
         # See: iam_validator/core/config/wildcards.py
         "allowed_services": list(DEFAULT_SERVICE_WILDCARDS),
+        "message": "Service wildcard '{action}' grants all permissions for the {service} service",
+        "suggestion": (
+            "Replace '{action}' with specific actions needed for your use case to follow least-privilege principle.\n"
+            "Find valid {service} actions: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"
+        ),
+        "example": (
+            "Replace:\n"
+            '  "Action": ["{action}"]\n'
+            "\n"
+            "With specific actions:\n"
+            '  "Action": ["{service}:Describe*", "{service}:List*"]\n'
+        ),
     },
     # ========================================================================
     # 16. SENSITIVE ACTION
@@ -482,10 +495,6 @@ DEFAULT_CONFIG = {
     #     - prevent_public_ip: Prevents 0.0.0.0/0 IP ranges
     #
     # See: iam_validator/core/config/condition_requirements.py
-    # Python API:
-    #   from iam_validator.core.config import CONDITION_REQUIREMENTS
-    #   import copy
-    #   requirements = copy.deepcopy(CONDITION_REQUIREMENTS)
     "action_condition_enforcement": {
         "enabled": True,
         "severity": "high",  # Default severity (can be overridden per-requirement)

iam_validator/core/constants.py

@@ -62,6 +62,21 @@ DEFAULT_CONFIG_FILENAMES = [
     ".iam-validator.yml",
 ]
 
+# ============================================================================
+# Severity Levels
+# ============================================================================
+# Severity level groupings for filtering and categorization
+# Used across formatters and report generation
+
+# High severity issues that typically fail validation
+HIGH_SEVERITY_LEVELS = ("error", "critical", "high")
+
+# Medium severity issues (warnings)
+MEDIUM_SEVERITY_LEVELS = ("warning", "medium")
+
+# Low severity issues (informational)
+LOW_SEVERITY_LEVELS = ("info", "low")
+
 # ============================================================================
 # GitHub Integration
 # ============================================================================
@@ -72,3 +87,45 @@ BOT_IDENTIFIER = "🤖 IAM Policy Validator"
 # HTML comment markers for identifying bot-generated content (for cleanup/updates)
 SUMMARY_IDENTIFIER = "<!-- iam-policy-validator-summary -->"
 REVIEW_IDENTIFIER = "<!-- iam-policy-validator-review -->"
+
+# GitHub comment size limits
+# GitHub's actual limit is 65536 characters, but we use a smaller limit for safety
+GITHUB_MAX_COMMENT_LENGTH = 65000  # Maximum single comment length
+GITHUB_COMMENT_SPLIT_LIMIT = 60000  # Target size when splitting into multiple parts
+
+# Comment size estimation parameters (used for multi-part comment splitting)
+COMMENT_BASE_OVERHEAD_CHARS = 2000  # Base overhead for headers/footers
+COMMENT_CHARS_PER_ISSUE_ESTIMATE = 500  # Average characters per issue
+COMMENT_CONTINUATION_OVERHEAD_CHARS = 200  # Overhead for continuation markers
+FORMATTING_SAFETY_BUFFER = 100  # Safety buffer for formatting calculations
+
+# ============================================================================
+# Console Display Settings
+# ============================================================================
+
+# Panel width for formatted console output
+CONSOLE_PANEL_WIDTH = 100
+
+# Rich console color styles
+CONSOLE_HEADER_COLOR = "bright_blue"
+
+# ============================================================================
+# Cache and Timeout Settings
+# ============================================================================
+
+# Cache TTL (Time To Live) - 7 days
+DEFAULT_CACHE_TTL_HOURS = 168  # 7 days in hours
+DEFAULT_CACHE_TTL_SECONDS = 604800  # 7 days in seconds (168 * 3600)
+
+# HTTP request timeout in seconds
+DEFAULT_HTTP_TIMEOUT_SECONDS = 30.0
+
+# Time conversion constants
+SECONDS_PER_HOUR = 3600
+
+# ============================================================================
+# AWS Documentation URLs
+# ============================================================================
+
+# AWS Service Authorization Reference (for finding valid actions, resources, and condition keys)
+AWS_SERVICE_AUTH_REF_URL = "https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html"