workspaces-euc-mcp-server 0.1.3__tar.gz → 0.1.5__tar.gz

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/CHANGELOG.md

@@ -5,6 +5,38 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.1.5] - 2026-06-02
+
+### Added
+- `get_euc_audit_trail` — a new read-only (Tier 0) tool that reports recent EUC management activity
+  from CloudTrail (always-on `LookupEvents`, 90-day window, no trail required) across WorkSpaces
+  Personal/Pools/Core, WorkSpaces Applications, Secure Browser, and Core Managed Instances.
+  Mutations-only by default ("who created/modified/terminated what"); flags destructive actions and
+  errors (e.g. AccessDenied). Adds `cloudtrail:LookupEvents` to every IAM tier.
+- `get_euc_service_quotas` — a new read-only (Tier 0) tool that reports Service Quotas limits per
+  EUC service and, where AWS publishes a linked usage metric (`AWS/Usage` `ResourceCount`), the
+  current usage and utilisation %, flagging quotas approaching their limit (capacity planning).
+  Adds `servicequotas:ListServiceQuotas` / `GetServiceQuota` to every IAM tier.
+- `audit_application_images` — a new read-only (Tier 0) tool that audits WorkSpaces Applications
+  (AppStream 2.0) **images and image builders**: lists your PRIVATE/SHARED images (skipping PUBLIC
+  base images) and flags stale base images (likely unpatched OS), pinned/old AppStream agents,
+  non-AVAILABLE or errored images, SHARED cross-account visibility, and image builders left
+  **RUNNING** (per-hour cost + interactive admin surface). Adds `appstream:DescribeImages` and
+  `appstream:DescribeImageBuilders` to every IAM tier.
+
+### Docs
+- README and DESIGN.md reconciled to the shipped state: 21 read-only tools (Tiers 0–1) + 10 write
+  (Tier 2) + 3 destructive (Tier 3); `tools/` layout, §5 tool catalog (image audit + governance),
+  and the Tier 0 IAM action list all updated.
+
+## [0.1.4] - 2026-06-02
+
+### Added
+- `get_euc_cost_summary` now returns `by_period` — a per-bucket time series (one entry per day for
+  `DAILY`, per month for `MONTHLY`), each with its own per-service split. Previously the tool
+  collapsed all periods into per-service totals, so a `DAILY` request lost the daily breakdown and
+  clients had to query each day individually to chart trends.
+
 ## [0.1.3] - 2026-06-02
 
 ### Fixed

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/DESIGN.md

@@ -4,12 +4,14 @@
 > inventory, troubleshooting, cost/utilization optimization, and guarded lifecycle management
 > across the Amazon WorkSpaces family of End User Computing services.
 >
-> **Shipped:** 18 read-only tools (Tier 0/1) + 10 guarded write tools (Tier 2) + 3 destructive
+> **Shipped:** 21 read-only tools (Tier 0/1) + 10 guarded write tools (Tier 2) + 3 destructive
 > tools (Tier 3), all behind opt-in flags with dry-run/confirm/blast-radius/typed-acknowledgement
-> guards. All four IAM policy tiers ship in `iam/`. CI (ruff/format/pyright/bandit/pytest on
-> Py 3.11–3.13) is green; published to PyPI and GHCR. **`README.md` is the source of truth for the
-> live tool catalog and exact tool names** — §5 below records the original design intent and is
-> kept reconciled with what shipped. See `CHANGELOG.md` for per-version detail.
+> guards. Read-only coverage now includes image auditing and governance (CloudTrail audit trail +
+> Service Quotas headroom). All four IAM policy tiers ship in `iam/`. CI
+> (ruff/format/pyright/bandit/pytest on Py 3.11–3.13) is green; published to PyPI and GHCR.
+> **`README.md` is the source of truth for the live tool catalog and exact tool names** — §5 below
+> records the original design intent and is kept reconciled with what shipped. See `CHANGELOG.md`
+> for per-version detail.
 
 ## 1. Principles
 
@@ -72,6 +74,8 @@
       reporting.py
       secure_browser.py
       pricing.py       # AWS Price List lookups for $ estimates
+      images.py        # WorkSpaces Applications image / image-builder audit
+      governance.py    # CloudTrail audit trail + Service Quotas headroom
       lifecycle.py     # Tier 2 (guarded writes)
       destructive.py   # Tier 3 (terminate/rebuild/restore)
   iam/                 # shippable least-privilege policy docs per tier (0–3)
@@ -137,8 +141,15 @@ and return a synthesized result, not raw API passthroughs.
 | Tool | Purpose | IAM actions |
 |---|---|---|
 | `audit_security_posture` | Encryption at rest, IP access control groups, directory config, portal policies | `workspaces:Describe*`, `workspaces-web:Get*/List*`, `appstream:Describe*` |
+| `audit_application_images` | WorkSpaces Applications image/image-builder audit — stale base, pinned agent, errored/SHARED images, RUNNING builders | `appstream:DescribeImages`, `appstream:DescribeImageBuilders` |
 | `list_unused_resources` | Idle desktops / empty fleets / orphaned resources | describes + `cloudwatch:GetMetricData` |
 
+**Governance** (cross-service)
+| Tool | Purpose | IAM actions |
+|---|---|---|
+| `get_euc_audit_trail` | "Who changed what" — recent EUC management events (mutations by default), 90-day CloudTrail history | `cloudtrail:LookupEvents` |
+| `get_euc_service_quotas` | Quota limits + usage headroom per EUC service (capacity planning) | `servicequotas:ListServiceQuotas`, `servicequotas:GetServiceQuota`, `cloudwatch:GetMetricData` |
+
 ### Phase 2 — Guarded lifecycle (writes; Tier 2, `--enable-writes`)
 All support `dry_run`, return a plan + blast-radius before acting, and honor `--max-bulk-targets`.
 
@@ -162,9 +173,12 @@ All support `dry_run`, return a plan + blast-radius before acting, and honor `--
 
 We ship a managed policy document per tier so customers grant exactly what they enable.
 
-- **Tier 0 — Diagnostics (read-only):** `workspaces:Describe*`, `appstream:Describe*`,
-  `workspaces-web:Get*`/`List*`, `ds:DescribeDirectories`, `cloudwatch:GetMetricData`,
-  `application-autoscaling:DescribeScalingActivities`.
+- **Tier 0 — Diagnostics (read-only):** `workspaces:Describe*`, `appstream:Describe*` (incl.
+  `DescribeImages`/`DescribeImageBuilders`), `workspaces-web:Get*`/`List*`,
+  `workspaces-instances:List*`/`Get*`, `ds:DescribeDirectories`,
+  `cloudwatch:GetMetricData`/`ListMetrics`, `application-autoscaling:DescribeScalingActivities`,
+  `ec2:DescribeInstances`, `cloudtrail:LookupEvents`,
+  `servicequotas:ListServiceQuotas`/`GetServiceQuota`.
 - **Tier 1 — Cost/optimization (read-only):** Tier 0 + `ce:GetCostAndUsage`,
   `ce:GetDimensionValues`, `pricing:GetProducts`.
 - **Tier 2 — Lifecycle (writes):** Tier 1 + `workspaces:Start/Stop/Reboot/ModifyWorkspace*`,

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workspaces-euc-mcp-server
-Version: 0.1.3
+Version: 0.1.5
 Summary: MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core).
 Project-URL: Homepage, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
 Project-URL: Repository, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
@@ -70,7 +70,9 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 
 ## Status
 
-**Phase 1 (in progress)** — read-only inventory and troubleshooting tools:
+**Shipped** (published to PyPI + GHCR) — **21 read-only tools** (Tiers 0–1) plus opt-in **10 write**
+(Tier 2) and **3 destructive** (Tier 3) tools. The read-only inventory, troubleshooting, cost,
+audit, and governance tools:
 
 | Tool | Description |
 |------|-------------|
@@ -89,6 +91,9 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 | `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped; note Cost Explorer bills WorkSpaces Personal/Pools/Core together as one "Amazon WorkSpaces" line (Tier 1). |
 | `generate_inventory_report` | Detailed per-resource inventory (desktops **with assigned user / computer name / IP**, pools, fleets, **stacks + their associated fleets**, portals) with key attributes (Tier 0). |
 | `audit_security_posture` | Cross-service: flags unencrypted WorkSpace volumes, directories without IP access control groups, and **Secure Browser portals / Applications stacks that allow data egress** (clipboard/download/print) (Tier 0). |
+| `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
+| `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
+| `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
 | `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
 | `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/README.md

@@ -40,7 +40,9 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 
 ## Status
 
-**Phase 1 (in progress)** — read-only inventory and troubleshooting tools:
+**Shipped** (published to PyPI + GHCR) — **21 read-only tools** (Tiers 0–1) plus opt-in **10 write**
+(Tier 2) and **3 destructive** (Tier 3) tools. The read-only inventory, troubleshooting, cost,
+audit, and governance tools:
 
 | Tool | Description |
 |------|-------------|
@@ -59,6 +61,9 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 | `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped; note Cost Explorer bills WorkSpaces Personal/Pools/Core together as one "Amazon WorkSpaces" line (Tier 1). |
 | `generate_inventory_report` | Detailed per-resource inventory (desktops **with assigned user / computer name / IP**, pools, fleets, **stacks + their associated fleets**, portals) with key attributes (Tier 0). |
 | `audit_security_posture` | Cross-service: flags unencrypted WorkSpace volumes, directories without IP access control groups, and **Secure Browser portals / Applications stacks that allow data egress** (clipboard/download/print) (Tier 0). |
+| `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
+| `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
+| `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
 | `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
 | `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/iam/tier0-diagnostics.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -60,7 +62,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     }

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/iam/tier1-cost.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -60,7 +62,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/iam/tier2-lifecycle.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -60,7 +62,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/iam/tier3-destructive.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -60,7 +62,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "workspaces-euc-mcp-server"
-version = "0.1.3"
+version = "0.1.5"
 description = "MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core)."
 readme = "README.md"
 requires-python = ">=3.11"

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/tests/test_cost.py

@@ -172,6 +172,49 @@ def test_cost_summary_keyword_matches_variants_and_excludes_noneuc():
     assert summary.total == 1701.82
 
 
+def test_cost_summary_daily_returns_per_period_time_series():
+    # DAILY granularity must preserve the per-day breakdown in by_period (for charts), not just
+    # collapse everything into by_service totals.
+    ce = types.SimpleNamespace(
+        get_cost_and_usage=lambda **_: {
+            "ResultsByTime": [
+                {
+                    "TimePeriod": {"Start": "2026-05-01", "End": "2026-05-02"},
+                    "Groups": [
+                        {
+                            "Keys": ["Amazon WorkSpaces Applications"],
+                            "Metrics": {"UnblendedCost": {"Amount": "30.00", "Unit": "USD"}},
+                        }
+                    ],
+                },
+                {
+                    "TimePeriod": {"Start": "2026-05-02", "End": "2026-05-03"},
+                    "Groups": [
+                        {
+                            "Keys": ["Amazon WorkSpaces Applications"],
+                            "Metrics": {"UnblendedCost": {"Amount": "45.00", "Unit": "USD"}},
+                        }
+                    ],
+                },
+            ]
+        }
+    )
+    factory = FakeFactory({consts.COST_EXPLORER_API: ce})
+
+    summary = cost.get_euc_cost_summary_core(
+        factory, granularity="DAILY", start_date="2026-05-01", end_date="2026-05-03"
+    )
+
+    # Aggregate total preserved...
+    assert summary.total == 75.0
+    # ...and the daily series is available, ordered by date.
+    assert [(p.start, p.total) for p in summary.by_period] == [
+        ("2026-05-01", 30.0),
+        ("2026-05-02", 45.0),
+    ]
+    assert summary.by_period[0].by_service[0].service == "Amazon WorkSpaces Applications"
+
+
 def test_cost_summary_explicit_date_range_overrides_lookback():
     captured: dict = {}
 

workspaces_euc_mcp_server-0.1.5/tests/test_governance.py

@@ -0,0 +1,133 @@
+# Copyright bengroeneveldsg. Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
+"""Tests for the governance tools (audit trail + service quotas)."""
+
+from __future__ import annotations
+
+import json
+import types
+from datetime import UTC, datetime
+
+from workspaces_euc_mcp_server import consts
+from workspaces_euc_mcp_server.tools import governance
+
+
+class FakeFactory:
+    region = "ap-southeast-1"
+
+    def __init__(self, clients: dict[str, object]) -> None:
+        self._clients = clients
+
+    def client(self, service_name: str, region: str | None = None):
+        assert service_name in self._clients, f"unexpected client: {service_name}"
+        return self._clients[service_name]
+
+
+def _event(name, source, user, *, read_only=False, error=None, resource=None):
+    detail = {"sourceIPAddress": "203.0.113.5", "awsRegion": "ap-southeast-1"}
+    if error:
+        detail["errorCode"] = error
+    return {
+        "EventName": name,
+        "EventSource": source,
+        "Username": user,
+        "ReadOnly": read_only,
+        "EventTime": datetime(2026, 5, 30, 9, 0, tzinfo=UTC),
+        "Resources": [{"ResourceName": resource}] if resource else [],
+        "CloudTrailEvent": json.dumps(detail),
+    }
+
+
+def test_audit_trail_filters_euc_and_flags_destructive():
+    events = [
+        _event("TerminateWorkspaces", "workspaces.amazonaws.com", "admin", resource="ws-abc"),
+        _event("CreateFleet", "appstream.amazonaws.com", "ops"),
+        _event("RunInstances", "ec2.amazonaws.com", "someone"),  # non-EUC, must be dropped
+    ]
+    trail = types.SimpleNamespace(lookup_events=lambda **_: {"Events": events})
+    factory = FakeFactory({consts.CLOUDTRAIL_API: trail})
+
+    report = governance.get_euc_audit_trail_core(factory, "ap-southeast-1", lookback_days=7)
+
+    names = {e.event_name for e in report.events}
+    assert names == {"TerminateWorkspaces", "CreateFleet"}  # EC2 dropped
+    assert report.total_events == 2
+    assert any(
+        "Destructive" in f.issue and "TerminateWorkspaces" in f.issue for f in report.findings
+    )
+    # Service label resolved from the event source.
+    assert any(e.service == "Amazon WorkSpaces" for e in report.events)
+
+
+def test_audit_trail_flags_access_denied():
+    events = [_event("DeletePortal", "workspaces-web.amazonaws.com", "x", error="AccessDenied")]
+    trail = types.SimpleNamespace(lookup_events=lambda **_: {"Events": events})
+    factory = FakeFactory({consts.CLOUDTRAIL_API: trail})
+
+    report = governance.get_euc_audit_trail_core(factory, "ap-southeast-1")
+
+    assert any("AccessDenied" in f.issue and f.severity == "warning" for f in report.findings)
+
+
+def test_audit_trail_lookback_capped_at_90():
+    trail = types.SimpleNamespace(lookup_events=lambda **_: {"Events": []})
+    factory = FakeFactory({consts.CLOUDTRAIL_API: trail})
+    report = governance.get_euc_audit_trail_core(factory, "ap-southeast-1", lookback_days=365)
+    assert report.lookback_days == 90
+
+
+def test_service_quotas_computes_headroom_and_flags():
+    quotas = {
+        "Quotas": [
+            {
+                "QuotaName": "WorkSpaces",
+                "QuotaCode": "L-1",
+                "Value": 200.0,
+                "Adjustable": True,
+                "UsageMetric": {
+                    "MetricNamespace": "AWS/Usage",
+                    "MetricName": "ResourceCount",
+                    "MetricDimensions": {"Service": "WorkSpaces", "Resource": "WorkSpace"},
+                    "MetricStatisticRecommendation": "Maximum",
+                },
+            },
+            {
+                "QuotaName": "WorkSpaces Pools",
+                "QuotaCode": "L-2",
+                "Value": 10.0,
+                "Adjustable": False,
+                "UsageMetric": {
+                    "MetricNamespace": "AWS/Usage",
+                    "MetricName": "ResourceCount",
+                    "MetricDimensions": {"Service": "WorkSpaces", "Resource": "Pool"},
+                    "MetricStatisticRecommendation": "Maximum",
+                },
+            },
+            {"QuotaName": "Zero thing", "QuotaCode": "L-3", "Value": 0.0, "Adjustable": True},
+        ]
+    }
+    sq = types.SimpleNamespace(list_service_quotas=lambda **_: quotas)
+    # u0 -> WorkSpaces (14/200 = 7%), u1 -> Pools (9/10 = 90% -> flagged, not adjustable)
+    cw = types.SimpleNamespace(
+        get_metric_data=lambda **_: {
+            "MetricDataResults": [
+                {"Id": "u0", "Values": [14.0]},
+                {"Id": "u1", "Values": [9.0]},
+            ]
+        }
+    )
+    factory = FakeFactory({consts.SERVICE_QUOTAS_API: sq, consts.CLOUDWATCH_API: cw})
+
+    report = governance.get_euc_service_quotas_core(
+        factory, "ap-southeast-1", service="workspaces", approaching_pct=80.0
+    )
+
+    by_name = {q.quota_name: q for q in report.quotas}
+    assert "Zero thing" not in by_name  # zero-limit hidden by default
+    assert by_name["WorkSpaces"].utilization_pct == 7.0
+    assert by_name["WorkSpaces Pools"].utilization_pct == 90.0
+    # Only the Pools quota (90% >= 80) is flagged, and noted as non-adjustable.
+    assert len(report.findings) == 1
+    assert "WorkSpaces Pools" in report.findings[0].target
+    assert "NOT adjustable" in report.findings[0].issue

workspaces_euc_mcp_server-0.1.5/tests/test_images.py

@@ -0,0 +1,115 @@
+# Copyright bengroeneveldsg. Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
+"""Tests for the WorkSpaces Applications image-audit tool, using fake boto3 clients."""
+
+from __future__ import annotations
+
+import types
+from datetime import UTC, datetime, timedelta
+
+from workspaces_euc_mcp_server import consts
+from workspaces_euc_mcp_server.tools import images
+
+
+class FakeFactory:
+    region = "ap-southeast-1"
+
+    def __init__(self, client: object) -> None:
+        self._client = client
+
+    def client(self, service_name: str, region: str | None = None):
+        assert service_name == consts.APPSTREAM_API
+        return self._client
+
+
+def _appstream(images_by_type: dict[str, list[dict]], builders: list[dict]):
+    def describe_images(**kwargs):
+        return {"Images": images_by_type.get(kwargs.get("Type"), [])}
+
+    def describe_image_builders(**_):
+        return {"ImageBuilders": builders}
+
+    return types.SimpleNamespace(
+        describe_images=describe_images, describe_image_builders=describe_image_builders
+    )
+
+
+def test_audit_flags_stale_base_pinned_agent_and_running_builder():
+    old_base = datetime.now(UTC) - timedelta(days=400)
+    fresh_base = datetime.now(UTC) - timedelta(days=10)
+    client = _appstream(
+        {
+            "PRIVATE": [
+                {
+                    "Name": "StaleImage",
+                    "Visibility": "PRIVATE",
+                    "Platform": "WINDOWS_SERVER_2022",
+                    "State": "AVAILABLE",
+                    "AppstreamAgentVersion": "10-02-2025",  # pinned, not LATEST
+                    "Applications": [{"Name": "chrome", "Enabled": True}],
+                    "PublicBaseImageReleasedDate": old_base,
+                    "CreatedTime": old_base,
+                },
+                {
+                    "Name": "GoodImage",
+                    "Visibility": "PRIVATE",
+                    "Platform": "WINDOWS_SERVER_2022",
+                    "State": "AVAILABLE",
+                    "AppstreamAgentVersion": "LATEST",
+                    "Applications": [{"Name": "vscode", "Enabled": True}],
+                    "PublicBaseImageReleasedDate": fresh_base,
+                    "CreatedTime": fresh_base,
+                },
+            ],
+            "SHARED": [],
+        },
+        builders=[
+            {"Name": "Builder-Idle", "State": "STOPPED", "Platform": "WINDOWS_SERVER_2022"},
+            {"Name": "Builder-Live", "State": "RUNNING", "Platform": "WINDOWS_SERVER_2025"},
+        ],
+    )
+    report = images.audit_application_images_core(FakeFactory(client), "ap-southeast-1")
+
+    assert report.image_count == 2
+    assert report.image_builder_count == 2
+    assert report.running_image_builders == 1
+
+    issues = {(f.target, f.issue) for f in report.findings}
+    # Stale base + pinned agent on StaleImage; running builder flagged; GoodImage clean.
+    assert any(t == "StaleImage" and "base image released" in i for t, i in issues)
+    assert any(t == "StaleImage" and "pinned" in i for t, i in issues)
+    assert any(t == "Builder-Live" and "RUNNING" in i for t, i in issues)
+    assert not any(t == "GoodImage" for t, _ in issues)
+
+
+def test_audit_flags_shared_visibility_and_records_errors():
+    from botocore.exceptions import ClientError
+
+    def describe_images(**kwargs):
+        if kwargs.get("Type") == "SHARED":
+            return {
+                "Images": [
+                    {
+                        "Name": "SharedIn",
+                        "Visibility": "SHARED",
+                        "State": "AVAILABLE",
+                        "AppstreamAgentVersion": "LATEST",
+                    }
+                ]
+            }
+        return {"Images": []}
+
+    def describe_image_builders(**_):
+        raise ClientError(
+            {"Error": {"Code": "AccessDeniedException", "Message": "no"}},
+            "DescribeImageBuilders",
+        )
+
+    client = types.SimpleNamespace(
+        describe_images=describe_images, describe_image_builders=describe_image_builders
+    )
+    report = images.audit_application_images_core(FakeFactory(client), "ap-southeast-1")
+
+    assert any(f.target == "SharedIn" and "SHARED" in f.issue for f in report.findings)
+    assert any(e.operation == "DescribeImageBuilders" for e in report.errors)

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/workspaces_euc_mcp_server/__init__.py

@@ -3,4 +3,4 @@
 # A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
 """MCP server for administering the Amazon WorkSpaces End User Computing portfolio."""
 
-__version__ = "0.1.3"
+__version__ = "0.1.5"

{workspaces_euc_mcp_server-0.1.3 → workspaces_euc_mcp_server-0.1.5}/workspaces_euc_mcp_server/consts.py

@@ -22,6 +22,8 @@ CLOUDWATCH_API = "cloudwatch"  # Telemetry for diagnostics/cost tools.
 EC2_API = "ec2"  # Used to enrich WorkSpaces Core Managed Instances with EC2 details.
 COST_EXPLORER_API = "ce"  # Cost Explorer (global; account-wide, not region-scoped).
 PRICING_API = "pricing"  # AWS Price List (global).
+CLOUDTRAIL_API = "cloudtrail"  # Management-event history (LookupEvents) for the audit trail.
+SERVICE_QUOTAS_API = "service-quotas"  # Quota limits + linked usage metrics for headroom.
 
 # Cost Explorer is a global endpoint served from us-east-1 regardless of the working region.
 COST_EXPLORER_REGION = "us-east-1"
@@ -44,6 +46,50 @@ PRODUCT_WORKSPACES_APPLICATIONS = "Amazon WorkSpaces Applications"
 PRODUCT_SECURE_BROWSER = "Amazon WorkSpaces Secure Browser"
 PRODUCT_WORKSPACES_CORE_INSTANCES = "Amazon WorkSpaces Core Managed Instances"
 
+# --- Governance: CloudTrail event sources + Service Quotas codes per EUC service group ---
+# CloudTrail EventSource -> human product label (workspaces source covers Personal/Pools/Core).
+EUC_AUDIT_SOURCES = {
+    "workspaces.amazonaws.com": "Amazon WorkSpaces",
+    "appstream.amazonaws.com": PRODUCT_WORKSPACES_APPLICATIONS,
+    "workspaces-web.amazonaws.com": PRODUCT_SECURE_BROWSER,
+    "workspaces-instances.amazonaws.com": PRODUCT_WORKSPACES_CORE_INSTANCES,
+}
+# Friendly service filter -> the CloudTrail EventSource(s) it selects.
+EUC_AUDIT_SERVICE_FILTER = {
+    "all": list(EUC_AUDIT_SOURCES),
+    "workspaces": ["workspaces.amazonaws.com"],
+    "applications": ["appstream.amazonaws.com"],
+    "secure-browser": ["workspaces-web.amazonaws.com"],
+    "core": ["workspaces-instances.amazonaws.com"],
+}
+# Service Quotas service code -> human product label.
+EUC_QUOTA_SERVICE_CODES = {
+    "workspaces": "Amazon WorkSpaces",
+    "appstream2": PRODUCT_WORKSPACES_APPLICATIONS,
+    "workspaces-web": PRODUCT_SECURE_BROWSER,
+    "workspaces-instances": PRODUCT_WORKSPACES_CORE_INSTANCES,
+}
+# Friendly service filter -> the Service Quotas code(s) it selects.
+EUC_QUOTA_SERVICE_FILTER = {
+    "all": list(EUC_QUOTA_SERVICE_CODES),
+    "workspaces": ["workspaces"],
+    "applications": ["appstream2"],
+    "secure-browser": ["workspaces-web"],
+    "core": ["workspaces-instances"],
+}
+# CloudTrail event-name prefixes treated as destructive/high-impact in audit findings.
+AUDIT_DESTRUCTIVE_PREFIXES = (
+    "Terminate",
+    "Delete",
+    "Reboot",
+    "Rebuild",
+    "Restore",
+    "Revoke",
+    "Disassociate",
+    "Stop",
+    "Expire",
+)
+
 # Legacy / former product names mapped to their current official name. Accept these as INPUT
 # (users will keep saying them) but always emit the current name in output. This is surfaced to the
 # MCP client model via the server instructions and tool descriptions so a query about, say,