workspaces-euc-mcp-server 0.1.4__tar.gz → 0.1.6__tar.gz

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/CHANGELOG.md

@@ -5,6 +5,42 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.1.6] - 2026-06-02
+
+### Added
+- `check_directory_health` now surfaces each directory's **registration properties** in its
+  signals — notably the target **OU** (`WorkspaceCreationProperties.DefaultOu`), plus custom
+  security group, local-admin / internet-access / maintenance-mode flags, and directory/workspace
+  type. (AD-backed directories carry an OU; WorkSpaces-managed ones return none.)
+- `get_secure_browser_portal_details` now resolves the portal's **data-protection configuration**
+  when attached: the redacted built-in/custom inline-redaction patterns, global confidence level,
+  and enforced/exempt URLs — not just whether data protection is on. Adds
+  `workspaces-web:GetDataProtectionSettings` to every IAM tier.
+
+## [0.1.5] - 2026-06-02
+
+### Added
+- `get_euc_audit_trail` — a new read-only (Tier 0) tool that reports recent EUC management activity
+  from CloudTrail (always-on `LookupEvents`, 90-day window, no trail required) across WorkSpaces
+  Personal/Pools/Core, WorkSpaces Applications, Secure Browser, and Core Managed Instances.
+  Mutations-only by default ("who created/modified/terminated what"); flags destructive actions and
+  errors (e.g. AccessDenied). Adds `cloudtrail:LookupEvents` to every IAM tier.
+- `get_euc_service_quotas` — a new read-only (Tier 0) tool that reports Service Quotas limits per
+  EUC service and, where AWS publishes a linked usage metric (`AWS/Usage` `ResourceCount`), the
+  current usage and utilisation %, flagging quotas approaching their limit (capacity planning).
+  Adds `servicequotas:ListServiceQuotas` / `GetServiceQuota` to every IAM tier.
+- `audit_application_images` — a new read-only (Tier 0) tool that audits WorkSpaces Applications
+  (AppStream 2.0) **images and image builders**: lists your PRIVATE/SHARED images (skipping PUBLIC
+  base images) and flags stale base images (likely unpatched OS), pinned/old AppStream agents,
+  non-AVAILABLE or errored images, SHARED cross-account visibility, and image builders left
+  **RUNNING** (per-hour cost + interactive admin surface). Adds `appstream:DescribeImages` and
+  `appstream:DescribeImageBuilders` to every IAM tier.
+
+### Docs
+- README and DESIGN.md reconciled to the shipped state: 21 read-only tools (Tiers 0–1) + 10 write
+  (Tier 2) + 3 destructive (Tier 3); `tools/` layout, §5 tool catalog (image audit + governance),
+  and the Tier 0 IAM action list all updated.
+
 ## [0.1.4] - 2026-06-02
 
 ### Added

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/DESIGN.md

@@ -4,12 +4,14 @@
 > inventory, troubleshooting, cost/utilization optimization, and guarded lifecycle management
 > across the Amazon WorkSpaces family of End User Computing services.
 >
-> **Shipped:** 18 read-only tools (Tier 0/1) + 10 guarded write tools (Tier 2) + 3 destructive
+> **Shipped:** 21 read-only tools (Tier 0/1) + 10 guarded write tools (Tier 2) + 3 destructive
 > tools (Tier 3), all behind opt-in flags with dry-run/confirm/blast-radius/typed-acknowledgement
-> guards. All four IAM policy tiers ship in `iam/`. CI (ruff/format/pyright/bandit/pytest on
-> Py 3.11–3.13) is green; published to PyPI and GHCR. **`README.md` is the source of truth for the
-> live tool catalog and exact tool names** — §5 below records the original design intent and is
-> kept reconciled with what shipped. See `CHANGELOG.md` for per-version detail.
+> guards. Read-only coverage now includes image auditing and governance (CloudTrail audit trail +
+> Service Quotas headroom). All four IAM policy tiers ship in `iam/`. CI
+> (ruff/format/pyright/bandit/pytest on Py 3.11–3.13) is green; published to PyPI and GHCR.
+> **`README.md` is the source of truth for the live tool catalog and exact tool names** — §5 below
+> records the original design intent and is kept reconciled with what shipped. See `CHANGELOG.md`
+> for per-version detail.
 
 ## 1. Principles
 
@@ -72,6 +74,8 @@
       reporting.py
       secure_browser.py
       pricing.py       # AWS Price List lookups for $ estimates
+      images.py        # WorkSpaces Applications image / image-builder audit
+      governance.py    # CloudTrail audit trail + Service Quotas headroom
       lifecycle.py     # Tier 2 (guarded writes)
       destructive.py   # Tier 3 (terminate/rebuild/restore)
   iam/                 # shippable least-privilege policy docs per tier (0–3)
@@ -113,7 +117,7 @@ and return a synthesized result, not raw API passthroughs.
 | `diagnose_workspace_connectivity` | Correlate a Personal WorkSpace's state + connection status + directory health + CloudWatch into a root-cause narrative | `workspaces:Describe*`, `ds:DescribeDirectories`, `cloudwatch:GetMetricData` |
 | `diagnose_pool` | Why a Pool is unhealthy/queued — capacity status, sessions, errors, scaling | `workspaces:DescribeWorkspacesPool*`, `cloudwatch:GetMetricData` |
 | `diagnose_application_fleet` | Fleet state, capacity, scaling activity, fleet errors | `appstream:DescribeFleets`, `appstream:ListAssociatedStacks`, `cloudwatch:GetMetricData`, `application-autoscaling:DescribeScalingActivities` |
-| `check_directory_health` | Shared dependency: directory reachability/registration (skips `ds` for WorkSpaces-managed `wsd-` directories) | `ds:DescribeDirectories`, `workspaces:DescribeWorkspaceDirectories` |
+| `check_directory_health` | Shared dependency: directory reachability/registration + registration properties (target OU, security group, flags); skips `ds` for WorkSpaces-managed `wsd-` directories | `ds:DescribeDirectories`, `workspaces:DescribeWorkspaceDirectories` |
 
 **Cost, utilization & performance**
 | Tool | Purpose | IAM actions |
@@ -130,15 +134,22 @@ and return a synthesized result, not raw API passthroughs.
 **Secure Browser**
 | Tool | Purpose | IAM actions |
 |---|---|---|
-| `get_secure_browser_portal_details` | Portal config + associated settings (browser/network/user/IP-access) | `workspaces-web:GetPortal`, `workspaces-web:List*`, `workspaces-web:Get*Settings` |
+| `get_secure_browser_portal_details` | Portal config + associated settings (browser/network/user/IP-access) + resolved data-protection redaction config | `workspaces-web:GetPortal`, `workspaces-web:List*`, `workspaces-web:Get*Settings`, `workspaces-web:GetDataProtectionSettings` |
 | `get_secure_browser_portal_usage` | Portal session/usage metrics | `workspaces-web:ListPortals`, `cloudwatch:GetMetricData` |
 
 **Reporting & audit**
 | Tool | Purpose | IAM actions |
 |---|---|---|
 | `audit_security_posture` | Encryption at rest, IP access control groups, directory config, portal policies | `workspaces:Describe*`, `workspaces-web:Get*/List*`, `appstream:Describe*` |
+| `audit_application_images` | WorkSpaces Applications image/image-builder audit — stale base, pinned agent, errored/SHARED images, RUNNING builders | `appstream:DescribeImages`, `appstream:DescribeImageBuilders` |
 | `list_unused_resources` | Idle desktops / empty fleets / orphaned resources | describes + `cloudwatch:GetMetricData` |
 
+**Governance** (cross-service)
+| Tool | Purpose | IAM actions |
+|---|---|---|
+| `get_euc_audit_trail` | "Who changed what" — recent EUC management events (mutations by default), 90-day CloudTrail history | `cloudtrail:LookupEvents` |
+| `get_euc_service_quotas` | Quota limits + usage headroom per EUC service (capacity planning) | `servicequotas:ListServiceQuotas`, `servicequotas:GetServiceQuota`, `cloudwatch:GetMetricData` |
+
 ### Phase 2 — Guarded lifecycle (writes; Tier 2, `--enable-writes`)
 All support `dry_run`, return a plan + blast-radius before acting, and honor `--max-bulk-targets`.
 
@@ -162,9 +173,12 @@ All support `dry_run`, return a plan + blast-radius before acting, and honor `--
 
 We ship a managed policy document per tier so customers grant exactly what they enable.
 
-- **Tier 0 — Diagnostics (read-only):** `workspaces:Describe*`, `appstream:Describe*`,
-  `workspaces-web:Get*`/`List*`, `ds:DescribeDirectories`, `cloudwatch:GetMetricData`,
-  `application-autoscaling:DescribeScalingActivities`.
+- **Tier 0 — Diagnostics (read-only):** `workspaces:Describe*`, `appstream:Describe*` (incl.
+  `DescribeImages`/`DescribeImageBuilders`), `workspaces-web:Get*`/`List*`,
+  `workspaces-instances:List*`/`Get*`, `ds:DescribeDirectories`,
+  `cloudwatch:GetMetricData`/`ListMetrics`, `application-autoscaling:DescribeScalingActivities`,
+  `ec2:DescribeInstances`, `cloudtrail:LookupEvents`,
+  `servicequotas:ListServiceQuotas`/`GetServiceQuota`.
 - **Tier 1 — Cost/optimization (read-only):** Tier 0 + `ce:GetCostAndUsage`,
   `ce:GetDimensionValues`, `pricing:GetProducts`.
 - **Tier 2 — Lifecycle (writes):** Tier 1 + `workspaces:Start/Stop/Reboot/ModifyWorkspace*`,

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workspaces-euc-mcp-server
-Version: 0.1.4
+Version: 0.1.6
 Summary: MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core).
 Project-URL: Homepage, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
 Project-URL: Repository, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
@@ -70,7 +70,9 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 
 ## Status
 
-**Phase 1 (in progress)** — read-only inventory and troubleshooting tools:
+**Shipped** (published to PyPI + GHCR) — **21 read-only tools** (Tiers 0–1) plus opt-in **10 write**
+(Tier 2) and **3 destructive** (Tier 3) tools. The read-only inventory, troubleshooting, cost,
+audit, and governance tools:
 
 | Tool | Description |
 |------|-------------|
@@ -79,7 +81,7 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 | `diagnose_application_fleet` | A WorkSpaces Applications fleet's health and capacity — fleet state, fleet errors, compute capacity, auto-scaling activity, and insufficient-capacity errors. |
 | `diagnose_pool` | A WorkSpaces Pool's health — state, pool errors, user-session capacity, backing directory health, and session-utilization. |
 | `get_application_fleet_usage` | A WorkSpaces Applications fleet's **usage history** — AWS/AppStream capacity/utilization time-series over a window, with a plain-language summary (e.g. idle running capacity) (Tier 0). |
-| `check_directory_health` | Registration state and AWS Directory Service stage for one or all WorkSpaces-registered directories. |
+| `check_directory_health` | Registration state, AWS Directory Service stage, and **registration properties** (target **OU**, custom security group, local-admin / internet-access / maintenance-mode flags) for one or all WorkSpaces-registered directories. |
 | `analyze_workspace_utilization` | Classifies WorkSpaces Personal desktops as unused / idle / active from the `UserConnected` metric (Tier 1). |
 | `recommend_running_mode` | Flags AlwaysOn desktops with low usage as AutoStop candidates, with an **estimated $/mo saving** where the bundle price can be matched (Tier 1). |
 | `get_workspace_performance` | Native CPU / memory / disk / GPU / latency / uptime metrics per desktop from `AWS/WorkSpaces` — no CloudWatch agent (Tier 0). |
@@ -89,7 +91,10 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 | `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped; note Cost Explorer bills WorkSpaces Personal/Pools/Core together as one "Amazon WorkSpaces" line (Tier 1). |
 | `generate_inventory_report` | Detailed per-resource inventory (desktops **with assigned user / computer name / IP**, pools, fleets, **stacks + their associated fleets**, portals) with key attributes (Tier 0). |
 | `audit_security_posture` | Cross-service: flags unencrypted WorkSpace volumes, directories without IP access control groups, and **Secure Browser portals / Applications stacks that allow data egress** (clipboard/download/print) (Tier 0). |
-| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
+| `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
+| `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
+| `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
+| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
 | `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |
 

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/README.md

@@ -40,7 +40,9 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 
 ## Status
 
-**Phase 1 (in progress)** — read-only inventory and troubleshooting tools:
+**Shipped** (published to PyPI + GHCR) — **21 read-only tools** (Tiers 0–1) plus opt-in **10 write**
+(Tier 2) and **3 destructive** (Tier 3) tools. The read-only inventory, troubleshooting, cost,
+audit, and governance tools:
 
 | Tool | Description |
 |------|-------------|
@@ -49,7 +51,7 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 | `diagnose_application_fleet` | A WorkSpaces Applications fleet's health and capacity — fleet state, fleet errors, compute capacity, auto-scaling activity, and insufficient-capacity errors. |
 | `diagnose_pool` | A WorkSpaces Pool's health — state, pool errors, user-session capacity, backing directory health, and session-utilization. |
 | `get_application_fleet_usage` | A WorkSpaces Applications fleet's **usage history** — AWS/AppStream capacity/utilization time-series over a window, with a plain-language summary (e.g. idle running capacity) (Tier 0). |
-| `check_directory_health` | Registration state and AWS Directory Service stage for one or all WorkSpaces-registered directories. |
+| `check_directory_health` | Registration state, AWS Directory Service stage, and **registration properties** (target **OU**, custom security group, local-admin / internet-access / maintenance-mode flags) for one or all WorkSpaces-registered directories. |
 | `analyze_workspace_utilization` | Classifies WorkSpaces Personal desktops as unused / idle / active from the `UserConnected` metric (Tier 1). |
 | `recommend_running_mode` | Flags AlwaysOn desktops with low usage as AutoStop candidates, with an **estimated $/mo saving** where the bundle price can be matched (Tier 1). |
 | `get_workspace_performance` | Native CPU / memory / disk / GPU / latency / uptime metrics per desktop from `AWS/WorkSpaces` — no CloudWatch agent (Tier 0). |
@@ -59,7 +61,10 @@ diagnosis, a right-sizing recommendation) instead of returning raw API output. S
 | `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped; note Cost Explorer bills WorkSpaces Personal/Pools/Core together as one "Amazon WorkSpaces" line (Tier 1). |
 | `generate_inventory_report` | Detailed per-resource inventory (desktops **with assigned user / computer name / IP**, pools, fleets, **stacks + their associated fleets**, portals) with key attributes (Tier 0). |
 | `audit_security_posture` | Cross-service: flags unencrypted WorkSpace volumes, directories without IP access control groups, and **Secure Browser portals / Applications stacks that allow data egress** (clipboard/download/print) (Tier 0). |
-| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
+| `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
+| `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
+| `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
+| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
 | `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |
 

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/iam/tier0-diagnostics.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -37,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },
@@ -60,7 +63,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     }

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/iam/tier1-cost.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -37,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },
@@ -60,7 +63,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/iam/tier2-lifecycle.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -37,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },
@@ -60,7 +63,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/iam/tier3-destructive.json

@@ -23,7 +23,9 @@
         "appstream:DescribeStacks",
         "appstream:ListAssociatedFleets",
         "appstream:ListAssociatedStacks",
-        "appstream:DescribeSessions"
+        "appstream:DescribeSessions",
+        "appstream:DescribeImages",
+        "appstream:DescribeImageBuilders"
       ],
       "Resource": "*"
     },
@@ -37,7 +39,8 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings"
       ],
       "Resource": "*"
     },
@@ -60,7 +63,10 @@
         "cloudwatch:GetMetricData",
         "cloudwatch:ListMetrics",
         "application-autoscaling:DescribeScalingActivities",
-        "ec2:DescribeInstances"
+        "ec2:DescribeInstances",
+        "cloudtrail:LookupEvents",
+        "servicequotas:ListServiceQuotas",
+        "servicequotas:GetServiceQuota"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "workspaces-euc-mcp-server"
-version = "0.1.4"
+version = "0.1.6"
 description = "MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core)."
 readme = "README.md"
 requires-python = ">=3.11"

{workspaces_euc_mcp_server-0.1.4 → workspaces_euc_mcp_server-0.1.6}/tests/test_diagnostics.py

@@ -161,6 +161,45 @@ def test_directory_health_skips_ds_for_workspaces_managed_directory():
     assert any("WorkSpaces-managed" in f.title for f in d.findings)
 
 
+def test_directory_health_surfaces_registration_ou_and_properties():
+    # The registration OU (WorkspaceCreationProperties.DefaultOu) and related properties must be
+    # exposed in the diagnosis signals.
+    workspaces = types.SimpleNamespace(
+        describe_workspace_directories=lambda **_: {
+            "Directories": [
+                {
+                    "DirectoryId": "d-0123456789",
+                    "State": "REGISTERED",
+                    "DirectoryType": "AD_CONNECTOR",
+                    "WorkspaceType": "PERSONAL",
+                    "WorkspaceCreationProperties": {
+                        "DefaultOu": "OU=AmazonWorkspaces,OU=Singapore,DC=bg,DC=local",
+                        "CustomSecurityGroupId": "sg-0abc",
+                        "UserEnabledAsLocalAdministrator": True,
+                        "EnableInternetAccess": False,
+                        "EnableMaintenanceMode": True,
+                    },
+                }
+            ]
+        },
+    )
+    ds = types.SimpleNamespace(
+        describe_directories=lambda **_: {
+            "DirectoryDescriptions": [{"DirectoryId": "d-0123456789", "Stage": "Active"}]
+        },
+    )
+    factory = FakeFactory({consts.WORKSPACES_API: workspaces, consts.DIRECTORY_API: ds})
+
+    report = diagnostics.check_directory_health_core(factory, "d-0123456789", "us-east-1")
+
+    sig = report.directories[0].signals
+    assert sig["default_ou"] == "OU=AmazonWorkspaces,OU=Singapore,DC=bg,DC=local"
+    assert sig["directory_type"] == "AD_CONNECTOR"
+    assert sig["custom_security_group_id"] == "sg-0abc"
+    assert sig["user_enabled_as_local_administrator"] is True
+    assert sig["enable_maintenance_mode"] is True
+
+
 def test_directory_health_flags_impaired_stage():
     workspaces = types.SimpleNamespace(
         describe_workspace_directories=lambda **_: {

workspaces_euc_mcp_server-0.1.6/tests/test_governance.py

@@ -0,0 +1,133 @@
+# Copyright bengroeneveldsg. Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
+"""Tests for the governance tools (audit trail + service quotas)."""
+
+from __future__ import annotations
+
+import json
+import types
+from datetime import UTC, datetime
+
+from workspaces_euc_mcp_server import consts
+from workspaces_euc_mcp_server.tools import governance
+
+
+class FakeFactory:
+    region = "ap-southeast-1"
+
+    def __init__(self, clients: dict[str, object]) -> None:
+        self._clients = clients
+
+    def client(self, service_name: str, region: str | None = None):
+        assert service_name in self._clients, f"unexpected client: {service_name}"
+        return self._clients[service_name]
+
+
+def _event(name, source, user, *, read_only=False, error=None, resource=None):
+    detail = {"sourceIPAddress": "203.0.113.5", "awsRegion": "ap-southeast-1"}
+    if error:
+        detail["errorCode"] = error
+    return {
+        "EventName": name,
+        "EventSource": source,
+        "Username": user,
+        "ReadOnly": read_only,
+        "EventTime": datetime(2026, 5, 30, 9, 0, tzinfo=UTC),
+        "Resources": [{"ResourceName": resource}] if resource else [],
+        "CloudTrailEvent": json.dumps(detail),
+    }
+
+
+def test_audit_trail_filters_euc_and_flags_destructive():
+    events = [
+        _event("TerminateWorkspaces", "workspaces.amazonaws.com", "admin", resource="ws-abc"),
+        _event("CreateFleet", "appstream.amazonaws.com", "ops"),
+        _event("RunInstances", "ec2.amazonaws.com", "someone"),  # non-EUC, must be dropped
+    ]
+    trail = types.SimpleNamespace(lookup_events=lambda **_: {"Events": events})
+    factory = FakeFactory({consts.CLOUDTRAIL_API: trail})
+
+    report = governance.get_euc_audit_trail_core(factory, "ap-southeast-1", lookback_days=7)
+
+    names = {e.event_name for e in report.events}
+    assert names == {"TerminateWorkspaces", "CreateFleet"}  # EC2 dropped
+    assert report.total_events == 2
+    assert any(
+        "Destructive" in f.issue and "TerminateWorkspaces" in f.issue for f in report.findings
+    )
+    # Service label resolved from the event source.
+    assert any(e.service == "Amazon WorkSpaces" for e in report.events)
+
+
+def test_audit_trail_flags_access_denied():
+    events = [_event("DeletePortal", "workspaces-web.amazonaws.com", "x", error="AccessDenied")]
+    trail = types.SimpleNamespace(lookup_events=lambda **_: {"Events": events})
+    factory = FakeFactory({consts.CLOUDTRAIL_API: trail})
+
+    report = governance.get_euc_audit_trail_core(factory, "ap-southeast-1")
+
+    assert any("AccessDenied" in f.issue and f.severity == "warning" for f in report.findings)
+
+
+def test_audit_trail_lookback_capped_at_90():
+    trail = types.SimpleNamespace(lookup_events=lambda **_: {"Events": []})
+    factory = FakeFactory({consts.CLOUDTRAIL_API: trail})
+    report = governance.get_euc_audit_trail_core(factory, "ap-southeast-1", lookback_days=365)
+    assert report.lookback_days == 90
+
+
+def test_service_quotas_computes_headroom_and_flags():
+    quotas = {
+        "Quotas": [
+            {
+                "QuotaName": "WorkSpaces",
+                "QuotaCode": "L-1",
+                "Value": 200.0,
+                "Adjustable": True,
+                "UsageMetric": {
+                    "MetricNamespace": "AWS/Usage",
+                    "MetricName": "ResourceCount",
+                    "MetricDimensions": {"Service": "WorkSpaces", "Resource": "WorkSpace"},
+                    "MetricStatisticRecommendation": "Maximum",
+                },
+            },
+            {
+                "QuotaName": "WorkSpaces Pools",
+                "QuotaCode": "L-2",
+                "Value": 10.0,
+                "Adjustable": False,
+                "UsageMetric": {
+                    "MetricNamespace": "AWS/Usage",
+                    "MetricName": "ResourceCount",
+                    "MetricDimensions": {"Service": "WorkSpaces", "Resource": "Pool"},
+                    "MetricStatisticRecommendation": "Maximum",
+                },
+            },
+            {"QuotaName": "Zero thing", "QuotaCode": "L-3", "Value": 0.0, "Adjustable": True},
+        ]
+    }
+    sq = types.SimpleNamespace(list_service_quotas=lambda **_: quotas)
+    # u0 -> WorkSpaces (14/200 = 7%), u1 -> Pools (9/10 = 90% -> flagged, not adjustable)
+    cw = types.SimpleNamespace(
+        get_metric_data=lambda **_: {
+            "MetricDataResults": [
+                {"Id": "u0", "Values": [14.0]},
+                {"Id": "u1", "Values": [9.0]},
+            ]
+        }
+    )
+    factory = FakeFactory({consts.SERVICE_QUOTAS_API: sq, consts.CLOUDWATCH_API: cw})
+
+    report = governance.get_euc_service_quotas_core(
+        factory, "ap-southeast-1", service="workspaces", approaching_pct=80.0
+    )
+
+    by_name = {q.quota_name: q for q in report.quotas}
+    assert "Zero thing" not in by_name  # zero-limit hidden by default
+    assert by_name["WorkSpaces"].utilization_pct == 7.0
+    assert by_name["WorkSpaces Pools"].utilization_pct == 90.0
+    # Only the Pools quota (90% >= 80) is flagged, and noted as non-adjustable.
+    assert len(report.findings) == 1
+    assert "WorkSpaces Pools" in report.findings[0].target
+    assert "NOT adjustable" in report.findings[0].issue

workspaces_euc_mcp_server-0.1.6/tests/test_images.py

@@ -0,0 +1,115 @@
+# Copyright bengroeneveldsg. Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
+"""Tests for the WorkSpaces Applications image-audit tool, using fake boto3 clients."""
+
+from __future__ import annotations
+
+import types
+from datetime import UTC, datetime, timedelta
+
+from workspaces_euc_mcp_server import consts
+from workspaces_euc_mcp_server.tools import images
+
+
+class FakeFactory:
+    region = "ap-southeast-1"
+
+    def __init__(self, client: object) -> None:
+        self._client = client
+
+    def client(self, service_name: str, region: str | None = None):
+        assert service_name == consts.APPSTREAM_API
+        return self._client
+
+
+def _appstream(images_by_type: dict[str, list[dict]], builders: list[dict]):
+    def describe_images(**kwargs):
+        return {"Images": images_by_type.get(kwargs.get("Type"), [])}
+
+    def describe_image_builders(**_):
+        return {"ImageBuilders": builders}
+
+    return types.SimpleNamespace(
+        describe_images=describe_images, describe_image_builders=describe_image_builders
+    )
+
+
+def test_audit_flags_stale_base_pinned_agent_and_running_builder():
+    old_base = datetime.now(UTC) - timedelta(days=400)
+    fresh_base = datetime.now(UTC) - timedelta(days=10)
+    client = _appstream(
+        {
+            "PRIVATE": [
+                {
+                    "Name": "StaleImage",
+                    "Visibility": "PRIVATE",
+                    "Platform": "WINDOWS_SERVER_2022",
+                    "State": "AVAILABLE",
+                    "AppstreamAgentVersion": "10-02-2025",  # pinned, not LATEST
+                    "Applications": [{"Name": "chrome", "Enabled": True}],
+                    "PublicBaseImageReleasedDate": old_base,
+                    "CreatedTime": old_base,
+                },
+                {
+                    "Name": "GoodImage",
+                    "Visibility": "PRIVATE",
+                    "Platform": "WINDOWS_SERVER_2022",
+                    "State": "AVAILABLE",
+                    "AppstreamAgentVersion": "LATEST",
+                    "Applications": [{"Name": "vscode", "Enabled": True}],
+                    "PublicBaseImageReleasedDate": fresh_base,
+                    "CreatedTime": fresh_base,
+                },
+            ],
+            "SHARED": [],
+        },
+        builders=[
+            {"Name": "Builder-Idle", "State": "STOPPED", "Platform": "WINDOWS_SERVER_2022"},
+            {"Name": "Builder-Live", "State": "RUNNING", "Platform": "WINDOWS_SERVER_2025"},
+        ],
+    )
+    report = images.audit_application_images_core(FakeFactory(client), "ap-southeast-1")
+
+    assert report.image_count == 2
+    assert report.image_builder_count == 2
+    assert report.running_image_builders == 1
+
+    issues = {(f.target, f.issue) for f in report.findings}
+    # Stale base + pinned agent on StaleImage; running builder flagged; GoodImage clean.
+    assert any(t == "StaleImage" and "base image released" in i for t, i in issues)
+    assert any(t == "StaleImage" and "pinned" in i for t, i in issues)
+    assert any(t == "Builder-Live" and "RUNNING" in i for t, i in issues)
+    assert not any(t == "GoodImage" for t, _ in issues)
+
+
+def test_audit_flags_shared_visibility_and_records_errors():
+    from botocore.exceptions import ClientError
+
+    def describe_images(**kwargs):
+        if kwargs.get("Type") == "SHARED":
+            return {
+                "Images": [
+                    {
+                        "Name": "SharedIn",
+                        "Visibility": "SHARED",
+                        "State": "AVAILABLE",
+                        "AppstreamAgentVersion": "LATEST",
+                    }
+                ]
+            }
+        return {"Images": []}
+
+    def describe_image_builders(**_):
+        raise ClientError(
+            {"Error": {"Code": "AccessDeniedException", "Message": "no"}},
+            "DescribeImageBuilders",
+        )
+
+    client = types.SimpleNamespace(
+        describe_images=describe_images, describe_image_builders=describe_image_builders
+    )
+    report = images.audit_application_images_core(FakeFactory(client), "ap-southeast-1")
+
+    assert any(f.target == "SharedIn" and "SHARED" in f.issue for f in report.findings)
+    assert any(e.operation == "DescribeImageBuilders" for e in report.errors)