workspaces-euc-mcp-server 0.1.5__tar.gz → 0.1.7__tar.gz

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.1.7] - 2026-06-02
+
+### Fixed
+- `get_secure_browser_portal_usage` now reports **current active sessions live via
+  `workspaces-web:ListSessions`** (the same source as the console's active-sessions view) instead
+  of inferring "active" from CloudWatch. CloudWatch (`AWS/WorkSpacesWeb`) is now used **only for
+  historic** metrics, and the summary clearly separates live vs historic. Adds
+  `workspaces-web:ListSessions` to every IAM tier. The tool now returns a `SecureBrowserPortalUsage`
+  result (`active_session_count`, `active_sessions`, `historic_metrics`).
+
+## [0.1.6] - 2026-06-02
+
+### Added
+- `check_directory_health` now surfaces each directory's **registration properties** in its
+  signals — notably the target **OU** (`WorkspaceCreationProperties.DefaultOu`), plus custom
+  security group, local-admin / internet-access / maintenance-mode flags, and directory/workspace
+  type. (AD-backed directories carry an OU; WorkSpaces-managed ones return none.)
+- `get_secure_browser_portal_details` now resolves the portal's **data-protection configuration**
+  when attached: the redacted built-in/custom inline-redaction patterns, global confidence level,
+  and enforced/exempt URLs — not just whether data protection is on. Adds
+  `workspaces-web:GetDataProtectionSettings` to every IAM tier.
+
 ## [0.1.5] - 2026-06-02
 
 ### Added

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/DESIGN.md

@@ -117,7 +117,7 @@ and return a synthesized result, not raw API passthroughs.
 | `diagnose_workspace_connectivity` | Correlate a Personal WorkSpace's state + connection status + directory health + CloudWatch into a root-cause narrative | `workspaces:Describe*`, `ds:DescribeDirectories`, `cloudwatch:GetMetricData` |
 | `diagnose_pool` | Why a Pool is unhealthy/queued — capacity status, sessions, errors, scaling | `workspaces:DescribeWorkspacesPool*`, `cloudwatch:GetMetricData` |
 | `diagnose_application_fleet` | Fleet state, capacity, scaling activity, fleet errors | `appstream:DescribeFleets`, `appstream:ListAssociatedStacks`, `cloudwatch:GetMetricData`, `application-autoscaling:DescribeScalingActivities` |
-| `check_directory_health` | Shared dependency: directory reachability/registration (skips `ds` for WorkSpaces-managed `wsd-` directories) | `ds:DescribeDirectories`, `workspaces:DescribeWorkspaceDirectories` |
+| `check_directory_health` | Shared dependency: directory reachability/registration + registration properties (target OU, security group, flags); skips `ds` for WorkSpaces-managed `wsd-` directories | `ds:DescribeDirectories`, `workspaces:DescribeWorkspaceDirectories` |
 
 **Cost, utilization & performance**
 | Tool | Purpose | IAM actions |
@@ -134,8 +134,8 @@ and return a synthesized result, not raw API passthroughs.
 **Secure Browser**
 | Tool | Purpose | IAM actions |
 |---|---|---|
-| `get_secure_browser_portal_details` | Portal config + associated settings (browser/network/user/IP-access) | `workspaces-web:GetPortal`, `workspaces-web:List*`, `workspaces-web:Get*Settings` |
-| `get_secure_browser_portal_usage` | Portal session/usage metrics | `workspaces-web:ListPortals`, `cloudwatch:GetMetricData` |
+| `get_secure_browser_portal_details` | Portal config + associated settings (browser/network/user/IP-access) + resolved data-protection redaction config | `workspaces-web:GetPortal`, `workspaces-web:List*`, `workspaces-web:Get*Settings`, `workspaces-web:GetDataProtectionSettings` |
+| `get_secure_browser_portal_usage` | Current active sessions (live, `ListSessions`) + historic CloudWatch metrics | `workspaces-web:ListPortals`, `workspaces-web:ListSessions`, `cloudwatch:GetMetricData` |
 
 **Reporting & audit**
 | Tool | Purpose | IAM actions |

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workspaces-euc-mcp-server
-Version: 0.1.5
+Version: 0.1.7
 Summary: MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core).
 Project-URL: Homepage, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
 Project-URL: Repository, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
@@ -81,7 +81,7 @@ audit, and governance tools:
 | `diagnose_application_fleet` | A WorkSpaces Applications fleet's health and capacity — fleet state, fleet errors, compute capacity, auto-scaling activity, and insufficient-capacity errors. |
 | `diagnose_pool` | A WorkSpaces Pool's health — state, pool errors, user-session capacity, backing directory health, and session-utilization. |
 | `get_application_fleet_usage` | A WorkSpaces Applications fleet's **usage history** — AWS/AppStream capacity/utilization time-series over a window, with a plain-language summary (e.g. idle running capacity) (Tier 0). |
-| `check_directory_health` | Registration state and AWS Directory Service stage for one or all WorkSpaces-registered directories. |
+| `check_directory_health` | Registration state, AWS Directory Service stage, and **registration properties** (target **OU**, custom security group, local-admin / internet-access / maintenance-mode flags) for one or all WorkSpaces-registered directories. |
 | `analyze_workspace_utilization` | Classifies WorkSpaces Personal desktops as unused / idle / active from the `UserConnected` metric (Tier 1). |
 | `recommend_running_mode` | Flags AlwaysOn desktops with low usage as AutoStop candidates, with an **estimated $/mo saving** where the bundle price can be matched (Tier 1). |
 | `get_workspace_performance` | Native CPU / memory / disk / GPU / latency / uptime metrics per desktop from `AWS/WorkSpaces` — no CloudWatch agent (Tier 0). |
@@ -94,8 +94,8 @@ audit, and governance tools:
 | `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
 | `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
 | `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
-| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
-| `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
+| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
+| `get_secure_browser_portal_usage` | A Secure Browser portal's **current active sessions** (live, via `ListSessions` — same as the console) plus **historic** `AWS/WorkSpacesWeb` metrics over a window (CloudWatch is historic-only; idle portals publish none) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |
 
 Cost/utilization tools need the **Tier 1** IAM policy ([`iam/tier1-cost.json`](iam/tier1-cost.json));

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/README.md

@@ -51,7 +51,7 @@ audit, and governance tools:
 | `diagnose_application_fleet` | A WorkSpaces Applications fleet's health and capacity — fleet state, fleet errors, compute capacity, auto-scaling activity, and insufficient-capacity errors. |
 | `diagnose_pool` | A WorkSpaces Pool's health — state, pool errors, user-session capacity, backing directory health, and session-utilization. |
 | `get_application_fleet_usage` | A WorkSpaces Applications fleet's **usage history** — AWS/AppStream capacity/utilization time-series over a window, with a plain-language summary (e.g. idle running capacity) (Tier 0). |
-| `check_directory_health` | Registration state and AWS Directory Service stage for one or all WorkSpaces-registered directories. |
+| `check_directory_health` | Registration state, AWS Directory Service stage, and **registration properties** (target **OU**, custom security group, local-admin / internet-access / maintenance-mode flags) for one or all WorkSpaces-registered directories. |
 | `analyze_workspace_utilization` | Classifies WorkSpaces Personal desktops as unused / idle / active from the `UserConnected` metric (Tier 1). |
 | `recommend_running_mode` | Flags AlwaysOn desktops with low usage as AutoStop candidates, with an **estimated $/mo saving** where the bundle price can be matched (Tier 1). |
 | `get_workspace_performance` | Native CPU / memory / disk / GPU / latency / uptime metrics per desktop from `AWS/WorkSpaces` — no CloudWatch agent (Tier 0). |
@@ -64,8 +64,8 @@ audit, and governance tools:
 | `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
 | `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
 | `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
-| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, and attached policies (Tier 0). |
-| `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
+| `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
+| `get_secure_browser_portal_usage` | A Secure Browser portal's **current active sessions** (live, via `ListSessions` — same as the console) plus **historic** `AWS/WorkSpacesWeb` metrics over a window (CloudWatch is historic-only; idle portals publish none) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |
 
 Cost/utilization tools need the **Tier 1** IAM policy ([`iam/tier1-cost.json`](iam/tier1-cost.json));

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/iam/tier0-diagnostics.json

@@ -39,7 +39,9 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/iam/tier1-cost.json

@@ -39,7 +39,9 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/iam/tier2-lifecycle.json

@@ -39,7 +39,9 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/iam/tier3-destructive.json

@@ -39,7 +39,9 @@
         "workspaces-web:ListUserSettings",
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
-        "workspaces-web:GetNetworkSettings"
+        "workspaces-web:GetNetworkSettings",
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "workspaces-euc-mcp-server"
-version = "0.1.5"
+version = "0.1.7"
 description = "MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core)."
 readme = "README.md"
 requires-python = ">=3.11"

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/tests/test_diagnostics.py

@@ -161,6 +161,45 @@ def test_directory_health_skips_ds_for_workspaces_managed_directory():
     assert any("WorkSpaces-managed" in f.title for f in d.findings)
 
 
+def test_directory_health_surfaces_registration_ou_and_properties():
+    # The registration OU (WorkspaceCreationProperties.DefaultOu) and related properties must be
+    # exposed in the diagnosis signals.
+    workspaces = types.SimpleNamespace(
+        describe_workspace_directories=lambda **_: {
+            "Directories": [
+                {
+                    "DirectoryId": "d-0123456789",
+                    "State": "REGISTERED",
+                    "DirectoryType": "AD_CONNECTOR",
+                    "WorkspaceType": "PERSONAL",
+                    "WorkspaceCreationProperties": {
+                        "DefaultOu": "OU=AmazonWorkspaces,OU=Singapore,DC=bg,DC=local",
+                        "CustomSecurityGroupId": "sg-0abc",
+                        "UserEnabledAsLocalAdministrator": True,
+                        "EnableInternetAccess": False,
+                        "EnableMaintenanceMode": True,
+                    },
+                }
+            ]
+        },
+    )
+    ds = types.SimpleNamespace(
+        describe_directories=lambda **_: {
+            "DirectoryDescriptions": [{"DirectoryId": "d-0123456789", "Stage": "Active"}]
+        },
+    )
+    factory = FakeFactory({consts.WORKSPACES_API: workspaces, consts.DIRECTORY_API: ds})
+
+    report = diagnostics.check_directory_health_core(factory, "d-0123456789", "us-east-1")
+
+    sig = report.directories[0].signals
+    assert sig["default_ou"] == "OU=AmazonWorkspaces,OU=Singapore,DC=bg,DC=local"
+    assert sig["directory_type"] == "AD_CONNECTOR"
+    assert sig["custom_security_group_id"] == "sg-0abc"
+    assert sig["user_enabled_as_local_administrator"] is True
+    assert sig["enable_maintenance_mode"] is True
+
+
 def test_directory_health_flags_impaired_stage():
     workspaces = types.SimpleNamespace(
         describe_workspace_directories=lambda **_: {

workspaces_euc_mcp_server-0.1.7/tests/test_secure_browser.py

@@ -0,0 +1,144 @@
+# Copyright bengroeneveldsg. Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
+"""Tests for the WorkSpaces Secure Browser tools."""
+
+from __future__ import annotations
+
+import types
+
+from workspaces_euc_mcp_server import consts
+from workspaces_euc_mcp_server.tools import secure_browser
+
+
+class FakeFactory:
+    region = "us-east-1"
+
+    def __init__(self, clients: dict[str, object]) -> None:
+        self._clients = clients
+
+    def client(self, service_name: str, region: str | None = None):
+        if service_name not in self._clients:
+            raise AssertionError(f"unexpected client requested: {service_name}")
+        return self._clients[service_name]
+
+
+def test_portal_details_resolves_settings():
+    web = types.SimpleNamespace(
+        get_portal=lambda **_: {
+            "portal": {
+                "portalArn": "arn:portal/1",
+                "displayName": "P1",
+                "authenticationType": "Standard",
+                "portalStatus": "Active",
+                "userSettingsArn": "arn:us/1",
+                "networkSettingsArn": "arn:ns/1",
+                "browserSettingsArn": "arn:bs/1",
+            }
+        },
+        get_user_settings=lambda **_: {
+            "userSettings": {
+                "copyAllowed": "Disabled",
+                "downloadAllowed": "Enabled",
+                "printAllowed": "Disabled",
+                "idleDisconnectTimeoutInMinutes": 15,
+                "associatedPortalArns": ["arn:portal/1"],  # should be dropped
+            }
+        },
+        get_network_settings=lambda **_: {
+            "networkSettings": {
+                "vpcId": "vpc-1",
+                "subnetIds": ["s-1"],
+                "securityGroupIds": ["sg-1"],
+            }
+        },
+    )
+    factory = FakeFactory({consts.SECURE_BROWSER_API: web})
+
+    d = secure_browser.get_secure_browser_portal_details_core(factory, "arn:portal/1", "us-east-1")
+
+    assert d.display_name == "P1"
+    assert d.user_settings["downloadAllowed"] == "Enabled"
+    assert "associatedPortalArns" not in d.user_settings  # bulky/identifying field dropped
+    assert d.network["vpcId"] == "vpc-1"
+    assert d.has_browser_policy is True
+    assert d.has_data_protection is False
+
+
+def test_portal_details_resolves_data_protection_config():
+    web = types.SimpleNamespace(
+        get_portal=lambda **_: {
+            "portal": {
+                "portalArn": "arn:portal/2",
+                "displayName": "Okta",
+                "dataProtectionSettingsArn": "arn:dp/1",
+            }
+        },
+        get_data_protection_settings=lambda **_: {
+            "dataProtectionSettings": {
+                "displayName": "ip-address-dp",
+                "inlineRedactionConfiguration": {
+                    "inlineRedactionPatterns": [
+                        {"builtInPatternId": "ipAddr"},
+                        {"builtInPatternId": "macAddr"},
+                        {
+                            "customPattern": {
+                                "patternName": "EmployeeId",
+                                "keywordRegex": "EMP-\\d+",
+                            }
+                        },
+                    ],
+                    "globalEnforcedUrls": ["*"],
+                    "globalConfidenceLevel": 2,
+                },
+            }
+        },
+    )
+    factory = FakeFactory({consts.SECURE_BROWSER_API: web})
+
+    d = secure_browser.get_secure_browser_portal_details_core(factory, "arn:portal/2", "us-east-1")
+
+    assert d.has_data_protection is True
+    dp = d.data_protection
+    assert dp["display_name"] == "ip-address-dp"
+    assert dp["redacted_pattern_count"] == 3
+    assert dp["builtin_patterns"] == ["ipAddr", "macAddr"]
+    assert dp["custom_patterns"][0]["name"] == "EmployeeId"
+    assert dp["global_confidence_level"] == 2
+    assert dp["global_enforced_urls"] == ["*"]
+
+
+def test_portal_usage_returns_live_active_sessions_and_historic():
+    # Active sessions must come LIVE from ListSessions (status=Active), not from CloudWatch.
+    captured = {}
+
+    def list_sessions(**kwargs):
+        captured.update(kwargs)
+        return {
+            "sessions": [
+                {"sessionId": "s-1", "username": "alice", "status": "Active"},
+                {"sessionId": "s-2", "username": "bob", "status": "Active"},
+            ]
+        }
+
+    web = types.SimpleNamespace(list_sessions=list_sessions)
+    cw = types.SimpleNamespace(get_metric_data=lambda **_: {"MetricDataResults": []})  # no historic
+    factory = FakeFactory({consts.SECURE_BROWSER_API: web, consts.CLOUDWATCH_API: cw})
+
+    usage = secure_browser.get_secure_browser_portal_usage_core(
+        factory, "arn:aws:workspaces-web:r:a:portal/abc123", "us-east-1"
+    )
+
+    # Queried ListSessions for the portal id with status=Active.
+    assert captured["portalId"] == "abc123"
+    assert captured["status"] == "Active"
+    # Live active sessions populated; CloudWatch reserved for (empty) historic.
+    assert usage.active_session_count == 2
+    assert {s.username for s in usage.active_sessions} == {"alice", "bob"}
+    assert usage.historic_metrics == {}
+    assert "active session(s) right now" in (usage.summary or "")
+
+
+def test_portal_id_extracted_from_arn():
+    assert secure_browser._portal_id("arn:aws:workspaces-web:r:a:portal/abc123") == "abc123"
+    assert secure_browser._portal_id("abc123") == "abc123"

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/workspaces_euc_mcp_server/__init__.py

@@ -3,4 +3,4 @@
 # A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
 """MCP server for administering the Amazon WorkSpaces End User Computing portfolio."""
 
-__version__ = "0.1.5"
+__version__ = "0.1.7"

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/workspaces_euc_mcp_server/models.py

@@ -156,6 +156,42 @@ class SecureBrowserPortalDetails(BaseModel):
     network: dict[str, object] = Field(default_factory=dict)
     has_browser_policy: bool = False
     has_data_protection: bool = False
+    data_protection: dict[str, object] = Field(
+        default_factory=dict,
+        description=(
+            "Resolved inline-redaction configuration when data protection is attached: redacted "
+            "patterns (built-in + custom), global confidence level, and enforced/exempt URLs."
+        ),
+    )
+    errors: list[ServiceError] = Field(default_factory=list)
+
+
+class SecureBrowserSession(BaseModel):
+    """A single Secure Browser portal session (from ListSessions)."""
+
+    session_id: str
+    username: str | None = None
+    status: str | None = None
+    start_time: str | None = None
+
+
+class SecureBrowserPortalUsage(BaseModel):
+    """Live active sessions (ListSessions) plus historic metrics (CloudWatch) for a portal."""
+
+    portal: str
+    active_session_count: int = 0
+    active_sessions: list[SecureBrowserSession] = Field(
+        default_factory=list,
+        description="Sessions currently Active, retrieved live from ListSessions (like the "
+        "console).",
+    )
+    lookback_days: int
+    period_hours: int
+    historic_metrics: dict[str, FleetMetricSeries] = Field(
+        default_factory=dict,
+        description="Historic session metrics from CloudWatch (AWS/WorkSpacesWeb) over the window.",
+    )
+    summary: str | None = None
     errors: list[ServiceError] = Field(default_factory=list)
 
 

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/workspaces_euc_mcp_server/tools/diagnostics.py

@@ -279,9 +279,22 @@ def _diagnose_directory_into(
     )
     dirs = (reg or {}).get("Directories", [])
     if dirs:
-        reg_state = dirs[0].get("State", "UNKNOWN")
+        d0 = dirs[0]
+        reg_state = d0.get("State", "UNKNOWN")
         if signals is not None:
             signals[f"{signals_prefix}registration_state"] = reg_state
+            signals[f"{signals_prefix}directory_type"] = d0.get("DirectoryType")
+            signals[f"{signals_prefix}workspace_type"] = d0.get("WorkspaceType")
+            # Registration-level WorkspaceCreationProperties — notably the target OU. Only AD-backed
+            # directories carry a DefaultOu; WorkSpaces-managed (Entra/internal) ones return None.
+            wcp = d0.get("WorkspaceCreationProperties") or {}
+            signals[f"{signals_prefix}default_ou"] = wcp.get("DefaultOu")
+            signals[f"{signals_prefix}custom_security_group_id"] = wcp.get("CustomSecurityGroupId")
+            signals[f"{signals_prefix}user_enabled_as_local_administrator"] = wcp.get(
+                "UserEnabledAsLocalAdministrator"
+            )
+            signals[f"{signals_prefix}enable_internet_access"] = wcp.get("EnableInternetAccess")
+            signals[f"{signals_prefix}enable_maintenance_mode"] = wcp.get("EnableMaintenanceMode")
         if reg_state != "REGISTERED":
             findings.append(
                 Finding(

{workspaces_euc_mcp_server-0.1.5 → workspaces_euc_mcp_server-0.1.7}/workspaces_euc_mcp_server/tools/secure_browser.py

@@ -18,8 +18,13 @@ from typing import Any
 
 from .. import consts
 from ..clients import ClientFactory
-from ..models import SecureBrowserPortalDetails, ServiceError, UsageHistory
-from ._common import read_only, try_call
+from ..models import (
+    SecureBrowserPortalDetails,
+    SecureBrowserPortalUsage,
+    SecureBrowserSession,
+    ServiceError,
+)
+from ._common import paginate, read_only, try_call
 from .performance import _fetch_metric_series
 
 
@@ -78,6 +83,19 @@ def get_secure_browser_portal_details_core(
             if key in (ns or {}):
                 network[key] = ns[key]
 
+    data_protection: dict[str, object] = {}
+    if portal.get("dataProtectionSettingsArn"):
+        dps = try_call(
+            errors,
+            consts.PRODUCT_SECURE_BROWSER,
+            "GetDataProtectionSettings",
+            lambda: web.get_data_protection_settings(
+                dataProtectionSettingsArn=portal["dataProtectionSettingsArn"]
+            ).get("dataProtectionSettings", {}),
+            default={},
+        )
+        data_protection = _summarize_data_protection(dps or {})
+
     return SecureBrowserPortalDetails(
         portal_arn=portal_arn,
         display_name=portal.get("displayName"),
@@ -87,23 +105,93 @@ def get_secure_browser_portal_details_core(
         network=network,
         has_browser_policy=bool(portal.get("browserSettingsArn")),
         has_data_protection=bool(portal.get("dataProtectionSettingsArn")),
+        data_protection=data_protection,
         errors=errors,
     )
 
 
+def _summarize_data_protection(dps: dict[str, Any]) -> dict[str, Any]:
+    """Reduce a data-protection settings object to the policy-relevant redaction configuration."""
+    inline: dict[str, Any] = dps.get("inlineRedactionConfiguration") or {}
+    patterns: list[dict[str, Any]] = inline.get("inlineRedactionPatterns") or []
+    builtin: list[str] = []
+    custom: list[dict[str, Any]] = []
+    for p in patterns:
+        if p.get("builtInPatternId"):
+            builtin.append(p["builtInPatternId"])
+        elif p.get("customPattern"):
+            cp = p["customPattern"]
+            custom.append(
+                {
+                    "name": cp.get("patternName"),
+                    "description": cp.get("patternDescription"),
+                    "keyword_regex": cp.get("keywordRegex"),
+                }
+            )
+    return {
+        "display_name": dps.get("displayName"),
+        "redacted_pattern_count": len(patterns),
+        "builtin_patterns": builtin,
+        "custom_patterns": custom,
+        "global_confidence_level": inline.get("globalConfidenceLevel"),
+        "global_enforced_urls": inline.get("globalEnforcedUrls"),
+        "global_exempt_urls": inline.get("globalExemptUrls"),
+    }
+
+
 def _portal_id(portal: str) -> str:
     """Accept a portal ARN or id; the CloudWatch dimension uses the id (last ARN segment)."""
     return portal.rsplit("/", 1)[-1] if "/" in portal else portal
 
 
+def _list_active_sessions(
+    web: Any, portal_id: str, errors: list[ServiceError]
+) -> list[SecureBrowserSession]:
+    """Current Active sessions for a portal, live from ListSessions (what the console shows)."""
+    raw = try_call(
+        errors,
+        consts.PRODUCT_SECURE_BROWSER,
+        "ListSessions",
+        lambda: paginate(
+            web.list_sessions,
+            "sessions",
+            pagination_in="nextToken",
+            pagination_out="nextToken",
+            portalId=portal_id,
+            status="Active",
+        ),
+        default=[],
+    )
+    sessions: list[SecureBrowserSession] = []
+    for s in raw or []:
+        start = s.get("startTime")
+        sessions.append(
+            SecureBrowserSession(
+                session_id=s.get("sessionId", ""),
+                username=s.get("username"),
+                status=s.get("status"),
+                start_time=start.isoformat() if hasattr(start, "isoformat") else None,
+            )
+        )
+    return sessions
+
+
 def get_secure_browser_portal_usage_core(
     factory: ClientFactory,
     portal: str,
     region: str | None,
     lookback_days: int = 7,
     period_hours: int = 24,
-) -> UsageHistory:
+) -> SecureBrowserPortalUsage:
     errors: list[ServiceError] = []
+    portal_id = _portal_id(portal)
+    web = factory.client(consts.SECURE_BROWSER_API, region=region)
+
+    # LIVE: current active sessions come from ListSessions (the real-time source the console uses),
+    # NOT from CloudWatch.
+    active = _list_active_sessions(web, portal_id, errors)
+
+    # HISTORIC: CloudWatch (AWS/WorkSpacesWeb) over the window — only meaningful for past activity.
     cloudwatch = factory.client(consts.CLOUDWATCH_API, region=region)
     metrics = try_call(
         errors,
@@ -113,26 +201,30 @@ def get_secure_browser_portal_usage_core(
             cloudwatch,
             consts.SECURE_BROWSER_NAMESPACE,
             consts.SECURE_BROWSER_PORTAL_DIMENSION,
-            _portal_id(portal),
+            portal_id,
             consts.SECURE_BROWSER_SESSION_METRICS,
             lookback_days,
             period_hours,
         ),
         default={},
     )
+
+    hist = (
+        f"historic metrics over {lookback_days}d available (see historic_metrics)"
+        if metrics
+        else f"no historic session metrics in the last {lookback_days}d (idle portals publish "
+        "none to CloudWatch; enable the portal's Session Logger for detail)"
+    )
     summary = (
-        "No session metrics in the window. Secure Browser only emits CloudWatch metrics when "
-        "sessions occur (idle portals publish nothing); for detailed usage enable the portal's "
-        "Session Logger."
-        if not metrics
-        else f"Session metrics over {lookback_days}d: see series."
+        f"{len(active)} active session(s) right now (live via ListSessions). Historic: {hist}."
     )
-    return UsageHistory(
-        target_type=consts.PRODUCT_SECURE_BROWSER,
-        target_id=portal,
+    return SecureBrowserPortalUsage(
+        portal=portal,
+        active_session_count=len(active),
+        active_sessions=active,
         lookback_days=lookback_days,
         period_hours=period_hours,
-        metrics=metrics or {},
+        historic_metrics=metrics or {},
         summary=summary,
         errors=errors,
     )
@@ -147,8 +239,10 @@ def register(mcp: Any, factory: ClientFactory) -> None:
         """Resolve a WorkSpaces Secure Browser portal's settings (security-relevant).
 
         Returns the portal's user settings (clipboard copy/paste, file download/upload, print
-        controls + timeouts), network (VPC/subnets/security groups), and whether a browser policy
-        and data-protection settings are attached. Read-only.
+        controls + timeouts), network (VPC/subnets/security groups), whether a browser policy is
+        attached, and — when data protection is configured — the resolved inline-redaction config
+        (which built-in/custom patterns are redacted, global confidence, enforced/exempt URLs).
+        Read-only.
 
         Args:
             portal_arn: The portal ARN (from get_euc_inventory_summary / generate_inventory_report).
@@ -165,10 +259,12 @@ def register(mcp: Any, factory: ClientFactory) -> None:
         lookback_days: int = 7,
         period_hours: int = 24,
     ) -> dict[str, Any]:
-        """Get a Secure Browser portal's session metrics (AWS/WorkSpacesWeb) over a window.
+        """Get a Secure Browser portal's CURRENT active sessions plus historic session metrics.
 
-        NOTE: Secure Browser only emits these metrics when sessions occur, so idle portals return
-        nothing; richer per-session data is available via the portal's Session Logger. Read-only.
+        Active sessions are retrieved **live** from ListSessions (the same source as the console's
+        active-sessions view). Historic usage comes from CloudWatch (AWS/WorkSpacesWeb) over the
+        window — CloudWatch is only meaningful for *past* activity, and idle portals publish none.
+        Read-only.
 
         Args:
             portal: The portal id or ARN.

workspaces_euc_mcp_server-0.1.5/tests/test_secure_browser.py

@@ -1,85 +0,0 @@
-# Copyright bengroeneveldsg. Licensed under the Apache License, Version 2.0 (the "License").
-# You may not use this file except in compliance with the License.
-# A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
-"""Tests for the WorkSpaces Secure Browser tools."""
-
-from __future__ import annotations
-
-import types
-
-from workspaces_euc_mcp_server import consts
-from workspaces_euc_mcp_server.tools import secure_browser
-
-
-class FakeFactory:
-    region = "us-east-1"
-
-    def __init__(self, clients: dict[str, object]) -> None:
-        self._clients = clients
-
-    def client(self, service_name: str, region: str | None = None):
-        if service_name not in self._clients:
-            raise AssertionError(f"unexpected client requested: {service_name}")
-        return self._clients[service_name]
-
-
-def test_portal_details_resolves_settings():
-    web = types.SimpleNamespace(
-        get_portal=lambda **_: {
-            "portal": {
-                "portalArn": "arn:portal/1",
-                "displayName": "P1",
-                "authenticationType": "Standard",
-                "portalStatus": "Active",
-                "userSettingsArn": "arn:us/1",
-                "networkSettingsArn": "arn:ns/1",
-                "browserSettingsArn": "arn:bs/1",
-            }
-        },
-        get_user_settings=lambda **_: {
-            "userSettings": {
-                "copyAllowed": "Disabled",
-                "downloadAllowed": "Enabled",
-                "printAllowed": "Disabled",
-                "idleDisconnectTimeoutInMinutes": 15,
-                "associatedPortalArns": ["arn:portal/1"],  # should be dropped
-            }
-        },
-        get_network_settings=lambda **_: {
-            "networkSettings": {
-                "vpcId": "vpc-1",
-                "subnetIds": ["s-1"],
-                "securityGroupIds": ["sg-1"],
-            }
-        },
-    )
-    factory = FakeFactory({consts.SECURE_BROWSER_API: web})
-
-    d = secure_browser.get_secure_browser_portal_details_core(factory, "arn:portal/1", "us-east-1")
-
-    assert d.display_name == "P1"
-    assert d.user_settings["downloadAllowed"] == "Enabled"
-    assert "associatedPortalArns" not in d.user_settings  # bulky/identifying field dropped
-    assert d.network["vpcId"] == "vpc-1"
-    assert d.has_browser_policy is True
-    assert d.has_data_protection is False
-
-
-def test_portal_usage_empty_explains_session_model():
-    cw = types.SimpleNamespace(
-        get_metric_data=lambda **_: {"MetricDataResults": []}  # no data
-    )
-    factory = FakeFactory({consts.CLOUDWATCH_API: cw})
-
-    usage = secure_browser.get_secure_browser_portal_usage_core(
-        factory, "arn:aws:workspaces-web:r:a:portal/abc123", "us-east-1"
-    )
-
-    assert usage.target_type == consts.PRODUCT_SECURE_BROWSER
-    assert usage.target_id.endswith("portal/abc123")
-    assert "Session Logger" in (usage.summary or "")
-
-
-def test_portal_id_extracted_from_arn():
-    assert secure_browser._portal_id("arn:aws:workspaces-web:r:a:portal/abc123") == "abc123"
-    assert secure_browser._portal_id("abc123") == "abc123"