PyPI - workspaces-euc-mcp-server - Versions diffs - 0.1.6__tar.gz → 0.1.7__tar.gz - Mend

workspaces-euc-mcp-server 0.1.6tar.gz → 0.1.7tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/CHANGELOG.md RENAMED Viewed

@@ -5,6 +5,16 @@ All notable changes to this project are documented here. The format is based on
 ## [Unreleased]
+## [0.1.7] - 2026-06-02
+### Fixed
+- `get_secure_browser_portal_usage` now reports **current active sessions live via
+  `workspaces-web:ListSessions`** (the same source as the console's active-sessions view) instead
+  of inferring "active" from CloudWatch. CloudWatch (`AWS/WorkSpacesWeb`) is now used **only for
+  historic** metrics, and the summary clearly separates live vs historic. Adds
+  `workspaces-web:ListSessions` to every IAM tier. The tool now returns a `SecureBrowserPortalUsage`
+  result (`active_session_count`, `active_sessions`, `historic_metrics`).
 ## [0.1.6] - 2026-06-02
 ### Added

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/DESIGN.md RENAMED Viewed

@@ -135,7 +135,7 @@ and return a synthesized result, not raw API passthroughs.
 | Tool | Purpose | IAM actions |
 |---|---|---|
 | `get_secure_browser_portal_details` | Portal config + associated settings (browser/network/user/IP-access) + resolved data-protection redaction config | `workspaces-web:GetPortal`, `workspaces-web:List*`, `workspaces-web:Get*Settings`, `workspaces-web:GetDataProtectionSettings` |
-| `get_secure_browser_portal_usage` | Portal session/usage metrics | `workspaces-web:ListPortals`, `cloudwatch:GetMetricData` |
+| `get_secure_browser_portal_usage` | Current active sessions (live, `ListSessions`) + historic CloudWatch metrics | `workspaces-web:ListPortals`, `workspaces-web:ListSessions`, `cloudwatch:GetMetricData` |
 **Reporting & audit**
 | Tool | Purpose | IAM actions |

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workspaces-euc-mcp-server
-Version: 0.1.6
+Version: 0.1.7
 Summary: MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core).
 Project-URL: Homepage, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
 Project-URL: Repository, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
@@ -95,7 +95,7 @@ audit, and governance tools:
 | `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
 | `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
 | `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
-| `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
+| `get_secure_browser_portal_usage` | A Secure Browser portal's **current active sessions** (live, via `ListSessions` — same as the console) plus **historic** `AWS/WorkSpacesWeb` metrics over a window (CloudWatch is historic-only; idle portals publish none) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |
 Cost/utilization tools need the **Tier 1** IAM policy ([`iam/tier1-cost.json`](iam/tier1-cost.json));

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/README.md RENAMED Viewed

@@ -65,7 +65,7 @@ audit, and governance tools:
 | `get_euc_audit_trail` | **"Who changed what"** — recent EUC management events from CloudTrail (last 90 days, no trail required) across all services; mutations-only by default, flags destructive actions and errors (e.g. AccessDenied) (Tier 0). |
 | `get_euc_service_quotas` | **Service-quota limits + usage headroom** per EUC service; pairs limits with current usage (where AWS publishes a usage metric) to flag quotas approaching their limit — capacity planning (Tier 0). |
 | `get_secure_browser_portal_details` | Resolves a Secure Browser portal's user settings (clipboard/print/download controls + timeouts), network, attached policies, and — when configured — the **data-protection redaction config** (which built-in/custom patterns are redacted, confidence level, enforced/exempt URLs) (Tier 0). |
-| `get_secure_browser_portal_usage` | A Secure Browser portal's `AWS/WorkSpacesWeb` session metrics over a window (empty until the portal has sessions; Session Logger gives detail) (Tier 0). |
+| `get_secure_browser_portal_usage` | A Secure Browser portal's **current active sessions** (live, via `ListSessions` — same as the console) plus **historic** `AWS/WorkSpacesWeb` metrics over a window (CloudWatch is historic-only; idle portals publish none) (Tier 0). |
 | `list_unused_resources` | Unused WorkSpaces desktops and stopped/zero-capacity fleets worth reclaiming (Tier 0). |
 Cost/utilization tools need the **Tier 1** IAM policy ([`iam/tier1-cost.json`](iam/tier1-cost.json));

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/iam/tier0-diagnostics.json RENAMED Viewed

@@ -40,7 +40,8 @@
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
         "workspaces-web:GetNetworkSettings",
-        "workspaces-web:GetDataProtectionSettings"
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/iam/tier1-cost.json RENAMED Viewed

@@ -40,7 +40,8 @@
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
         "workspaces-web:GetNetworkSettings",
-        "workspaces-web:GetDataProtectionSettings"
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/iam/tier2-lifecycle.json RENAMED Viewed

@@ -40,7 +40,8 @@
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
         "workspaces-web:GetNetworkSettings",
-        "workspaces-web:GetDataProtectionSettings"
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/iam/tier3-destructive.json RENAMED Viewed

@@ -40,7 +40,8 @@
         "workspaces-web:ListNetworkSettings",
         "workspaces-web:GetUserSettings",
         "workspaces-web:GetNetworkSettings",
-        "workspaces-web:GetDataProtectionSettings"
+        "workspaces-web:GetDataProtectionSettings",
+        "workspaces-web:ListSessions"
       ],
       "Resource": "*"
     },

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "workspaces-euc-mcp-server"
-version = "0.1.6"
+version = "0.1.7"
 description = "MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core)."
 readme = "README.md"
 requires-python = ">=3.11"

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/tests/test_secure_browser.py RENAMED Viewed

@@ -108,19 +108,35 @@ def test_portal_details_resolves_data_protection_config():
     assert dp["global_enforced_urls"] == ["*"]
-def test_portal_usage_empty_explains_session_model():
-    cw = types.SimpleNamespace(
-        get_metric_data=lambda **_: {"MetricDataResults": []}  # no data
-    )
-    factory = FakeFactory({consts.CLOUDWATCH_API: cw})
+def test_portal_usage_returns_live_active_sessions_and_historic():
+    # Active sessions must come LIVE from ListSessions (status=Active), not from CloudWatch.
+    captured = {}
+    def list_sessions(**kwargs):
+        captured.update(kwargs)
+        return {
+            "sessions": [
+                {"sessionId": "s-1", "username": "alice", "status": "Active"},
+                {"sessionId": "s-2", "username": "bob", "status": "Active"},
+            ]
+        }
+    web = types.SimpleNamespace(list_sessions=list_sessions)
+    cw = types.SimpleNamespace(get_metric_data=lambda **_: {"MetricDataResults": []})  # no historic
+    factory = FakeFactory({consts.SECURE_BROWSER_API: web, consts.CLOUDWATCH_API: cw})
     usage = secure_browser.get_secure_browser_portal_usage_core(
         factory, "arn:aws:workspaces-web:r:a:portal/abc123", "us-east-1"
     )
-    assert usage.target_type == consts.PRODUCT_SECURE_BROWSER
-    assert usage.target_id.endswith("portal/abc123")
-    assert "Session Logger" in (usage.summary or "")
+    # Queried ListSessions for the portal id with status=Active.
+    assert captured["portalId"] == "abc123"
+    assert captured["status"] == "Active"
+    # Live active sessions populated; CloudWatch reserved for (empty) historic.
+    assert usage.active_session_count == 2
+    assert {s.username for s in usage.active_sessions} == {"alice", "bob"}
+    assert usage.historic_metrics == {}
+    assert "active session(s) right now" in (usage.summary or "")
 def test_portal_id_extracted_from_arn():

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/workspaces_euc_mcp_server/__init__.py RENAMED Viewed

@@ -3,4 +3,4 @@
 # A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
 """MCP server for administering the Amazon WorkSpaces End User Computing portfolio."""
-__version__ = "0.1.6"
+__version__ = "0.1.7"

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/workspaces_euc_mcp_server/models.py RENAMED Viewed

@@ -166,6 +166,35 @@ class SecureBrowserPortalDetails(BaseModel):
     errors: list[ServiceError] = Field(default_factory=list)
+class SecureBrowserSession(BaseModel):
+    """A single Secure Browser portal session (from ListSessions)."""
+    session_id: str
+    username: str | None = None
+    status: str | None = None
+    start_time: str | None = None
+class SecureBrowserPortalUsage(BaseModel):
+    """Live active sessions (ListSessions) plus historic metrics (CloudWatch) for a portal."""
+    portal: str
+    active_session_count: int = 0
+    active_sessions: list[SecureBrowserSession] = Field(
+        default_factory=list,
+        description="Sessions currently Active, retrieved live from ListSessions (like the "
+        "console).",
+    )
+    lookback_days: int
+    period_hours: int
+    historic_metrics: dict[str, FleetMetricSeries] = Field(
+        default_factory=dict,
+        description="Historic session metrics from CloudWatch (AWS/WorkSpacesWeb) over the window.",
+    )
+    summary: str | None = None
+    errors: list[ServiceError] = Field(default_factory=list)
 class UsageHistory(BaseModel):
     """Generic metric time-series history for a single EUC resource over a window."""

{workspaces_euc_mcp_server-0.1.6 → workspaces_euc_mcp_server-0.1.7}/workspaces_euc_mcp_server/tools/secure_browser.py RENAMED Viewed

@@ -18,8 +18,13 @@ from typing import Any
 from .. import consts
 from ..clients import ClientFactory
-from ..models import SecureBrowserPortalDetails, ServiceError, UsageHistory
-from ._common import read_only, try_call
+from ..models import (
+    SecureBrowserPortalDetails,
+    SecureBrowserPortalUsage,
+    SecureBrowserSession,
+    ServiceError,
+)
+from ._common import paginate, read_only, try_call
 from .performance import _fetch_metric_series
@@ -139,14 +144,54 @@ def _portal_id(portal: str) -> str:
     return portal.rsplit("/", 1)[-1] if "/" in portal else portal
+def _list_active_sessions(
+    web: Any, portal_id: str, errors: list[ServiceError]
+) -> list[SecureBrowserSession]:
+    """Current Active sessions for a portal, live from ListSessions (what the console shows)."""
+    raw = try_call(
+        errors,
+        consts.PRODUCT_SECURE_BROWSER,
+        "ListSessions",
+        lambda: paginate(
+            web.list_sessions,
+            "sessions",
+            pagination_in="nextToken",
+            pagination_out="nextToken",
+            portalId=portal_id,
+            status="Active",
+        ),
+        default=[],
+    )
+    sessions: list[SecureBrowserSession] = []
+    for s in raw or []:
+        start = s.get("startTime")
+        sessions.append(
+            SecureBrowserSession(
+                session_id=s.get("sessionId", ""),
+                username=s.get("username"),
+                status=s.get("status"),
+                start_time=start.isoformat() if hasattr(start, "isoformat") else None,
+            )
+        )
+    return sessions
 def get_secure_browser_portal_usage_core(
     factory: ClientFactory,
     portal: str,
     region: str | None,
     lookback_days: int = 7,
     period_hours: int = 24,
-) -> UsageHistory:
+) -> SecureBrowserPortalUsage:
     errors: list[ServiceError] = []
+    portal_id = _portal_id(portal)
+    web = factory.client(consts.SECURE_BROWSER_API, region=region)
+    # LIVE: current active sessions come from ListSessions (the real-time source the console uses),
+    # NOT from CloudWatch.
+    active = _list_active_sessions(web, portal_id, errors)
+    # HISTORIC: CloudWatch (AWS/WorkSpacesWeb) over the window — only meaningful for past activity.
     cloudwatch = factory.client(consts.CLOUDWATCH_API, region=region)
     metrics = try_call(
         errors,
@@ -156,26 +201,30 @@ def get_secure_browser_portal_usage_core(
             cloudwatch,
             consts.SECURE_BROWSER_NAMESPACE,
             consts.SECURE_BROWSER_PORTAL_DIMENSION,
-            _portal_id(portal),
+            portal_id,
             consts.SECURE_BROWSER_SESSION_METRICS,
             lookback_days,
             period_hours,
         ),
         default={},
     )
+    hist = (
+        f"historic metrics over {lookback_days}d available (see historic_metrics)"
+        if metrics
+        else f"no historic session metrics in the last {lookback_days}d (idle portals publish "
+        "none to CloudWatch; enable the portal's Session Logger for detail)"
+    )
     summary = (
-        "No session metrics in the window. Secure Browser only emits CloudWatch metrics when "
-        "sessions occur (idle portals publish nothing); for detailed usage enable the portal's "
-        "Session Logger."
-        if not metrics
-        else f"Session metrics over {lookback_days}d: see series."
+        f"{len(active)} active session(s) right now (live via ListSessions). Historic: {hist}."
     )
-    return UsageHistory(
-        target_type=consts.PRODUCT_SECURE_BROWSER,
-        target_id=portal,
+    return SecureBrowserPortalUsage(
+        portal=portal,
+        active_session_count=len(active),
+        active_sessions=active,
         lookback_days=lookback_days,
         period_hours=period_hours,
-        metrics=metrics or {},
+        historic_metrics=metrics or {},
         summary=summary,
         errors=errors,
     )
@@ -210,10 +259,12 @@ def register(mcp: Any, factory: ClientFactory) -> None:
         lookback_days: int = 7,
         period_hours: int = 24,
     ) -> dict[str, Any]:
-        """Get a Secure Browser portal's session metrics (AWS/WorkSpacesWeb) over a window.
+        """Get a Secure Browser portal's CURRENT active sessions plus historic session metrics.
-        NOTE: Secure Browser only emits these metrics when sessions occur, so idle portals return
-        nothing; richer per-session data is available via the portal's Session Logger. Read-only.
+        Active sessions are retrieved **live** from ListSessions (the same source as the console's
+        active-sessions view). Historic usage comes from CloudWatch (AWS/WorkSpacesWeb) over the
+        window — CloudWatch is only meaningful for *past* activity, and idle portals publish none.
+        Read-only.
         Args:
             portal: The portal id or ARN.