workspaces-euc-mcp-server 0.1.8__tar.gz → 0.1.10__tar.gz

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.1.10] - 2026-06-03
+
+### Added
+- `get_euc_cost_summary` now returns **`workspaces_breakdown`** — the single "Amazon WorkSpaces"
+  Cost Explorer line split into **Personal / Pools / Core** via `USAGE_TYPE` (which the SERVICE
+  dimension cannot do; pool charges carry `Pools`, Core carries `ManagedInstances`, the rest is
+  Personal). This answers "is this WorkSpaces figure Personal-only or does it include Pools/Core?".
+  Controlled by `split_workspaces` (default true). A note also explains that AlwaysOn monthly bundle
+  charges post on the 1st, so day-1 of a DAILY series spikes legitimately.
+
+## [0.1.9] - 2026-06-03
+
+### Changed
+- **SSO auto-login is now ON by default** (previously opt-in via `--sso-auto-login`). When an AWS
+  call fails with an expired SSO token, the server automatically runs `aws sso login` (opens the
+  browser) and reports in the result that the token expired and that sign-in was launched — no flag
+  needed. Disable with **`--no-sso-auto-login`** or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0` (e.g.
+  headless/CI). The browser approval is still required and credentials are still never stored.
+
 ## [0.1.8] - 2026-06-03
 
 ### Added

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/DESIGN.md

@@ -94,10 +94,12 @@
 - `--enable-writes`: registers Phase-2 lifecycle tools (still dry-run/confirm gated).
 - `--enable-destructive`: separately gates terminate/rebuild/restore.
 - `--max-bulk-targets N`: blast-radius cap for any bulk mutation.
-- `--sso-auto-login` (default **off**): on an expired-SSO-token error, launch `aws sso login`
-  (opens the browser) so the user needn't use a terminal. Opt-in; never stores credentials — it
-  only invokes the AWS CLI, which writes the standard token cache. Debounced so a burst of failing
-  calls opens the browser once.
+- `--sso-auto-login` / `--no-sso-auto-login` (default **on**): on an expired-SSO-token error,
+  launch `aws sso login` (opens the browser) so the user needn't use a terminal, and report in the
+  result that the token expired and sign-in was launched. Never stores credentials — it only
+  invokes the AWS CLI, which writes the standard token cache. Debounced so a burst of failing calls
+  opens the browser once. Disable with `--no-sso-auto-login` / `WORKSPACES_EUC_SSO_AUTO_LOGIN=0`
+  for headless/CI.
 - `AWS_REGION` / `AWS_PROFILE`: standard.
 
 ## 5. Tool inventory
@@ -134,7 +136,7 @@ and return a synthesized result, not raw API passthroughs.
 | `get_workspace_connection_history` | Per-WorkSpace connection timeline | `workspaces:DescribeWorkspaces*`, `cloudwatch:GetMetricData` |
 | `get_pool_session_history` | Pool session/capacity history | `workspaces:DescribeWorkspacesPool*`, `cloudwatch:GetMetricData` |
 | `get_application_fleet_usage` | Applications fleet utilization vs capacity | `appstream:DescribeFleets`, `cloudwatch:GetMetricData` |
-| `get_euc_cost_summary` | Spend rollup filtered to EUC services | `ce:GetCostAndUsage`, `ce:GetDimensionValues` |
+| `get_euc_cost_summary` | EUC spend by service + WorkSpaces Personal/Pools/Core split (USAGE_TYPE) + daily/monthly time series | `ce:GetCostAndUsage` |
 
 **Secure Browser**
 | Tool | Purpose | IAM actions |

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workspaces-euc-mcp-server
-Version: 0.1.8
+Version: 0.1.10
 Summary: MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core).
 Project-URL: Homepage, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
 Project-URL: Repository, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
@@ -88,7 +88,7 @@ audit, and governance tools:
 | `get_workspace_connection_history` | A desktop's connection/session **history** (UserConnected + connection attempts/failures) over a window, with a summary (Tier 0). |
 | `get_pool_session_history` | A WorkSpaces Pool's user-**session history** (active/available/utilization capacity time-series), flags idle pool capacity (Tier 0). |
 | `recommend_bundle_rightsizing` | Suggests smaller/larger compute types from CPU & memory headroom (general families; graphics excluded) (Tier 0). |
-| `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped; note Cost Explorer bills WorkSpaces Personal/Pools/Core together as one "Amazon WorkSpaces" line (Tier 1). |
+| `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped. Cost Explorer bills WorkSpaces Personal/Pools/Core as one "Amazon WorkSpaces" line, so the tool **splits it into Personal / Pools / Core via USAGE_TYPE** (`workspaces_breakdown`); also returns a daily/monthly time series (`by_period`) for charts (Tier 1). |
 | `generate_inventory_report` | Detailed per-resource inventory (desktops **with assigned user / computer name / IP**, pools, fleets, **stacks + their associated fleets**, portals) with key attributes (Tier 0). |
 | `audit_security_posture` | Cross-service: flags unencrypted WorkSpace volumes, directories without IP access control groups, and **Secure Browser portals / Applications stacks that allow data egress** (clipboard/download/print) (Tier 0). |
 | `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
@@ -264,13 +264,14 @@ If calls fail with an expired-token / `UnauthorizedException` error, your sessio
 re-authenticate (for SSO, `aws sso login --profile <name>`) and retry. Nothing in the MCP config
 changes.
 
-> **Tip — auto re-login (no terminal):** launch the server with **`--sso-auto-login`** (or set
-> `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`). When an AWS call then fails with an expired SSO token, the
-> server **automatically runs `aws sso login` for you** — opening your browser to the approval
-> screen — so you just click *Allow* and re-ask, without ever opening a terminal. Off by default;
-> the browser approval itself is still required (inherent to SSO), and the server still never
-> stores credentials (it just invokes the AWS CLI). Note: signing into the AWS **Console** does
-> *not* refresh the CLI/SSO token — only `aws sso login` does.
+> **Auto re-login (no terminal) — on by default:** when an AWS call fails with an expired SSO
+> token, the server **automatically runs `aws sso login` for you** — opening your browser to the
+> approval screen — and tells you in chat that the token expired and that sign-in was launched. You
+> just click *Allow* and re-ask, without ever opening a terminal. The browser approval itself is
+> still required (inherent to SSO), and the server still never stores credentials (it just invokes
+> the AWS CLI). Disable with **`--no-sso-auto-login`** (or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0`) for
+> headless/CI use. Note: signing into the AWS **Console** does *not* refresh the CLI/SSO token —
+> only `aws sso login` does.
 
 ## Enabling write / destructive tools — the safety gates
 
@@ -367,7 +368,7 @@ workspaces-euc-mcp-server --enable-writes --enable-destructive --max-bulk-target
 | `--enable-writes` | off | Register Phase 2 lifecycle (write) tools. |
 | `--enable-destructive` | off | Allow terminate/rebuild/restore (requires `--enable-writes`). |
 | `--max-bulk-targets` | 25 | Blast-radius cap for bulk mutations (Phase 2). |
-| `--sso-auto-login` | off | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. Also via `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`. |
+| `--sso-auto-login` / `--no-sso-auto-login` | **on** | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. **On by default**; disable with `--no-sso-auto-login` or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0` (e.g. headless/CI). |
 
 The server starts **read-only**; mutating tools require both the launch flag **and** the matching
 IAM tier.

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/README.md

@@ -58,7 +58,7 @@ audit, and governance tools:
 | `get_workspace_connection_history` | A desktop's connection/session **history** (UserConnected + connection attempts/failures) over a window, with a summary (Tier 0). |
 | `get_pool_session_history` | A WorkSpaces Pool's user-**session history** (active/available/utilization capacity time-series), flags idle pool capacity (Tier 0). |
 | `recommend_bundle_rightsizing` | Suggests smaller/larger compute types from CPU & memory headroom (general families; graphics excluded) (Tier 0). |
-| `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped; note Cost Explorer bills WorkSpaces Personal/Pools/Core together as one "Amazon WorkSpaces" line (Tier 1). |
+| `get_euc_cost_summary` | EUC spend by service over a window (or an explicit `start_date`/`end_date` calendar month) via Cost Explorer, account-wide. Services are matched by keyword so naming variants (e.g. AppStream 2.0) aren't dropped. Cost Explorer bills WorkSpaces Personal/Pools/Core as one "Amazon WorkSpaces" line, so the tool **splits it into Personal / Pools / Core via USAGE_TYPE** (`workspaces_breakdown`); also returns a daily/monthly time series (`by_period`) for charts (Tier 1). |
 | `generate_inventory_report` | Detailed per-resource inventory (desktops **with assigned user / computer name / IP**, pools, fleets, **stacks + their associated fleets**, portals) with key attributes (Tier 0). |
 | `audit_security_posture` | Cross-service: flags unencrypted WorkSpace volumes, directories without IP access control groups, and **Secure Browser portals / Applications stacks that allow data egress** (clipboard/download/print) (Tier 0). |
 | `audit_application_images` | Audits WorkSpaces Applications (AppStream 2.0) **images and image builders** — flags stale base images (unpatched OS), pinned/old AppStream agents, non-AVAILABLE/errored images, SHARED cross-account visibility, and **image builders left RUNNING** (cost + admin surface) (Tier 0). |
@@ -234,13 +234,14 @@ If calls fail with an expired-token / `UnauthorizedException` error, your sessio
 re-authenticate (for SSO, `aws sso login --profile <name>`) and retry. Nothing in the MCP config
 changes.
 
-> **Tip — auto re-login (no terminal):** launch the server with **`--sso-auto-login`** (or set
-> `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`). When an AWS call then fails with an expired SSO token, the
-> server **automatically runs `aws sso login` for you** — opening your browser to the approval
-> screen — so you just click *Allow* and re-ask, without ever opening a terminal. Off by default;
-> the browser approval itself is still required (inherent to SSO), and the server still never
-> stores credentials (it just invokes the AWS CLI). Note: signing into the AWS **Console** does
-> *not* refresh the CLI/SSO token — only `aws sso login` does.
+> **Auto re-login (no terminal) — on by default:** when an AWS call fails with an expired SSO
+> token, the server **automatically runs `aws sso login` for you** — opening your browser to the
+> approval screen — and tells you in chat that the token expired and that sign-in was launched. You
+> just click *Allow* and re-ask, without ever opening a terminal. The browser approval itself is
+> still required (inherent to SSO), and the server still never stores credentials (it just invokes
+> the AWS CLI). Disable with **`--no-sso-auto-login`** (or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0`) for
+> headless/CI use. Note: signing into the AWS **Console** does *not* refresh the CLI/SSO token —
+> only `aws sso login` does.
 
 ## Enabling write / destructive tools — the safety gates
 
@@ -337,7 +338,7 @@ workspaces-euc-mcp-server --enable-writes --enable-destructive --max-bulk-target
 | `--enable-writes` | off | Register Phase 2 lifecycle (write) tools. |
 | `--enable-destructive` | off | Allow terminate/rebuild/restore (requires `--enable-writes`). |
 | `--max-bulk-targets` | 25 | Blast-radius cap for bulk mutations (Phase 2). |
-| `--sso-auto-login` | off | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. Also via `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`. |
+| `--sso-auto-login` / `--no-sso-auto-login` | **on** | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. **On by default**; disable with `--no-sso-auto-login` or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0` (e.g. headless/CI). |
 
 The server starts **read-only**; mutating tools require both the launch flag **and** the matching
 IAM tier.

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "workspaces-euc-mcp-server"
-version = "0.1.8"
+version = "0.1.10"
 description = "MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core)."
 readme = "README.md"
 requires-python = ">=3.11"

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/tests/test_cost.py

@@ -215,6 +215,72 @@ def test_cost_summary_daily_returns_per_period_time_series():
     assert summary.by_period[0].by_service[0].service == "Amazon WorkSpaces Applications"
 
 
+def test_cost_summary_splits_workspaces_personal_pools_core():
+    # First CE call = SERVICE grouping; second = USAGE_TYPE grouping (the breakdown).
+    service_resp = {
+        "ResultsByTime": [
+            {
+                "Groups": [
+                    {
+                        "Keys": ["Amazon WorkSpaces"],
+                        "Metrics": {"UnblendedCost": {"Amount": "547.53", "Unit": "USD"}},
+                    }
+                ]
+            }
+        ]
+    }
+    usage_resp = {
+        "ResultsByTime": [
+            {
+                "Groups": [
+                    {
+                        "Keys": ["APS1-AW-HWB5-0"],  # Personal AlwaysOn monthly
+                        "Metrics": {"UnblendedCost": {"Amount": "386.25", "Unit": "USD"}},
+                    },
+                    {
+                        "Keys": ["APS1-AW-HW-Pools-Stopped-Usage"],  # Pools
+                        "Metrics": {"UnblendedCost": {"Amount": "146.68", "Unit": "USD"}},
+                    },
+                    {
+                        "Keys": ["APS1-WH-ManagedInstances-Usage"],  # Core
+                        "Metrics": {"UnblendedCost": {"Amount": "14.60", "Unit": "USD"}},
+                    },
+                ]
+            }
+        ]
+    }
+    calls = {"n": 0}
+
+    def get_cost_and_usage(**kwargs):
+        # The breakdown call carries a SERVICE filter + USAGE_TYPE grouping.
+        is_breakdown = kwargs.get("GroupBy", [{}])[0].get("Key") == "USAGE_TYPE"
+        calls["n"] += 1
+        return usage_resp if is_breakdown else service_resp
+
+    ce = types.SimpleNamespace(get_cost_and_usage=get_cost_and_usage)
+    factory = FakeFactory({consts.COST_EXPLORER_API: ce})
+
+    summary = cost.get_euc_cost_summary_core(factory, lookback_days=30)
+
+    assert summary.workspaces_breakdown == {
+        "WorkSpaces Personal": 386.25,
+        "WorkSpaces Pools": 146.68,
+        "WorkSpaces Core (Managed Instances)": 14.6,
+    }
+    assert calls["n"] == 2  # one SERVICE call + one USAGE_TYPE breakdown call
+
+
+def test_cost_summary_classify_usage_type():
+    assert (
+        cost._classify_workspaces_usage_type("APS1-AW-HW-Pools-Stopped-Usage") == "WorkSpaces Pools"
+    )
+    assert (
+        cost._classify_workspaces_usage_type("APS1-WH-ManagedInstances-Usage")
+        == "WorkSpaces Core (Managed Instances)"
+    )
+    assert cost._classify_workspaces_usage_type("APS1-AW-HWB5-0") == "WorkSpaces Personal"
+
+
 def test_cost_summary_explicit_date_range_overrides_lookback():
     captured: dict = {}
 

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/tests/test_sso.py

@@ -92,6 +92,20 @@ def test_try_call_hint_when_auto_login_disabled():
     assert "Console does NOT refresh" in errors[0].message
 
 
+def test_create_server_enables_sso_auto_login_by_default():
+    from workspaces_euc_mcp_server.server import create_server
+
+    try:
+        create_server(region="us-east-1")
+        assert _common._SSO_HANDLER is not None
+        assert _common._SSO_HANDLER.enabled is True
+        # Opt-out still works.
+        create_server(region="us-east-1", sso_auto_login=False)
+        assert _common._SSO_HANDLER is None
+    finally:
+        _common.register_sso_handler(None)
+
+
 class _FakeTokenError(BotoCoreError):
     """A BotoCoreError subclass whose str() is a controllable token-error message."""
 

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/workspaces_euc_mcp_server/__init__.py

@@ -3,4 +3,4 @@
 # A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
 """MCP server for administering the Amazon WorkSpaces End User Computing portfolio."""
 
-__version__ = "0.1.8"
+__version__ = "0.1.10"

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/workspaces_euc_mcp_server/consts.py

@@ -34,6 +34,15 @@ COST_EXPLORER_REGION = "us-east-1"
 # silently dropped. "workspaces" covers Personal/Pools/Core/Web/Secure Browser; "appstream" covers
 # WorkSpaces Applications (AppStream 2.0).
 EUC_COST_EXPLORER_SERVICE_TOKENS = ["workspaces", "appstream"]
+# Cost Explorer bills WorkSpaces Personal, Pools, and Core under one "Amazon WorkSpaces" SERVICE
+# line. They can still be split by USAGE_TYPE: pool charges carry "Pools", Core Managed Instances
+# carry "ManagedInstances", everything else under that service is Personal. Matched lowercased,
+# first hit wins.
+WORKSPACES_USAGE_TYPE_CLASSES = (
+    ("pools", "WorkSpaces Pools"),
+    ("managedinstances", "WorkSpaces Core (Managed Instances)"),
+)
+WORKSPACES_USAGE_TYPE_DEFAULT_CLASS = "WorkSpaces Personal"
 # Substrings that EXCLUDE a service even when an include token matches. WorkSpaces Thin Client is
 # out of scope for this server, but its Cost Explorer name ("Amazon WorkSpaces Thin Client")
 # contains "workspaces" — so exclude it explicitly.

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/workspaces_euc_mcp_server/models.py

@@ -289,6 +289,13 @@ class CostSummary(BaseModel):
     currency: str = "USD"
     total: float
     by_service: list[CostLineItem] = Field(default_factory=list)
+    workspaces_breakdown: dict[str, float] = Field(
+        default_factory=dict,
+        description=(
+            "The single 'Amazon WorkSpaces' SERVICE line split into Personal / Pools / Core via "
+            "USAGE_TYPE (which SERVICE cannot do). Populated when WorkSpaces has spend."
+        ),
+    )
     by_period: list[CostPeriod] = Field(
         default_factory=list,
         description=(

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/workspaces_euc_mcp_server/server.py

@@ -39,20 +39,23 @@ def create_server(
     enable_writes: bool = False,
     enable_destructive: bool = False,
     max_bulk_targets: int = consts.DEFAULT_MAX_BULK_TARGETS,
-    sso_auto_login: bool = False,
+    sso_auto_login: bool = True,
 ) -> FastMCP:
     """Build the FastMCP server, registering tools according to the safety flags."""
     factory = ClientFactory(
         region=region, profile=profile, role_arn=role_arn, external_id=external_id
     )
 
-    # Opt-in: when an AWS call fails with an expired SSO token, auto-launch `aws sso login`
-    # (opens the browser) so the user never has to use a terminal. No-op unless enabled.
+    # On by default: when an AWS call fails with an expired SSO token, auto-launch `aws sso login`
+    # (opens the browser) so the user never has to use a terminal. Disable for headless/CI.
     _common.register_sso_handler(
         SsoAutoLogin(profile=profile, enabled=sso_auto_login) if sso_auto_login else None
     )
-    if sso_auto_login:
-        logger.info("SSO auto-login enabled: expired tokens will trigger `aws sso login`.")
+    logger.info(
+        "SSO auto-login {}: expired tokens {} trigger `aws sso login`.",
+        "enabled" if sso_auto_login else "disabled",
+        "will" if sso_auto_login else "will NOT",
+    )
 
     mcp = FastMCP(consts.SERVER_NAME, instructions=consts.SERVER_INSTRUCTIONS)
 
@@ -123,19 +126,22 @@ def main() -> None:
     )
     parser.add_argument(
         "--sso-auto-login",
-        action="store_true",
-        help="When an AWS call fails with an expired SSO token, auto-launch `aws sso login` "
-        "(opens your browser) instead of requiring a manual terminal command. Off by default; "
-        "can also be enabled with WORKSPACES_EUC_SSO_AUTO_LOGIN=1.",
+        action=argparse.BooleanOptionalAction,
+        default=True,
+        help="On an expired SSO token, auto-launch `aws sso login` (opens your browser) so you "
+        "re-authenticate without a terminal. ON by default; disable with --no-sso-auto-login "
+        "(or WORKSPACES_EUC_SSO_AUTO_LOGIN=0) for headless/CI environments.",
     )
     args = parser.parse_args()
 
     if args.enable_destructive and not args.enable_writes:
         parser.error("--enable-destructive requires --enable-writes.")
 
-    sso_auto_login = args.sso_auto_login or os.environ.get(
-        "WORKSPACES_EUC_SSO_AUTO_LOGIN", ""
-    ).strip().lower() in ("1", "true", "yes")
+    # On by default; an explicit env var (if set) overrides the flag, so it can force-disable too.
+    sso_auto_login = args.sso_auto_login
+    _sso_env = os.environ.get("WORKSPACES_EUC_SSO_AUTO_LOGIN")
+    if _sso_env is not None:
+        sso_auto_login = _sso_env.strip().lower() in ("1", "true", "yes", "on")
 
     logger.remove()
     logger.add(sys.stderr, level=os.environ.get("FASTMCP_LOG_LEVEL", "INFO").upper())

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/workspaces_euc_mcp_server/tools/_common.py

@@ -79,7 +79,7 @@ def _sso_hint() -> str:
         )
     return (
         " [SSO session expired — run `aws sso login --profile <your-profile>` to re-authenticate "
-        "(or launch the server with --sso-auto-login to open sign-in automatically). "
+        "(automatic sign-in is disabled via --no-sso-auto-login). "
         "Note: signing into the AWS Console does NOT refresh the CLI/SSO token.]"
     )
 

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.10}/workspaces_euc_mcp_server/tools/cost.py

@@ -208,12 +208,73 @@ def _is_euc_service(service_name: str) -> bool:
     return any(token in name for token in consts.EUC_COST_EXPLORER_SERVICE_TOKENS)
 
 
+def _is_core_workspaces_service(name: str) -> bool:
+    """True for the 'Amazon WorkSpaces' SERVICE line (Personal/Pools/Core), not Applications/Web."""
+    n = name.lower()
+    if "workspaces" not in n:
+        return False
+    return not any(t in n for t in ("applications", "secure browser", "web", "thin client"))
+
+
+def _classify_workspaces_usage_type(usage_type: str) -> str:
+    """Map a WorkSpaces Cost Explorer USAGE_TYPE to Personal / Pools / Core."""
+    u = usage_type.lower()
+    for token, label in consts.WORKSPACES_USAGE_TYPE_CLASSES:
+        if token in u:
+            return label
+    return consts.WORKSPACES_USAGE_TYPE_DEFAULT_CLASS
+
+
+def _fetch_workspaces_breakdown(
+    cost_explorer: Any,
+    start: str,
+    end: str,
+    granularity: str,
+    service_names: list[str],
+    errors: list[ServiceError],
+) -> dict[str, float]:
+    """Split the 'Amazon WorkSpaces' line into Personal/Pools/Core via a USAGE_TYPE query."""
+    out: dict[str, float] = {}
+    next_token: str | None = None
+    while True:
+        kwargs: dict[str, Any] = {
+            "TimePeriod": {"Start": start, "End": end},
+            "Granularity": granularity,
+            "Metrics": ["UnblendedCost"],
+            # Exact names taken from the SERVICE results above — safe to filter on (no guessing).
+            "Filter": {"Dimensions": {"Key": "SERVICE", "Values": service_names}},
+            "GroupBy": [{"Type": "DIMENSION", "Key": "USAGE_TYPE"}],
+        }
+        if next_token:
+            kwargs["NextPageToken"] = next_token
+        resp = try_call(
+            errors,
+            "AWS Cost Explorer",
+            "GetCostAndUsage",
+            lambda kwargs=kwargs: cost_explorer.get_cost_and_usage(**kwargs),
+            default={},
+        )
+        if not resp:
+            break
+        for period in resp.get("ResultsByTime", []):
+            for group in period.get("Groups", []):
+                usage_type = (group.get("Keys") or [""])[0]
+                amount = float(group.get("Metrics", {}).get("UnblendedCost", {}).get("Amount", 0.0))
+                label = _classify_workspaces_usage_type(usage_type)
+                out[label] = out.get(label, 0.0) + amount
+        next_token = resp.get("NextPageToken")
+        if not next_token:
+            break
+    return {k: round(v, 2) for k, v in out.items() if round(v, 2) != 0.0}
+
+
 def get_euc_cost_summary_core(
     factory: ClientFactory,
     lookback_days: int = 30,
     granularity: str = "MONTHLY",
     start_date: str | None = None,
     end_date: str | None = None,
+    split_workspaces: bool = True,
 ) -> CostSummary:
     errors: list[ServiceError] = []
     # Cost Explorer is a global endpoint served from us-east-1, regardless of working region.
@@ -273,6 +334,17 @@ def get_euc_cost_summary_core(
         for s, a in sorted(totals_by_service.items(), key=lambda kv: kv[1], reverse=True)
     ]
     total = round(sum(item.amount for item in by_service), 2)
+
+    # Split the single "Amazon WorkSpaces" line into Personal/Pools/Core via USAGE_TYPE.
+    workspaces_breakdown: dict[str, float] = {}
+    core_ws = [
+        it.service for it in by_service if _is_core_workspaces_service(it.service) and it.amount
+    ]
+    if split_workspaces and core_ws:
+        workspaces_breakdown = _fetch_workspaces_breakdown(
+            cost_explorer, start, end, granularity, core_ws, errors
+        )
+
     by_period = [
         CostPeriod(
             start=p_start,
@@ -293,15 +365,20 @@ def get_euc_cost_summary_core(
         currency=currency,
         total=total,
         by_service=by_service,
+        workspaces_breakdown=workspaces_breakdown,
         by_period=by_period,
         errors=errors,
         notes=[
             "EUC services are selected by matching the Cost Explorer SERVICE name against the EUC "
             "keyword set (workspaces / appstream), so naming variants are not dropped.",
-            "Cost Explorer bills WorkSpaces Personal, Pools, and Core together under the single "
-            "'Amazon WorkSpaces' service; they cannot be separated via the SERVICE dimension.",
+            "Cost Explorer bills WorkSpaces Personal, Pools, and Core under one 'Amazon "
+            "WorkSpaces' SERVICE line; workspaces_breakdown splits them via USAGE_TYPE (Personal "
+            "vs Pools vs Core) — a heuristic on usage-type names, so treat sub-totals as "
+            "estimates.",
             "by_period gives the per-bucket time series (per day for DAILY, per month for MONTHLY) "
             "for charts/trends; by_service is the total across the whole window.",
+            "On MONTHLY granularity, AlwaysOn monthly bundle charges post on the 1st of the month, "
+            "so day-1 of a DAILY series legitimately spikes — it is not a Pools/Core artefact.",
         ],
     )
 
@@ -347,6 +424,7 @@ def register(mcp: Any, factory: ClientFactory) -> None:
         granularity: Literal["MONTHLY", "DAILY"] = "MONTHLY",
         start_date: str | None = None,
         end_date: str | None = None,
+        split_workspaces: bool = True,
     ) -> dict[str, Any]:
         """Summarize EUC spend by service over a window (account-wide via Cost Explorer).
 
@@ -356,10 +434,14 @@ def register(mcp: Any, factory: ClientFactory) -> None:
         variants are never dropped. Cost Explorer is not region-scoped, so figures are account-wide.
         Read-only.
 
-        Returns both `by_service` (totals across the whole window) and `by_period` (a per-bucket
-        time series — one entry per day for DAILY, per month for MONTHLY — each with its own
-        per-service split). Use `by_period` with granularity="DAILY" to chart daily trends in a
-        single call.
+        Returns `by_service` (totals per service), `by_period` (a per-bucket time series — one entry
+        per day for DAILY, per month for MONTHLY — for charts), and `workspaces_breakdown`: the
+        single "Amazon WorkSpaces" line split into **Personal / Pools / Core** via USAGE_TYPE
+        (which the SERVICE dimension cannot do). Use this when you need to know whether a WorkSpaces
+        figure is Personal-only or includes Pools/Core.
+
+        Note: on MONTHLY granularity, AlwaysOn monthly bundle charges post on the 1st, so day-1 of a
+        DAILY series spikes legitimately (not a Pools/Core artefact).
 
         For a specific calendar month, pass start_date/end_date instead of lookback_days — Cost
         Explorer's end is EXCLUSIVE, so for May 2026 use start_date="2026-05-01",
@@ -371,9 +453,10 @@ def register(mcp: Any, factory: ClientFactory) -> None:
             start_date: Optional inclusive start, "YYYY-MM-DD". Use with end_date; overrides
                 lookback_days.
             end_date: Optional EXCLUSIVE end, "YYYY-MM-DD". Use with start_date.
+            split_workspaces: Split the WorkSpaces line into Personal/Pools/Core (default True).
         """
         summary = get_euc_cost_summary_core(
-            factory, lookback_days, granularity, start_date, end_date
+            factory, lookback_days, granularity, start_date, end_date, split_workspaces
         )
         return summary.model_dump()