workspaces-euc-mcp-server 0.1.8__tar.gz → 0.1.9__tar.gz

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.1.9] - 2026-06-03
+
+### Changed
+- **SSO auto-login is now ON by default** (previously opt-in via `--sso-auto-login`). When an AWS
+  call fails with an expired SSO token, the server automatically runs `aws sso login` (opens the
+  browser) and reports in the result that the token expired and that sign-in was launched — no flag
+  needed. Disable with **`--no-sso-auto-login`** or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0` (e.g.
+  headless/CI). The browser approval is still required and credentials are still never stored.
+
 ## [0.1.8] - 2026-06-03
 
 ### Added

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/DESIGN.md

@@ -94,10 +94,12 @@
 - `--enable-writes`: registers Phase-2 lifecycle tools (still dry-run/confirm gated).
 - `--enable-destructive`: separately gates terminate/rebuild/restore.
 - `--max-bulk-targets N`: blast-radius cap for any bulk mutation.
-- `--sso-auto-login` (default **off**): on an expired-SSO-token error, launch `aws sso login`
-  (opens the browser) so the user needn't use a terminal. Opt-in; never stores credentials — it
-  only invokes the AWS CLI, which writes the standard token cache. Debounced so a burst of failing
-  calls opens the browser once.
+- `--sso-auto-login` / `--no-sso-auto-login` (default **on**): on an expired-SSO-token error,
+  launch `aws sso login` (opens the browser) so the user needn't use a terminal, and report in the
+  result that the token expired and sign-in was launched. Never stores credentials — it only
+  invokes the AWS CLI, which writes the standard token cache. Debounced so a burst of failing calls
+  opens the browser once. Disable with `--no-sso-auto-login` / `WORKSPACES_EUC_SSO_AUTO_LOGIN=0`
+  for headless/CI.
 - `AWS_REGION` / `AWS_PROFILE`: standard.
 
 ## 5. Tool inventory

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: workspaces-euc-mcp-server
-Version: 0.1.8
+Version: 0.1.9
 Summary: MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core).
 Project-URL: Homepage, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
 Project-URL: Repository, https://github.com/bengroeneveldsg/aws-workspaces-euc-mcp
@@ -264,13 +264,14 @@ If calls fail with an expired-token / `UnauthorizedException` error, your sessio
 re-authenticate (for SSO, `aws sso login --profile <name>`) and retry. Nothing in the MCP config
 changes.
 
-> **Tip — auto re-login (no terminal):** launch the server with **`--sso-auto-login`** (or set
-> `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`). When an AWS call then fails with an expired SSO token, the
-> server **automatically runs `aws sso login` for you** — opening your browser to the approval
-> screen — so you just click *Allow* and re-ask, without ever opening a terminal. Off by default;
-> the browser approval itself is still required (inherent to SSO), and the server still never
-> stores credentials (it just invokes the AWS CLI). Note: signing into the AWS **Console** does
-> *not* refresh the CLI/SSO token — only `aws sso login` does.
+> **Auto re-login (no terminal) — on by default:** when an AWS call fails with an expired SSO
+> token, the server **automatically runs `aws sso login` for you** — opening your browser to the
+> approval screen — and tells you in chat that the token expired and that sign-in was launched. You
+> just click *Allow* and re-ask, without ever opening a terminal. The browser approval itself is
+> still required (inherent to SSO), and the server still never stores credentials (it just invokes
+> the AWS CLI). Disable with **`--no-sso-auto-login`** (or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0`) for
+> headless/CI use. Note: signing into the AWS **Console** does *not* refresh the CLI/SSO token —
+> only `aws sso login` does.
 
 ## Enabling write / destructive tools — the safety gates
 
@@ -367,7 +368,7 @@ workspaces-euc-mcp-server --enable-writes --enable-destructive --max-bulk-target
 | `--enable-writes` | off | Register Phase 2 lifecycle (write) tools. |
 | `--enable-destructive` | off | Allow terminate/rebuild/restore (requires `--enable-writes`). |
 | `--max-bulk-targets` | 25 | Blast-radius cap for bulk mutations (Phase 2). |
-| `--sso-auto-login` | off | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. Also via `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`. |
+| `--sso-auto-login` / `--no-sso-auto-login` | **on** | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. **On by default**; disable with `--no-sso-auto-login` or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0` (e.g. headless/CI). |
 
 The server starts **read-only**; mutating tools require both the launch flag **and** the matching
 IAM tier.

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/README.md

@@ -234,13 +234,14 @@ If calls fail with an expired-token / `UnauthorizedException` error, your sessio
 re-authenticate (for SSO, `aws sso login --profile <name>`) and retry. Nothing in the MCP config
 changes.
 
-> **Tip — auto re-login (no terminal):** launch the server with **`--sso-auto-login`** (or set
-> `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`). When an AWS call then fails with an expired SSO token, the
-> server **automatically runs `aws sso login` for you** — opening your browser to the approval
-> screen — so you just click *Allow* and re-ask, without ever opening a terminal. Off by default;
-> the browser approval itself is still required (inherent to SSO), and the server still never
-> stores credentials (it just invokes the AWS CLI). Note: signing into the AWS **Console** does
-> *not* refresh the CLI/SSO token — only `aws sso login` does.
+> **Auto re-login (no terminal) — on by default:** when an AWS call fails with an expired SSO
+> token, the server **automatically runs `aws sso login` for you** — opening your browser to the
+> approval screen — and tells you in chat that the token expired and that sign-in was launched. You
+> just click *Allow* and re-ask, without ever opening a terminal. The browser approval itself is
+> still required (inherent to SSO), and the server still never stores credentials (it just invokes
+> the AWS CLI). Disable with **`--no-sso-auto-login`** (or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0`) for
+> headless/CI use. Note: signing into the AWS **Console** does *not* refresh the CLI/SSO token —
+> only `aws sso login` does.
 
 ## Enabling write / destructive tools — the safety gates
 
@@ -337,7 +338,7 @@ workspaces-euc-mcp-server --enable-writes --enable-destructive --max-bulk-target
 | `--enable-writes` | off | Register Phase 2 lifecycle (write) tools. |
 | `--enable-destructive` | off | Allow terminate/rebuild/restore (requires `--enable-writes`). |
 | `--max-bulk-targets` | 25 | Blast-radius cap for bulk mutations (Phase 2). |
-| `--sso-auto-login` | off | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. Also via `WORKSPACES_EUC_SSO_AUTO_LOGIN=1`. |
+| `--sso-auto-login` / `--no-sso-auto-login` | **on** | On an expired SSO token, auto-launch `aws sso login` (opens your browser) instead of requiring a manual terminal command. **On by default**; disable with `--no-sso-auto-login` or `WORKSPACES_EUC_SSO_AUTO_LOGIN=0` (e.g. headless/CI). |
 
 The server starts **read-only**; mutating tools require both the launch flag **and** the matching
 IAM tier.

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "workspaces-euc-mcp-server"
-version = "0.1.8"
+version = "0.1.9"
 description = "MCP server for administering the Amazon WorkSpaces family of End User Computing services (Personal, Pools, Applications, Secure Browser, Core)."
 readme = "README.md"
 requires-python = ">=3.11"

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/tests/test_sso.py

@@ -92,6 +92,20 @@ def test_try_call_hint_when_auto_login_disabled():
     assert "Console does NOT refresh" in errors[0].message
 
 
+def test_create_server_enables_sso_auto_login_by_default():
+    from workspaces_euc_mcp_server.server import create_server
+
+    try:
+        create_server(region="us-east-1")
+        assert _common._SSO_HANDLER is not None
+        assert _common._SSO_HANDLER.enabled is True
+        # Opt-out still works.
+        create_server(region="us-east-1", sso_auto_login=False)
+        assert _common._SSO_HANDLER is None
+    finally:
+        _common.register_sso_handler(None)
+
+
 class _FakeTokenError(BotoCoreError):
     """A BotoCoreError subclass whose str() is a controllable token-error message."""
 

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/workspaces_euc_mcp_server/__init__.py

@@ -3,4 +3,4 @@
 # A copy of the License is located at http://www.apache.org/licenses/LICENSE-2.0
 """MCP server for administering the Amazon WorkSpaces End User Computing portfolio."""
 
-__version__ = "0.1.8"
+__version__ = "0.1.9"

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/workspaces_euc_mcp_server/server.py

@@ -39,20 +39,23 @@ def create_server(
     enable_writes: bool = False,
     enable_destructive: bool = False,
     max_bulk_targets: int = consts.DEFAULT_MAX_BULK_TARGETS,
-    sso_auto_login: bool = False,
+    sso_auto_login: bool = True,
 ) -> FastMCP:
     """Build the FastMCP server, registering tools according to the safety flags."""
     factory = ClientFactory(
         region=region, profile=profile, role_arn=role_arn, external_id=external_id
     )
 
-    # Opt-in: when an AWS call fails with an expired SSO token, auto-launch `aws sso login`
-    # (opens the browser) so the user never has to use a terminal. No-op unless enabled.
+    # On by default: when an AWS call fails with an expired SSO token, auto-launch `aws sso login`
+    # (opens the browser) so the user never has to use a terminal. Disable for headless/CI.
     _common.register_sso_handler(
         SsoAutoLogin(profile=profile, enabled=sso_auto_login) if sso_auto_login else None
     )
-    if sso_auto_login:
-        logger.info("SSO auto-login enabled: expired tokens will trigger `aws sso login`.")
+    logger.info(
+        "SSO auto-login {}: expired tokens {} trigger `aws sso login`.",
+        "enabled" if sso_auto_login else "disabled",
+        "will" if sso_auto_login else "will NOT",
+    )
 
     mcp = FastMCP(consts.SERVER_NAME, instructions=consts.SERVER_INSTRUCTIONS)
 
@@ -123,19 +126,22 @@ def main() -> None:
     )
     parser.add_argument(
         "--sso-auto-login",
-        action="store_true",
-        help="When an AWS call fails with an expired SSO token, auto-launch `aws sso login` "
-        "(opens your browser) instead of requiring a manual terminal command. Off by default; "
-        "can also be enabled with WORKSPACES_EUC_SSO_AUTO_LOGIN=1.",
+        action=argparse.BooleanOptionalAction,
+        default=True,
+        help="On an expired SSO token, auto-launch `aws sso login` (opens your browser) so you "
+        "re-authenticate without a terminal. ON by default; disable with --no-sso-auto-login "
+        "(or WORKSPACES_EUC_SSO_AUTO_LOGIN=0) for headless/CI environments.",
     )
     args = parser.parse_args()
 
     if args.enable_destructive and not args.enable_writes:
         parser.error("--enable-destructive requires --enable-writes.")
 
-    sso_auto_login = args.sso_auto_login or os.environ.get(
-        "WORKSPACES_EUC_SSO_AUTO_LOGIN", ""
-    ).strip().lower() in ("1", "true", "yes")
+    # On by default; an explicit env var (if set) overrides the flag, so it can force-disable too.
+    sso_auto_login = args.sso_auto_login
+    _sso_env = os.environ.get("WORKSPACES_EUC_SSO_AUTO_LOGIN")
+    if _sso_env is not None:
+        sso_auto_login = _sso_env.strip().lower() in ("1", "true", "yes", "on")
 
     logger.remove()
     logger.add(sys.stderr, level=os.environ.get("FASTMCP_LOG_LEVEL", "INFO").upper())

{workspaces_euc_mcp_server-0.1.8 → workspaces_euc_mcp_server-0.1.9}/workspaces_euc_mcp_server/tools/_common.py

@@ -79,7 +79,7 @@ def _sso_hint() -> str:
         )
     return (
         " [SSO session expired — run `aws sso login --profile <your-profile>` to re-authenticate "
-        "(or launch the server with --sso-auto-login to open sign-in automatically). "
+        "(automatic sign-in is disabled via --no-sso-auto-login). "
         "Note: signing into the AWS Console does NOT refresh the CLI/SSO token.]"
     )