write initialize error to stdout

[wzxxing]

Summary

Changes

Please provide a summary of what's being changed

When client fails, we want to the see the failure reason in the MCP client. This was possible with v1.0 where every request is independent, but with v1.1.1, to reuse the MCP session for every request, proxy takes an already connected mcp client, so the client initialization happens outside of the MCP client life cycle.

User experience

Please share what the user experience looks like before and after this change

The user should see a more detailed error message such as below, immediately after the connection is closed:

Failed to connect to MCP server "aws-local": MCP error -32001: Your AWS session token has expired. Please refresh your credentials and try again. If you're using temporary credentials, you may need to re-authenticate to obtain new credentials.

Previously v1.1.1 make the error message very unclear:

Failed to connect to MCP server "AWSMCPFromLatestPyPi": MCP error -32000: Connection closed

Testing

update MCP config as

"aws": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/aws/mcp-proxy-for-aws@wzxxing/write-last-error",
        "mcp-proxy-for-aws",
        "--service",
        "aws-mcp",
        "--profile",
        "mcp-tester",
        "--region",
        "us-east-1",
        "--log-level",
        "DEBUG",
        "<remote-mcp-server-url>"
      ]
    },

Expired credentials (Authn failure):

Credentials without permission (Authz faillure)

Tool call failure (Authz), normal without terminating the transport

Checklist

If your change doesn't seem to apply, please leave them unchecked.

• I have reviewed the contributing guidelines
• I have performed a self-review of this change
• Changes have been tested
• Changes are documented

Is this a breaking change? (Y/N)

• Yes
• No

Please add details about how this change was tested.

• Did integration tests succeed?
• If the feature is a new use case, is it necessary to add a new integration test case?

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[wzxxing]

This is to print the initialization error to the process stdout so that the client can receive it and show the error message properly.

[arangatang]

nit/qq: Maybe we want to do this also via the logger but point it to sys.stdout only in this case.

[PCManticore]

Typo here.

[PCManticore]

Why is this thrown only on initialize? I presume because other MCP operations would normally return 200 if they are implemented according to the spec. But we can't make that assumption especially as the proxy can be leveraged by any non-AWS service specific MCP server (for example an AgentCore Runtime MCP server would be feasible to use with the proxy).

[arangatang]

would normally return 200 if they are implemented according to the spec.

Note, this is wrong. If done by spec, e.g. when a SessionId is expired the server must return 404 if its passed.
However I do agree this is not really respected properly 😓

[arangatang]

nit: SigV4 authentication and we don't really do any routing.

[arangatang]

nit/qq: Maybe we want to do this also via the logger but point it to sys.stdout only in this case.

[arangatang]

nit: raise

Suggested change

	raise e
	raise

[arangatang]

would normally return 200 if they are implemented according to the spec.

Note, this is wrong. If done by spec, e.g. when a SessionId is expired the server must return 404 if its passed.
However I do agree this is not really respected properly 😓

[arangatang]

Should we do this on any 4xx / 5xx errors per default and ignore failures for maybe GET requests?

e.g. allowlist for know "ok" failures like GET requests instad of this surgical way?
wdyt?

[wzxxing]

Move the error handling outside of sigv4 helper

[arangatang]

Suggested change

	# line = sys.stdin.readline()
	# logger.debug('First line from kiro %s', line)