@geekbeer/minion 2.70.2 → 3.4.7

package/win/minion-cli.ps1

@@ -1,9 +1,12 @@
 #Requires -Version 5.1
 # Minion Agent CLI for Windows (@geekbeer/minion)
+# Administrator required only for: setup, uninstall
+# All other commands (start/stop/restart/status/etc.) work as regular user after setup.
+#
 # Usage:
-#   minion-cli-win setup --hq-url https://... --minion-id <UUID> --api-token <TOKEN>
-#   minion-cli-win setup --setup-tunnel
-#   minion-cli-win uninstall [--keep-data]
+#   minion-cli-win setup                    # Install software & register services (admin required)
+#   minion-cli-win configure --hq-url https://... --minion-id <UUID> --api-token <TOKEN>
+#   minion-cli-win uninstall [--keep-data]  # Remove agent (admin required)
 #   minion-cli-win start | stop | restart | status | health | daemons | diagnose | version | help
 
 # Parse arguments manually to avoid issues with npm wrapper passing $args as array
@@ -18,7 +21,7 @@ $i = 0
 while ($i -lt $args.Count) {
     $arg = [string]$args[$i]
     switch -Regex ($arg) {
-        '^(setup|reconfigure|uninstall|start|stop|restart|status|health|daemons|diagnose|version|help)$' { $Command = $arg }
+        '^(setup|configure|reconfigure|uninstall|start|stop|restart|status|health|daemons|diagnose|version|help)$' { $Command = $arg }
         '^(-v|--version)$' { $Command = 'version' }
         '^--hq-url$' { $i++; if ($i -lt $args.Count) { $HqUrl = [string]$args[$i] } }
         '^--minion-id$' { $i++; if ($i -lt $args.Count) { $MinionId = [string]$args[$i] } }
@@ -32,16 +35,42 @@ while ($i -lt $args.Count) {
 
 $ErrorActionPreference = 'Stop'
 
+# Load System.Web for password generation (used in setup)
+Add-Type -AssemblyName System.Web -ErrorAction SilentlyContinue
+
+# ============================================================
+# Require Administrator for service management commands
+# ============================================================
+$adminRequired = @('setup', 'uninstall')
+if ($Command -in $adminRequired) {
+    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
+    if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
+        Write-Host "ERROR: '$Command' requires Administrator privileges." -ForegroundColor Red
+        Write-Host "  Right-click PowerShell and select 'Run as administrator'." -ForegroundColor Yellow
+        exit 1
+    }
+}
+
 # Constants
 $DataDir = Join-Path $env:USERPROFILE '.minion'
 $EnvFile = Join-Path $DataDir '.env'
-$PidFile = Join-Path $DataDir 'minion-agent.pid'
 $LogDir = Join-Path $DataDir 'logs'
-$StartAgentScript = Join-Path $DataDir 'start-agent.ps1'
 $AgentUrl = if ($env:MINION_AGENT_URL) { $env:MINION_AGENT_URL } else { 'http://localhost:8080' }
 
-# Resolve CLI version from package.json
+# Resolve NSSM path: bundled in npm package > data dir > PATH
 $CliDir = Split-Path -Parent $PSScriptRoot
+$NssmPath = $null
+$vendorNssm = Join-Path $CliDir 'win\vendor\nssm.exe'
+if (Test-Path $vendorNssm) { $NssmPath = $vendorNssm }
+elseif (Test-Path (Join-Path $DataDir 'nssm.exe')) { $NssmPath = Join-Path $DataDir 'nssm.exe' }
+elseif (Get-Command nssm -ErrorAction SilentlyContinue) { $NssmPath = (Get-Command nssm).Source }
+else {
+    # Fallback: try alternate vendor path (when run from package root)
+    $altVendor = Join-Path $PSScriptRoot 'vendor\nssm.exe'
+    if (Test-Path $altVendor) { $NssmPath = $altVendor }
+}
+
+# Resolve CLI version from package.json
 $CliVersion = try {
     (Get-Content (Join-Path $CliDir 'package.json') -Raw | ConvertFrom-Json).version
 }
@@ -66,6 +95,22 @@ function Write-Warn {
     Write-Host "  WARNING: $Message" -ForegroundColor Yellow
 }
 
+function Invoke-Nssm {
+    # Wrapper to call nssm.exe without $ErrorActionPreference = 'Stop' killing the script.
+    # NSSM writes informational output (version banner, status messages) to stderr,
+    # which PowerShell converts to ErrorRecords. Under $ErrorActionPreference = 'Stop'
+    # these become terminating errors even with 2>$null redirection.
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    try {
+        $output = & $NssmPath @args 2>&1
+        # Filter out ErrorRecord objects (stderr), return stdout as strings
+        $output | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] } | ForEach-Object { "$_" }
+    } finally {
+        $ErrorActionPreference = $prevPref
+    }
+}
+
 function Test-CommandExists {
     param([string]$Name)
     $null -ne (Get-Command $Name -ErrorAction SilentlyContinue)
@@ -73,24 +118,32 @@ function Test-CommandExists {
 
 function Get-WebsockifyCommand {
     # Returns @(executable, args-prefix) for launching websockify.
-    # 1) websockify.exe on PATH
-    if (Get-Command websockify -ErrorAction SilentlyContinue) {
-        return @((Get-Command websockify).Source)
-    }
-    # 2) Look in Python Scripts directories
-    if (Test-CommandExists 'python') {
-        $scriptsDir = & python -c "import sysconfig; print(sysconfig.get_path('scripts'))" 2>$null
-        if ($scriptsDir) {
-            $wsExe = Join-Path $scriptsDir 'websockify.exe'
-            if (Test-Path $wsExe) { return @($wsExe) }
+    # Python writes informational output to stderr, which causes terminating errors
+    # under $ErrorActionPreference = 'Stop'. Temporarily switch to 'Continue'.
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    try {
+        # 1) websockify.exe on PATH
+        if (Get-Command websockify -ErrorAction SilentlyContinue) {
+            return @((Get-Command websockify).Source)
         }
+        # 2) Look in Python Scripts directories
+        if (Test-CommandExists 'python') {
+            $scriptsDir = & python -c "import sysconfig; print(sysconfig.get_path('scripts'))" 2>$null
+            if ($scriptsDir) {
+                $wsExe = Join-Path $scriptsDir 'websockify.exe'
+                if (Test-Path $wsExe) { return @($wsExe) }
+            }
+        }
+        # 3) Fallback: python -m websockify
+        if (Test-CommandExists 'python') {
+            $check = & python -c "import websockify" 2>&1
+            if ($LASTEXITCODE -eq 0) { return @('python', '-m', 'websockify') }
+        }
+        return $null
+    } finally {
+        $ErrorActionPreference = $prevPref
     }
-    # 3) Fallback: python -m websockify
-    if (Test-CommandExists 'python') {
-        $check = & python -c "import websockify" 2>&1
-        if ($LASTEXITCODE -eq 0) { return @('python', '-m', 'websockify') }
-    }
-    return $null
 }
 
 function Get-LanIPAddress {
@@ -109,8 +162,74 @@ function Get-LanIPAddress {
 }
 
 function Get-MinionServerJs {
-    $npmRoot = & npm root -g 2>$null
-    return Join-Path $npmRoot '@geekbeer\minion\win\server.js'
+    # Use $CliDir (script's package root) instead of npm root -g,
+    # which may point to a different user's npm global when run as admin.
+    return Join-Path $CliDir 'win\server.js'
+}
+
+function Resolve-TargetUserProfile {
+    # Resolve the target user's profile directory.
+    # In setup: interactively ask if the current admin account differs from the intended user.
+    # In configure/uninstall: read from saved .target-user-profile file.
+    param([switch]$Interactive)
+
+    if ($Interactive) {
+        # Detect all local user profiles (excluding system accounts)
+        $profiles = @()
+        Get-CimInstance Win32_UserProfile -ErrorAction SilentlyContinue |
+            Where-Object { -not $_.Special -and $_.LocalPath -and $_.LocalPath -notmatch '\\(systemprofile|LocalService|NetworkService)$' } |
+            ForEach-Object {
+                $profilePath = $_.LocalPath
+                $sid = $_.SID
+                try {
+                    $objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
+                    $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
+                    $userName = $objUser.Value -replace '^.*\\'
+                }
+                catch { $userName = Split-Path $profilePath -Leaf }
+                $profiles += @{ Name = $userName; Path = $profilePath }
+            }
+
+        # If only one profile, use it directly
+        if ($profiles.Count -le 1) {
+            return $env:USERPROFILE
+        }
+
+        # Check if current user matches a non-admin typical user
+        $currentUser = $env:USERNAME
+        Write-Host "  Detected user profiles on this machine:" -ForegroundColor Yellow
+        Write-Host ""
+        for ($idx = 0; $idx -lt $profiles.Count; $idx++) {
+            $marker = if ($profiles[$idx].Name -eq $currentUser) { " (current)" } else { "" }
+            Write-Host "    [$($idx + 1)] $($profiles[$idx].Name) - $($profiles[$idx].Path)$marker"
+        }
+        Write-Host ""
+        Write-Host "  Which user should own the minion data (.minion, .claude directories)?" -ForegroundColor Yellow
+        Write-Host "  If you are running this from a different admin account, select the" -ForegroundColor Yellow
+        Write-Host "  regular user account that normally uses this machine." -ForegroundColor Yellow
+        Write-Host ""
+
+        while ($true) {
+            $selection = Read-Host "  Enter number [1-$($profiles.Count)] (default: 1)"
+            if ([string]::IsNullOrWhiteSpace($selection)) { $selection = '1' }
+            $selIdx = 0
+            if ([int]::TryParse($selection, [ref]$selIdx) -and $selIdx -ge 1 -and $selIdx -le $profiles.Count) {
+                $chosen = $profiles[$selIdx - 1]
+                Write-Host ""
+                Write-Detail "Target user: $($chosen.Name) ($($chosen.Path))"
+                return $chosen.Path
+            }
+            Write-Host "  Invalid selection. Please enter a number between 1 and $($profiles.Count)." -ForegroundColor Red
+        }
+    }
+
+    # Non-interactive: read from saved file
+    $savedFile = Join-Path $DataDir '.target-user-profile'
+    if (Test-Path $savedFile) {
+        $saved = ([System.IO.File]::ReadAllText($savedFile)).Trim()
+        if ($saved -and (Test-Path $saved)) { return $saved }
+    }
+    return $env:USERPROFILE
 }
 
 function Read-EnvFile {
@@ -158,76 +277,114 @@ function Invoke-HealthCheck {
     return $false
 }
 
-function Start-MinionProcess {
-    # Check if already running via PID file
-    if (Test-Path $PidFile) {
-        $existingPid = (Get-Content $PidFile -Raw).Trim()
-        $proc = Get-Process -Id $existingPid -ErrorAction SilentlyContinue
-        if ($proc) {
-            Write-Host "minion-agent is already running (PID: $existingPid)"
-            return
-        }
-        Remove-Item $PidFile -Force
-    }
-
-    if (-not (Test-Path $StartAgentScript)) {
-        Write-Error "start-agent.ps1 not found. Run 'minion-cli-win setup' first."
+function Assert-NssmAvailable {
+    if (-not $NssmPath -or -not (Test-Path $NssmPath)) {
+        Write-Error "NSSM not found. Expected at: $vendorNssm"
+        Write-Host "  Reinstall the package: npm install -g @geekbeer/minion" -ForegroundColor Yellow
         exit 1
     }
+}
 
-    # Launch start-agent.ps1 as a hidden background process
-    Start-Process powershell -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$StartAgentScript`"" `
-        -WindowStyle Hidden
-    Start-Sleep -Seconds 2
+# ============================================================
+# Service SDDL helpers (grant control to non-admin user)
+# ============================================================
 
-    if (Test-Path $PidFile) {
-        $newPid = (Get-Content $PidFile -Raw).Trim()
-        Write-Host "minion-agent started (PID: $newPid)"
-    } else {
-        Write-Host "minion-agent starting... (check logs at $LogDir)"
+function Get-SetupUserSid {
+    # Returns SID of the user who invoked setup (for SDDL grant).
+    # In admin shell, $env:USERNAME is the admin account.
+    # We store the setup user's SID in .minion/.setup-user-sid during setup.
+    $sidFile = Join-Path $DataDir '.setup-user-sid'
+    if (Test-Path $sidFile) {
+        return ([System.IO.File]::ReadAllText($sidFile)).Trim()
     }
+    # Fallback: current user
+    return ([System.Security.Principal.WindowsIdentity]::GetCurrent().User).Value
+}
+
+function Grant-ServiceControlToUser {
+    param([string]$ServiceName, [string]$UserSid)
+    # Grant Start/Stop/Pause/QueryStatus/QueryConfig/Interrogate/UserDefined rights
+    # RPWPDTLOCRRC = RP (read property) WP (write property) DT (delete tree) LO (list object)
+    #                CR (control rights) RC (read control)
+    # Simpler: use standard rights for service control
+    # GA=Generic All is too broad. Use specific rights:
+    #   CC=ServiceQueryConfig, LC=ServiceQueryStatus, SW=ServiceEnumerateDependents,
+    #   RP=ServiceStart, WP=ServiceStop, DT=ServicePauseContinue, LO=ServiceInterrogate,
+    #   CR=ServiceUserDefinedControl, RC=ReadControl
+    $ace = "(A;;CCLCSWRPWPDTLOCRRC;;;$UserSid)"
+    try {
+        $sdShowOutput = sc.exe sdshow $ServiceName 2>&1
+        $currentSddl = ($sdShowOutput | Where-Object { $_ -match '^D:' }) -as [string]
+        if (-not $currentSddl) { return }
+        # Insert ACE before S: (SACL) section if present, otherwise append
+        if ($currentSddl -match '(S:.*)$') {
+            $newSddl = $currentSddl -replace '(S:.*)', "$ace`$1"
+        } else {
+            $newSddl = $currentSddl + $ace
+        }
+        sc.exe sdset $ServiceName $newSddl 2>&1 | Out-Null
+    } catch { }
 }
 
-function Stop-MinionProcess {
-    if (-not (Test-Path $PidFile)) {
-        Write-Host "minion-agent is not running (no PID file)"
+# ============================================================
+# Service management (sc.exe-based, no admin required after setup)
+# ============================================================
+
+function Get-ServiceState {
+    param([string]$ServiceName)
+    # Query service state via sc.exe (works without admin if SDDL grants query rights)
+    $output = sc.exe query $ServiceName 2>&1
+    if ($output -match 'RUNNING') { return 'RUNNING' }
+    if ($output -match 'STOPPED') { return 'STOPPED' }
+    if ($output -match 'PAUSED') { return 'PAUSED' }
+    if ($output -match 'PENDING') { return 'PENDING' }
+    if ($output -match '1060') { return $null }  # service not installed
+    return 'UNKNOWN'
+}
+
+function Start-MinionService {
+    $state = Get-ServiceState 'minion-agent'
+    if (-not $state) {
+        Write-Host "minion-agent: not installed (run 'setup' as administrator first)" -ForegroundColor Red
         return
     }
-    $agentPid = (Get-Content $PidFile -Raw).Trim()
-    $proc = Get-Process -Id $agentPid -ErrorAction SilentlyContinue
-    if ($proc) {
-        # Graceful shutdown via HTTP API (sends offline heartbeat to HQ)
-        # This mirrors Linux's SIGTERM → shutdown() flow.
-        $token = ''
-        if (Test-Path $EnvFile) {
-            $envVars = Read-EnvFile $EnvFile
-            if ($envVars['API_TOKEN']) { $token = $envVars['API_TOKEN'] }
-        }
-        try {
-            $headers = @{}
-            if ($token) { $headers['Authorization'] = "Bearer $token" }
-            Invoke-RestMethod -Uri "$AgentUrl/api/shutdown" -Method POST -ContentType 'application/json' -Headers $headers -TimeoutSec 5 | Out-Null
-            Write-Host "Graceful shutdown requested, waiting..."
-            Start-Sleep -Seconds 4
-        } catch {
-            Write-Host "Graceful shutdown failed, force stopping..."
-        }
+    if ($state -eq 'RUNNING') {
+        Write-Host "minion-agent service is already running"
+        return
+    }
+    sc.exe start minion-agent 2>&1 | Out-Null
+    Write-Host "minion-agent service started"
+}
 
-        # Force kill remaining processes (node, websockify, cloudflared)
-        Get-CimInstance Win32_Process -Filter "ParentProcessId = $agentPid" -ErrorAction SilentlyContinue |
-            ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
-        Stop-Process -Id $agentPid -Force -ErrorAction SilentlyContinue
-        Write-Host "minion-agent stopped (PID: $agentPid)"
-    } else {
-        Write-Host "minion-agent was not running (stale PID file)"
+function Stop-MinionService {
+    $state = Get-ServiceState 'minion-agent'
+    if (-not $state) {
+        Write-Host "minion-agent: not installed" -ForegroundColor Red
+        return
+    }
+    # Graceful shutdown via HTTP API first (sends offline heartbeat to HQ)
+    $token = ''
+    if (Test-Path $EnvFile) {
+        $envVars = Read-EnvFile $EnvFile
+        if ($envVars['API_TOKEN']) { $token = $envVars['API_TOKEN'] }
     }
-    Remove-Item $PidFile -Force -ErrorAction SilentlyContinue
+    try {
+        $headers = @{}
+        if ($token) { $headers['Authorization'] = "Bearer $token" }
+        Invoke-RestMethod -Uri "$AgentUrl/api/shutdown" -Method POST -ContentType 'application/json' -Headers $headers -TimeoutSec 5 | Out-Null
+        Write-Host "Graceful shutdown requested, waiting..."
+        Start-Sleep -Seconds 4
+    } catch {
+        Write-Host "Graceful shutdown skipped (agent may not be running)"
+    }
+    sc.exe stop minion-agent 2>&1 | Out-Null
+    Write-Host "minion-agent service stopped"
 }
 
-function Restart-MinionProcess {
-    Stop-MinionProcess
+function Restart-MinionService {
+    Stop-MinionService
     Start-Sleep -Seconds 2
-    Start-MinionProcess
+    Start-MinionService
 }
 
 # ============================================================
@@ -236,7 +393,6 @@ function Restart-MinionProcess {
 
 function Invoke-Setup {
     $totalSteps = 10
-    if ($SetupTunnel) { $totalSteps = 11 }
 
     # Minionization warning
     Write-Host ""
@@ -245,27 +401,14 @@ function Invoke-Setup {
     Write-Host "=========================================" -ForegroundColor Red
     Write-Host ""
 
-    # Check if current user is in Administrators group
-    $adminGroupMembers = net localgroup Administrators 2>$null
-    if ($adminGroupMembers -match [regex]::Escape($env:USERNAME)) {
-        Write-Host "  SECURITY WARNING: User '$env:USERNAME' has Administrator privileges." -ForegroundColor Yellow
-        Write-Host "  We recommend setting up the minion under a Standard user account." -ForegroundColor Yellow
-        Write-Host "  If this machine is compromised, an Administrator account gives" -ForegroundColor Yellow
-        Write-Host "  the attacker full control over the system." -ForegroundColor Yellow
-        Write-Host ""
-        Write-Host "  To create a Standard user:" -ForegroundColor Gray
-        Write-Host "    net user minion <password> /add" -ForegroundColor Gray
-        Write-Host "  Then log in as that user and run setup again." -ForegroundColor Gray
-        Write-Host ""
-    }
-
     Write-Host "  This setup will:" -ForegroundColor Yellow
-    Write-Host "    - Install and configure software (Node.js, Claude Code)"
-    Write-Host "    - Register auto-start via Startup folder"
-    Write-Host "    - Overwrite Claude Code settings (permissions, rules, skills)"
+    Write-Host "    - Install and configure software (Node.js, Claude Code, VNC)"
+    Write-Host "    - Create dedicated 'minion' service account"
+    Write-Host "    - Register Windows Services via NSSM"
+    Write-Host "    - Configure firewall rules"
     Write-Host ""
+    Write-Host "  After setup, run 'minion-cli-win configure' to connect to HQ." -ForegroundColor Yellow
     Write-Host "  This machine should be DEDICATED to the minion agent." -ForegroundColor Yellow
-    Write-Host "  Do not use it as your daily workstation after setup." -ForegroundColor Yellow
     Write-Host ""
     $confirm = Read-Host "  Type 'yes' to continue"
     if ($confirm -ne 'yes') {
@@ -274,29 +417,54 @@ function Invoke-Setup {
     }
     Write-Host ""
 
-    # Load existing .env for redeploy scenario
-    $envValues = @{}
-    if (-not $HqUrl -and -not $MinionId -and -not $ApiToken -and (Test-Path $EnvFile)) {
-        Write-Host "Reading existing .env values (redeploy mode)..."
-        $envValues = Read-EnvFile $EnvFile
-        if (-not $HqUrl -and $envValues['HQ_URL']) { $HqUrl = $envValues['HQ_URL'] }
-        if (-not $MinionId -and $envValues['MINION_ID']) { $MinionId = $envValues['MINION_ID'] }
-        if (-not $ApiToken -and $envValues['API_TOKEN']) { $ApiToken = $envValues['API_TOKEN'] }
+    # Ask which user profile to target (handles admin account != regular user case)
+    Write-Host "=========================================" -ForegroundColor Cyan
+    Write-Host " Target User Selection" -ForegroundColor Cyan
+    Write-Host "=========================================" -ForegroundColor Cyan
+    Write-Host ""
+    $TargetUserProfile = Resolve-TargetUserProfile -Interactive
+    # Recalculate paths based on target user
+    $DataDir = Join-Path $TargetUserProfile '.minion'
+    $EnvFile = Join-Path $DataDir '.env'
+    $LogDir = Join-Path $DataDir 'logs'
+    Write-Host ""
+
+    # Save setup user's SID for SDDL grants (so non-admin can control services later)
+    $setupUserSid = ([System.Security.Principal.WindowsIdentity]::GetCurrent().User).Value
+    New-Item -Path $DataDir -ItemType Directory -Force | Out-Null
+    [System.IO.File]::WriteAllText((Join-Path $DataDir '.setup-user-sid'), $setupUserSid)
+    # Save target user profile so configure/uninstall can find it
+    [System.IO.File]::WriteAllText((Join-Path $DataDir '.target-user-profile'), $TargetUserProfile)
+
+    # Migrate from old user-process mode if detected
+    $oldStartScript = Join-Path $DataDir 'start-agent.ps1'
+    $oldPidFile = Join-Path $DataDir 'minion-agent.pid'
+    if (Test-Path $oldStartScript) {
+        Write-Host "Migrating from user-process mode..." -ForegroundColor Yellow
+        if (Test-Path $oldPidFile) {
+            $oldPid = (Get-Content $oldPidFile -Raw).Trim()
+            $proc = Get-Process -Id $oldPid -ErrorAction SilentlyContinue
+            if ($proc) {
+                Get-CimInstance Win32_Process -Filter "ParentProcessId = $oldPid" -ErrorAction SilentlyContinue |
+                    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
+                Stop-Process -Id $oldPid -Force -ErrorAction SilentlyContinue
+            }
+            Remove-Item $oldPidFile -Force -ErrorAction SilentlyContinue
+        }
+        Remove-Item $oldStartScript -Force
+        $oldShortcut = Join-Path ([Environment]::GetFolderPath('Startup')) 'MinionAgent.lnk'
+        Remove-Item $oldShortcut -Force -ErrorAction SilentlyContinue
+        Write-Detail "Migrated from user-process mode (old artifacts removed)"
+        Write-Host ""
     }
 
     Write-Host "=========================================" -ForegroundColor Cyan
     Write-Host " @geekbeer/minion Windows Setup" -ForegroundColor Cyan
     Write-Host "=========================================" -ForegroundColor Cyan
-    Write-Host "Platform: Windows (no admin required)"
-    Write-Host "User: $env:USERNAME ($env:USERPROFILE)"
+    Write-Host "Platform: Windows (Administrator mode)"
+    Write-Host "User: $env:USERNAME (target: $TargetUserProfile)"
     Write-Host "Data: $DataDir"
-    if ($HqUrl) {
-        Write-Host "Mode: Connected to HQ ($HqUrl)"
-    }
-    else {
-        Write-Host "Mode: Standalone (no HQ connection)"
-    }
-    if ($SetupTunnel) { Write-Host "Tunnel: Enabled" }
+    Write-Host "Service Manager: NSSM"
     Write-Host ""
 
     # Step 1: Check/Install Node.js
@@ -403,25 +571,99 @@ function Invoke-Setup {
     Write-Host "  Please run 'claude' in a terminal to complete the authentication process." -ForegroundColor Yellow
     Write-Host ""
 
-    # Step 4: Create config directory and .env
-    Write-Step 4 $totalSteps "Creating config directory and .env..."
+    # Step 4: Create dedicated 'minion' service account
+    Write-Step 4 $totalSteps "Creating dedicated service account..."
+    $MinionSvcUser = 'minion'
+    $MinionSvcUserFull = ".\$MinionSvcUser"
+    $minionUserExists = [bool](Get-LocalUser -Name $MinionSvcUser -ErrorAction SilentlyContinue)
+    if ($minionUserExists) {
+        Write-Detail "Service account '$MinionSvcUser' already exists"
+    } else {
+        # Generate a random password (service account — not used interactively)
+        $svcPassword = [System.Web.Security.Membership]::GeneratePassword(24, 4)
+        $securePassword = ConvertTo-SecureString $svcPassword -AsPlainText -Force
+        New-LocalUser -Name $MinionSvcUser -Password $securePassword -Description 'Minion Agent Service Account' -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
+        # Deny interactive/remote logon (service-only account)
+        & net localgroup "Users" $MinionSvcUser /delete 2>$null
+        Write-Detail "Service account '$MinionSvcUser' created (non-interactive)"
+    }
+    # Store password for NSSM ObjectName configuration
+    if (-not $minionUserExists) {
+        # Save password to a protected file for NSSM service registration
+        $svcPasswordFile = Join-Path $DataDir '.svc-password'
+        New-Item -Path (Split-Path $svcPasswordFile) -ItemType Directory -Force | Out-Null
+        [System.IO.File]::WriteAllText($svcPasswordFile, $svcPassword)
+        # Restrict file access to current user only
+        $acl = Get-Acl $svcPasswordFile
+        $acl.SetAccessRuleProtection($true, $false)
+        $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')
+        $acl.AddAccessRule($adminRule)
+        Set-Acl $svcPasswordFile $acl
+        Write-Detail "Service account credentials stored"
+    } else {
+        $svcPasswordFile = Join-Path $DataDir '.svc-password'
+        if (Test-Path $svcPasswordFile) {
+            $svcPassword = [System.IO.File]::ReadAllText($svcPasswordFile).Trim()
+        } else {
+            # Re-generate password for existing account (reset)
+            $svcPassword = [System.Web.Security.Membership]::GeneratePassword(24, 4)
+            $securePassword = ConvertTo-SecureString $svcPassword -AsPlainText -Force
+            Set-LocalUser -Name $MinionSvcUser -Password $securePassword
+            New-Item -Path (Split-Path $svcPasswordFile) -ItemType Directory -Force | Out-Null
+            [System.IO.File]::WriteAllText($svcPasswordFile, $svcPassword)
+            $acl = Get-Acl $svcPasswordFile
+            $acl.SetAccessRuleProtection($true, $false)
+            $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+                [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')
+            $acl.AddAccessRule($adminRule)
+            Set-Acl $svcPasswordFile $acl
+            Write-Detail "Service account password reset and stored"
+        }
+    }
+    # Grant 'Log on as a service' right to the minion user
+    $tempCfg = Join-Path $env:TEMP 'minion-secedit.cfg'
+    $tempDb = Join-Path $env:TEMP 'minion-secedit.sdb'
+    & secedit /export /cfg $tempCfg /areas USER_RIGHTS 2>$null
+    $cfgContent = Get-Content $tempCfg -Raw
+    if ($cfgContent -match 'SeServiceLogonRight\s*=\s*(.*)') {
+        $existing = $Matches[1]
+        if ($existing -notmatch $MinionSvcUser) {
+            $cfgContent = $cfgContent -replace "(SeServiceLogonRight\s*=\s*)(.*)", "`$1`$2,$MinionSvcUser"
+            [System.IO.File]::WriteAllText($tempCfg, $cfgContent)
+            & secedit /configure /db $tempDb /cfg $tempCfg /areas USER_RIGHTS 2>$null
+            Write-Detail "Granted 'Log on as a service' right to '$MinionSvcUser'"
+        }
+    }
+    Remove-Item $tempCfg, $tempDb -Force -ErrorAction SilentlyContinue
+
+    # Step 5: Create config directory and default .env
+    Write-Step 5 $totalSteps "Creating config directory..."
     New-Item -Path $DataDir -ItemType Directory -Force | Out-Null
     New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
-    $envValues = @{
-        'AGENT_PORT'         = '8080'
-        'MINION_USER'        = $env:USERNAME
-        'REFLECTION_TIME'    = '03:00'
-    }
-    if ($HqUrl) { $envValues['HQ_URL'] = $HqUrl }
-    if ($ApiToken) { $envValues['API_TOKEN'] = $ApiToken }
-    if ($MinionId) { $envValues['MINION_ID'] = $MinionId }
-    Write-EnvFile $EnvFile $envValues
-    Write-Detail "$EnvFile generated"
+    if (-not (Test-Path $EnvFile)) {
+        $envValues = @{
+            'AGENT_PORT'         = '8080'
+            'MINION_USER'        = (Split-Path $TargetUserProfile -Leaf)
+            'REFLECTION_TIME'    = '03:00'
+        }
+        Write-EnvFile $EnvFile $envValues
+        Write-Detail "$EnvFile created (run 'configure' to set HQ credentials)"
+    } else {
+        Write-Detail "$EnvFile already exists, preserving"
+    }
+
+    # Grant minion service account read/write access to data directory
+    $minionAcl = Get-Acl $DataDir
+    $minionRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+        $MinionSvcUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
+    $minionAcl.AddAccessRule($minionRule)
+    Set-Acl $DataDir $minionAcl
+    Write-Detail "Granted '$MinionSvcUser' access to $DataDir"
 
-    # Step 5: Install node-pty (required for Windows terminal management)
-    Write-Step 5 $totalSteps "Installing terminal support (node-pty)..."
-    $npmRoot = & npm root -g 2>$null
-    $minionPkgDir = Join-Path $npmRoot '@geekbeer\minion'
+    # Step 6: Install node-pty (required for Windows terminal management)
+    Write-Step 6 $totalSteps "Installing terminal support (node-pty)..."
+    $minionPkgDir = $CliDir
     if (Test-Path $minionPkgDir) {
         Push-Location $minionPkgDir
         $ptyInstalled = $false
@@ -457,227 +699,96 @@ function Invoke-Setup {
         Write-Host "  Please run: npm install -g @geekbeer/minion"
     }
 
-    # Step 6: Generate start-agent.ps1 and register auto-start
-    Write-Step 6 $totalSteps "Registering auto-start..."
+    # Step 7: Verify NSSM
+    Write-Step 7 $totalSteps "Verifying NSSM..."
+    Assert-NssmAvailable
+    $nssmVersion = Invoke-Nssm version
+    Write-Detail "NSSM available: $NssmPath ($nssmVersion)"
+
+    # Step 8: Register Windows Services via NSSM
+    Write-Step 8 $totalSteps "Registering Windows Services..."
+
     $serverJs = Join-Path $minionPkgDir 'win\server.js'
-    if (-not (Test-Path $serverJs)) {
-        $serverJs = Join-Path $minionPkgDir 'win' 'server.js'
-    }
     if (-not (Test-Path $serverJs)) {
         Write-Error "server.js not found at $serverJs"
         Write-Host "  Please run: npm install -g @geekbeer/minion"
         exit 1
     }
+    $nodePath = (Get-Command node).Source
 
-    # Generate start-agent.ps1 (watchdog script)
-    $startAgentContent = @"
-# Auto-generated by minion-cli-win setup
-# Starts minion agent with watchdog (auto-restart on crash)
-
-`$DataDir = '$DataDir'
-`$EnvFile = Join-Path `$DataDir '.env'
-`$PidFile = Join-Path `$DataDir 'minion-agent.pid'
-`$LogDir = Join-Path `$DataDir 'logs'
-`$ServerJs = '$serverJs'
-
-# Load .env
-if (Test-Path `$EnvFile) {
-    Get-Content `$EnvFile | ForEach-Object {
-        `$line = `$_.Trim()
-        if (`$line -and -not `$line.StartsWith('#') -and `$line.Contains('=')) {
-            `$idx = `$line.IndexOf('=')
-            `$key = `$line.Substring(0, `$idx).Trim()
-            `$value = `$line.Substring(`$idx + 1).Trim()
-            [Environment]::SetEnvironmentVariable(`$key, `$value, 'Process')
-        }
-    }
-}
-
-New-Item -Path `$LogDir -ItemType Directory -Force | Out-Null
-
-# Startup log for debugging VNC/websockify/cloudflared launch
-`$StartupLog = Join-Path `$LogDir 'startup.log'
-function Write-StartupLog {
-    param([string]`$Message)
-    `$ts = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
-    Add-Content -Path `$StartupLog -Value "[`$ts] `$Message"
-}
-Write-StartupLog "=== start-agent.ps1 starting (PID: `$PID) ==="
-Write-StartupLog "DataDir: `$DataDir"
-Write-StartupLog "ServerJs: `$ServerJs"
-
-# Write PID of this watchdog process
-Set-Content -Path `$PidFile -Value `$PID
-
-# Helper: find websockify executable
-function Get-WebsockifyCommand {
-    if (Get-Command websockify -ErrorAction SilentlyContinue) {
-        `$found = (Get-Command websockify).Source
-        Write-StartupLog "websockify found on PATH: `$found"
-        return @(`$found)
-    }
-    Write-StartupLog "websockify not on PATH, checking Python..."
-    if (Get-Command python -ErrorAction SilentlyContinue) {
-        `$pyPath = (Get-Command python).Source
-        Write-StartupLog "Python found: `$pyPath"
-        `$scriptsDir = & python -c "import sysconfig; print(sysconfig.get_path('scripts'))" 2>`$null
-        Write-StartupLog "Python Scripts dir: `$scriptsDir"
-        if (`$scriptsDir) {
-            `$wsExe = Join-Path `$scriptsDir 'websockify.exe'
-            Write-StartupLog "Checking `$wsExe : exists=$(Test-Path `$wsExe)"
-            if (Test-Path `$wsExe) { return @(`$wsExe) }
-        }
-        `$check = & python -c "import websockify" 2>&1
-        Write-StartupLog "python -c 'import websockify' exit code: `$LASTEXITCODE"
-        if (`$LASTEXITCODE -eq 0) { return @('python', '-m', 'websockify') }
-    } else {
-        Write-StartupLog "Python not found"
-    }
-    Write-StartupLog "websockify not found by any method"
-    return `$null
-}
-
-# Start TightVNC + websockify if available
-`$vncExe = `$null
-if (Test-Path 'C:\Program Files\TightVNC\tvnserver.exe') {
-    `$vncExe = 'C:\Program Files\TightVNC\tvnserver.exe'
-} elseif (Test-Path (Join-Path `$DataDir 'tightvnc\PFiles\TightVNC\tvnserver.exe')) {
-    `$vncExe = Join-Path `$DataDir 'tightvnc\PFiles\TightVNC\tvnserver.exe'
-}
-Write-StartupLog "VNC exe: `$vncExe"
-if (`$vncExe) {
-    # Start VNC server in application mode (no admin, no service registration)
-    `$vncProc = Get-Process -Name tvnserver -ErrorAction SilentlyContinue
-    if (-not `$vncProc) {
-        Write-StartupLog "Starting TightVNC server..."
-        Start-Process -FilePath `$vncExe -ArgumentList '-run' -WindowStyle Hidden
-        # Wait for VNC server to bind port 5900 before starting websockify
-        Start-Sleep -Seconds 3
-    } else {
-        Write-StartupLog "TightVNC already running (PID: `$(`$vncProc.Id))"
-    }
-    # Reload registry config (ensures no-auth settings are applied)
-    & `$vncExe -controlapp -reload 2>`$null
-    [array]`$wsCmd = Get-WebsockifyCommand
-    Write-StartupLog "websockify command result (count=`$(`$wsCmd.Count)): `$(`$wsCmd -join ' ')"
-    if (`$wsCmd) {
-        `$wsProc = Get-Process -Name websockify -ErrorAction SilentlyContinue
-        if (-not `$wsProc) {
-            Write-StartupLog "Starting websockify (count=`$(`$wsCmd.Count))..."
-            if (`$wsCmd.Count -eq 1) {
-                Start-Process -FilePath `$wsCmd[0] -ArgumentList '6080', 'localhost:5900' -WindowStyle Hidden
-                Write-StartupLog "websockify started: `$(`$wsCmd[0]) 6080 localhost:5900"
-            } else {
-                # python -m websockify 6080 localhost:5900
-                `$wsArgs = (`$wsCmd[1..(`$wsCmd.Count-1)] + @('6080', 'localhost:5900')) -join ' '
-                Start-Process -FilePath `$wsCmd[0] -ArgumentList `$wsArgs -WindowStyle Hidden
-                Write-StartupLog "websockify started: `$(`$wsCmd[0]) `$wsArgs"
-            }
-        } else {
-            Write-StartupLog "websockify already running (PID: `$(`$wsProc.Id))"
-        }
-    } else {
-        Write-StartupLog "ERROR: websockify command not found, skipping"
-    }
-} else {
-    Write-StartupLog "VNC server not found, skipping VNC+websockify setup"
-}
-
-# Start cloudflared tunnel if configured
-`$cfConfig = Join-Path `$env:USERPROFILE '.cloudflared\config.yml'
-if (Test-Path `$cfConfig) {
-    `$cfExe = `$null
-    if (Get-Command cloudflared -ErrorAction SilentlyContinue) {
-        `$cfExe = (Get-Command cloudflared).Source
-    } elseif (Test-Path (Join-Path `$DataDir 'cloudflared.exe')) {
-        `$cfExe = Join-Path `$DataDir 'cloudflared.exe'
-    }
-    if (`$cfExe) {
-        Start-Process -FilePath `$cfExe -ArgumentList 'tunnel', 'run' -WindowStyle Hidden
-        Write-StartupLog "cloudflared started: `$cfExe"
-    }
-}
-
-Write-StartupLog "=== Startup sequence complete, entering watchdog loop ==="
-
-# Watchdog loop: restart node if it crashes
-`$nodePath = (Get-Command node).Source
-while (`$true) {
-    `$stdoutLog = Join-Path `$LogDir 'service-stdout.log'
-    `$stderrLog = Join-Path `$LogDir 'service-stderr.log'
-    `$proc = Start-Process -FilePath `$nodePath -ArgumentList `$ServerJs ``
-        -WorkingDirectory `$DataDir ``
-        -RedirectStandardOutput `$stdoutLog ``
-        -RedirectStandardError `$stderrLog ``
-        -WindowStyle Hidden -PassThru
-    `$proc.WaitForExit()
-    if (`$proc.ExitCode -eq 0) { break }
-    Start-Sleep -Seconds 5
-}
-
-# Cleanup PID file on normal exit
-Remove-Item `$PidFile -Force -ErrorAction SilentlyContinue
-"@
-    Set-Content -Path $StartAgentScript -Value $startAgentContent -Encoding UTF8
-    Write-Detail "Generated $StartAgentScript"
-
-    # Create shortcut in Startup folder
-    $startupDir = [Environment]::GetFolderPath('Startup')
-    $shortcutPath = Join-Path $startupDir 'MinionAgent.lnk'
-    $wsShell = New-Object -ComObject WScript.Shell
-    $shortcut = $wsShell.CreateShortcut($shortcutPath)
-    $shortcut.TargetPath = 'powershell.exe'
-    $shortcut.Arguments = "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$StartAgentScript`""
-    $shortcut.WorkingDirectory = $DataDir
-    $shortcut.WindowStyle = 7  # Minimized
-    $shortcut.Description = 'Minion Agent auto-start'
-    $shortcut.Save()
-    Write-Detail "Startup shortcut created: $shortcutPath"
-
-    # Step 7: Disable screensaver, lock screen, and sleep
-    Write-Step 7 $totalSteps "Disabling screensaver, lock screen, and sleep..."
-    # Screensaver off
-    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive -Value '0'
-    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveTimeOut -Value '0'
-    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name SCRNSAVE.EXE -Value ''
-    Write-Detail "Screensaver disabled"
-    # Lock screen off (user-level: disable lock on resume)
-    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaverIsSecure -Value '0'
-    Write-Detail "Lock on resume disabled"
-    # Power settings: never sleep, never turn off display
-    & powercfg -change -standby-timeout-ac 0 2>$null
-    & powercfg -change -standby-timeout-dc 0 2>$null
-    & powercfg -change -monitor-timeout-ac 0 2>$null
-    & powercfg -change -monitor-timeout-dc 0 2>$null
-    Write-Detail "Sleep and monitor timeout disabled"
-
-    # Step 8: Install TightVNC Server
-    Write-Step 8 $totalSteps "Setting up TightVNC Server..."
+    # Build environment string for NSSM (static vars only — .env is read by config.js at startup)
+    $envLines = @(
+        "USERPROFILE=$TargetUserProfile",
+        "HOME=$TargetUserProfile"
+    )
+    if ($env:CLAUDE_CODE_GIT_BASH_PATH) {
+        $envLines += "CLAUDE_CODE_GIT_BASH_PATH=$($env:CLAUDE_CODE_GIT_BASH_PATH)"
+    }
+
+    # Remove existing service if present (idempotent re-setup)
+    Invoke-Nssm stop minion-agent
+    Invoke-Nssm remove minion-agent confirm
+
+    # Install minion-agent service
+    Invoke-Nssm install minion-agent $nodePath $serverJs
+    Invoke-Nssm set minion-agent AppDirectory $DataDir
+    Invoke-Nssm set minion-agent AppEnvironmentExtra ($envLines -join "`n")
+    Invoke-Nssm set minion-agent AppStdout (Join-Path $LogDir 'service-stdout.log')
+    Invoke-Nssm set minion-agent AppStderr (Join-Path $LogDir 'service-stderr.log')
+    Invoke-Nssm set minion-agent AppStdoutCreationDisposition 4
+    Invoke-Nssm set minion-agent AppStderrCreationDisposition 4
+    Invoke-Nssm set minion-agent AppRotateFiles 1
+    Invoke-Nssm set minion-agent AppRotateBytes 10485760
+    Invoke-Nssm set minion-agent AppRestartDelay 5000
+    Invoke-Nssm set minion-agent Start SERVICE_AUTO_START
+    Invoke-Nssm set minion-agent DisplayName "Minion Agent"
+    Invoke-Nssm set minion-agent Description "GeekBeer Minion AI Agent Service"
+    # Run as dedicated minion service account (not LocalSystem)
+    Invoke-Nssm set minion-agent ObjectName $MinionSvcUserFull $svcPassword
+    Grant-ServiceControlToUser 'minion-agent' $setupUserSid
+    Write-Detail "minion-agent service registered (runs as '$MinionSvcUser')"
+
+    # Step 9: Install and configure TightVNC (runs as LocalSystem for desktop capture)
+    Write-Step 9 $totalSteps "Setting up TightVNC Server..."
     $vncSystemPath = 'C:\Program Files\TightVNC\tvnserver.exe'
     $vncPortableDir = Join-Path $DataDir 'tightvnc'
     $vncPortablePath = Join-Path $vncPortableDir 'PFiles\TightVNC\tvnserver.exe'
+    $vncExePath = $null
 
     if (Test-Path $vncSystemPath) {
         Write-Detail "TightVNC Server already installed (system)"
+        $vncExePath = $vncSystemPath
     }
     elseif (Test-Path $vncPortablePath) {
         Write-Detail "TightVNC Server already installed (portable)"
+        $vncExePath = $vncPortablePath
     }
     else {
-        Write-Host "  Downloading TightVNC portable..."
+        Write-Host "  Installing TightVNC via MSI..."
         try {
             $msiUrl = 'https://www.tightvnc.com/download/2.8.85/tightvnc-2.8.85-gpl-setup-64bit.msi'
             $msiPath = Join-Path $env:TEMP 'tightvnc-setup.msi'
             Invoke-WebRequest -Uri $msiUrl -OutFile $msiPath -UseBasicParsing
-            New-Item -Path $vncPortableDir -ItemType Directory -Force | Out-Null
-            # Extract MSI without admin (administrative install = extract only)
-            # Creates PFiles\TightVNC\ subdirectory structure
-            Start-Process msiexec -ArgumentList "/a `"$msiPath`" /qn TARGETDIR=`"$vncPortableDir`"" -Wait -NoNewWindow
+            # With admin, do a proper quiet install
+            Start-Process msiexec -ArgumentList "/i `"$msiPath`" /qn /norestart ADDLOCAL=Server SET_ALLOWLOOPBACK=1 SET_LOOPBACKONLY=1 SET_USEVNCAUTHENTICATION=0 SET_USECONTROLAUTHENTICATION=0 VALUE_OF_RFBPORT=5900" -Wait -NoNewWindow
             Remove-Item $msiPath -Force -ErrorAction SilentlyContinue
-            if (Test-Path $vncPortablePath) {
-                Write-Detail "TightVNC portable extracted to $vncPortableDir"
+            if (Test-Path $vncSystemPath) {
+                Write-Detail "TightVNC installed to $vncSystemPath"
+                $vncExePath = $vncSystemPath
+                # Stop the TightVNC service if the MSI auto-started it (we manage via NSSM)
+                Stop-Service TightVNC -ErrorAction SilentlyContinue
+                Set-Service TightVNC -StartupType Disabled -ErrorAction SilentlyContinue
             } else {
-                Write-Warn "TightVNC extraction failed. Check $vncPortableDir"
+                Write-Warn "TightVNC MSI install failed, trying portable extraction..."
+                # Fallback to portable extraction
+                New-Item -Path $vncPortableDir -ItemType Directory -Force | Out-Null
+                Start-Process msiexec -ArgumentList "/a `"$msiPath`" /qn TARGETDIR=`"$vncPortableDir`"" -Wait -NoNewWindow
+                if (Test-Path $vncPortablePath) {
+                    Write-Detail "TightVNC portable extracted to $vncPortableDir"
+                    $vncExePath = $vncPortablePath
+                } else {
+                    Write-Warn "TightVNC extraction also failed."
+                }
             }
         }
         catch {
@@ -686,13 +797,9 @@ Remove-Item `$PidFile -Force -ErrorAction SilentlyContinue
         }
     }
 
-    # Configure TightVNC for no-auth localhost-only mode via registry
-    # - LoopbackOnly=1: only accept connections from localhost (security)
-    # - AllowLoopback=1: enable loopback connections
-    # - UseVncAuthentication=0: no password prompt (websockify connects via localhost,
-    #   HQ WebSocket proxy provides its own Supabase session authentication)
+    # Configure TightVNC registry (localhost-only, no VNC auth)
     $vncRegPath = 'HKCU:\Software\TightVNC\Server'
-    if ((Test-Path $vncSystemPath) -or (Test-Path $vncPortablePath)) {
+    if ($vncExePath) {
         if (-not (Test-Path $vncRegPath)) {
             New-Item -Path $vncRegPath -Force | Out-Null
         }
@@ -701,27 +808,29 @@ Remove-Item `$PidFile -Force -ErrorAction SilentlyContinue
         Set-ItemProperty -Path $vncRegPath -Name 'UseVncAuthentication' -Value 0 -Type DWord
         Set-ItemProperty -Path $vncRegPath -Name 'UseControlAuthentication' -Value 0 -Type DWord
         Set-ItemProperty -Path $vncRegPath -Name 'RfbPort' -Value 5900 -Type DWord
-        # Reload config if tvnserver is already running (re-setup scenario)
-        $vncProc = Get-Process -Name tvnserver -ErrorAction SilentlyContinue
-        if ($vncProc) {
-            $vncExePath = if (Test-Path $vncSystemPath) { $vncSystemPath } else { $vncPortablePath }
-            & $vncExePath -controlapp -reload 2>$null
-            Write-Detail "TightVNC config reloaded"
-        }
-        Write-Detail "TightVNC configured: localhost-only, no VNC password (auth via HQ proxy)"
-    }
 
-    # Step 9: Setup websockify (WebSocket proxy for VNC)
-    Write-Step 9 $totalSteps "Setting up websockify..."
-    if (Get-WebsockifyCommand) {
-        Write-Detail "websockify already installed"
-    }
-    else {
-        # Ensure Python is installed (Microsoft Store stub doesn't include pip)
+        # Register VNC as NSSM service (application mode, not TightVNC's own service)
+        Invoke-Nssm stop minion-vnc
+        Invoke-Nssm remove minion-vnc confirm
+        Invoke-Nssm install minion-vnc $vncExePath '-run'
+        Invoke-Nssm set minion-vnc Start SERVICE_AUTO_START
+        Invoke-Nssm set minion-vnc DisplayName "Minion VNC Server"
+        Invoke-Nssm set minion-vnc Description "TightVNC for Minion remote desktop"
+        Invoke-Nssm set minion-vnc AppRestartDelay 3000
+        Grant-ServiceControlToUser 'minion-vnc' $setupUserSid
+        Write-Detail "minion-vnc service registered"
+    }
+
+    # Step 10: Setup websockify (runs as LocalSystem, paired with VNC)
+    Write-Step 10 $totalSteps "Setting up websockify..."
+    [array]$wsCmd = Get-WebsockifyCommand
+    if (-not $wsCmd) {
+        # Ensure Python is installed
         $pythonUsable = $false
         if (Test-CommandExists 'python') {
+            $prevPref = $ErrorActionPreference; $ErrorActionPreference = 'Continue'
             $pyVer = & python --version 2>&1
-            # Microsoft Store stub returns just "Python" with no version number
+            $ErrorActionPreference = $prevPref
             if ($pyVer -match '\d+\.\d+') { $pythonUsable = $true }
         }
         if (-not $pythonUsable) {
@@ -740,8 +849,6 @@ Remove-Item `$PidFile -Force -ErrorAction SilentlyContinue
 
         Write-Host "  Installing websockify via pip..."
         try {
-            # Use cmd /c to prevent pip's stderr (progress bars, warnings) from
-            # becoming RemoteException errors in PowerShell remoting sessions.
             if (Test-CommandExists 'pip') {
                 $pipResult = cmd /c "pip install websockify 2>&1"
                 if ($LASTEXITCODE -eq 0) { Write-Detail "websockify installed" }
@@ -760,148 +867,88 @@ Remove-Item `$PidFile -Force -ErrorAction SilentlyContinue
             else {
                 Write-Warn "pip not found. Install Python first, then: pip install websockify"
             }
-            # Refresh PATH so websockify.exe in Python Scripts dir is discoverable
             $env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('PATH', 'User')
         }
         catch {
             Write-Warn "Failed to install websockify: $_"
         }
-    }
-
-    # Step 10 (optional): Cloudflare Tunnel
-    if ($SetupTunnel) {
-        $currentStep = $totalSteps - 1
-        Write-Step $currentStep $totalSteps "Setting up Cloudflare Tunnel..."
-
-        if (-not $HqUrl -or -not $ApiToken) {
-            Write-Error "--setup-tunnel requires --hq-url and --api-token"
-            exit 1
-        }
-
-        # Install cloudflared
-        if (-not (Test-CommandExists 'cloudflared')) {
-            Write-Host "  Installing cloudflared..."
-            if (Test-CommandExists 'winget') {
-                & winget install --id Cloudflare.cloudflared --accept-package-agreements --accept-source-agreements
-                $env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('PATH', 'User')
-            }
-            elseif (Test-CommandExists 'choco') {
-                & choco install cloudflared -y
-            }
-            else {
-                Write-Host "  Downloading cloudflared..."
-                $cfUrl = 'https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe'
-                $cfPath = Join-Path $DataDir 'cloudflared.exe'
-                Invoke-WebRequest -Uri $cfUrl -OutFile $cfPath
-                Write-Detail "cloudflared downloaded to $cfPath"
-            }
-        }
-        else {
-            Write-Detail "cloudflared already installed"
-        }
-
-        # Fetch tunnel config from HQ
-        Write-Host "  Fetching tunnel configuration from HQ..."
-        try {
-            $headers = @{ 'Authorization' = "Bearer $ApiToken" }
-            $tunnelData = Invoke-RestMethod -Uri "$HqUrl/api/minion/tunnel-credentials?platform=windows" -Headers $headers
-
-            if ($tunnelData.tunnel_id) {
-                $cfConfigDir = Join-Path $env:USERPROFILE '.cloudflared'
-                New-Item -Path $cfConfigDir -ItemType Directory -Force | Out-Null
-
-                # Save credentials (BOM-free UTF-8, required by cloudflared)
-                [System.IO.File]::WriteAllText((Join-Path $cfConfigDir "$($tunnelData.tunnel_id).json"), $tunnelData.credentials_json, [System.Text.UTF8Encoding]::new($false))
-                Write-Detail "Tunnel credentials saved"
-
-                # Save config (BOM-free UTF-8)
-                [System.IO.File]::WriteAllText((Join-Path $cfConfigDir 'config.yml'), $tunnelData.config_yml, [System.Text.UTF8Encoding]::new($false))
-                Write-Detail "Tunnel config saved (will run as user process on start)"
-            }
-            else {
-                Write-Warn "Tunnel not configured for this minion"
-            }
-        }
-        catch {
-            Write-Warn "Failed to fetch tunnel credentials: $_"
-        }
-    }
 
-    # Deploy bundled skills
-    Write-Host ""
-    Write-Host "Deploying bundled assets..."
-    $claudeSkillsDir = Join-Path $env:USERPROFILE '.claude\skills'
-    $bundledSkillsDir = Join-Path $minionPkgDir 'skills'
-    if (Test-Path $bundledSkillsDir) {
-        New-Item -Path $claudeSkillsDir -ItemType Directory -Force | Out-Null
-        Get-ChildItem -Path $bundledSkillsDir -Directory | ForEach-Object {
-            Copy-Item $_.FullName -Destination (Join-Path $claudeSkillsDir $_.Name) -Recurse -Force
-            Write-Detail "Deployed skill: $($_.Name)"
-        }
+        # Re-check after install
+        [array]$wsCmd = Get-WebsockifyCommand
     }
 
-    # Deploy bundled rules
-    $claudeRulesDir = Join-Path $env:USERPROFILE '.claude\rules'
-    $bundledRulesDir = Join-Path $minionPkgDir 'rules'
-    if (Test-Path $bundledRulesDir) {
-        New-Item -Path $claudeRulesDir -ItemType Directory -Force | Out-Null
-        $coreRule = Join-Path $bundledRulesDir 'core.md'
-        if (Test-Path $coreRule) {
-            Copy-Item $coreRule -Destination (Join-Path $claudeRulesDir 'core.md') -Force
-            Write-Detail "Deployed rules: core.md"
+    if ($wsCmd -and $vncExePath) {
+        # Register websockify as NSSM service
+        Invoke-Nssm stop minion-websockify
+        Invoke-Nssm remove minion-websockify confirm
+        if ($wsCmd.Count -eq 1) {
+            Invoke-Nssm install minion-websockify $wsCmd[0] '6080 localhost:5900'
+        } else {
+            # python -m websockify 6080 localhost:5900
+            $wsArgs = ($wsCmd[1..($wsCmd.Count-1)] + @('6080', 'localhost:5900')) -join ' '
+            Invoke-Nssm install minion-websockify $wsCmd[0] $wsArgs
         }
+        Invoke-Nssm set minion-websockify DependOnService minion-vnc
+        Invoke-Nssm set minion-websockify Start SERVICE_AUTO_START
+        Invoke-Nssm set minion-websockify DisplayName "Minion Websockify"
+        Invoke-Nssm set minion-websockify Description "WebSocket proxy for VNC (6080 -> 5900)"
+        Invoke-Nssm set minion-websockify AppRestartDelay 3000
+        Grant-ServiceControlToUser 'minion-websockify' $setupUserSid
+        Write-Detail "minion-websockify service registered (depends on minion-vnc)"
+    } else {
+        Write-Warn "websockify not available, VNC WebSocket proxy will not be registered"
     }
 
-    # Start (or restart) agent so updated .env takes effect
-    Write-Step $totalSteps $totalSteps "Starting agent..."
-    Restart-MinionProcess
+    # Step 11: Disable screensaver, lock screen, and sleep
+    Write-Step 11 $totalSteps "Disabling screensaver, lock screen, and sleep..."
+    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive -Value '0'
+    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveTimeOut -Value '0'
+    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name SCRNSAVE.EXE -Value ''
+    Write-Detail "Screensaver disabled"
+    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaverIsSecure -Value '0'
+    Write-Detail "Lock on resume disabled"
+    & powercfg -change -standby-timeout-ac 0 2>$null
+    & powercfg -change -standby-timeout-dc 0 2>$null
+    & powercfg -change -monitor-timeout-ac 0 2>$null
+    & powercfg -change -monitor-timeout-dc 0 2>$null
+    Write-Detail "Sleep and monitor timeout disabled"
 
-    # Health check
-    if (Invoke-HealthCheck) {
-        Write-Detail "Health check passed"
-    }
-    else {
-        Write-Warn "Health check failed after 5 attempts"
-        Write-Host "  Check logs at: $LogDir"
+    # Configure firewall rules
+    Write-Step 10 $totalSteps "Configuring firewall rules..."
+    $fwRules = @(
+        @{ Name = 'Minion Agent'; Port = 8080 },
+        @{ Name = 'Minion Terminal'; Port = 7681 },
+        @{ Name = 'Minion VNC'; Port = 6080 }
+    )
+    foreach ($rule in $fwRules) {
+        $existing = Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue
+        if (-not $existing) {
+            New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP -LocalPort $rule.Port -Action Allow -Profile Any | Out-Null
+            Write-Detail "Firewall rule added: $($rule.Name) (TCP $($rule.Port))"
+        } else {
+            Write-Detail "Firewall rule exists: $($rule.Name)"
+        }
     }
 
-    # Firewall notice
-    Write-Host ""
-    Write-Host "NOTE: Firewall rules are NOT configured automatically (requires admin)." -ForegroundColor Yellow
-    Write-Host "  If you need LAN access without Cloudflare Tunnel, ask an administrator to run:" -ForegroundColor Yellow
-    Write-Host "    New-NetFirewallRule -DisplayName 'Minion Agent' -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow" -ForegroundColor Gray
-    Write-Host "    New-NetFirewallRule -DisplayName 'Minion Terminal' -Direction Inbound -Protocol TCP -LocalPort 7681 -Action Allow" -ForegroundColor Gray
-    Write-Host "    New-NetFirewallRule -DisplayName 'Minion VNC' -Direction Inbound -Protocol TCP -LocalPort 6080 -Action Allow" -ForegroundColor Gray
-    Write-Host "  Or use Cloudflare Tunnel (--setup-tunnel) to avoid firewall configuration." -ForegroundColor Yellow
+    # Grant minion service account access to .claude directory (skills, rules, settings)
+    $claudeDir = Join-Path $TargetUserProfile '.claude'
+    New-Item -Path $claudeDir -ItemType Directory -Force | Out-Null
+    $claudeAcl = Get-Acl $claudeDir
+    $claudeRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+        $MinionSvcUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
+    $claudeAcl.AddAccessRule($claudeRule)
+    Set-Acl $claudeDir $claudeAcl
+    Write-Detail "Granted '$MinionSvcUser' access to $claudeDir"
 
-    # Notify HQ
-    if ($HqUrl -and $ApiToken) {
-        Write-Host ""
-        Write-Host "Notifying HQ of setup completion..."
-        try {
-            $lanIp = Get-LanIPAddress
-            $headers = @{
-                'Authorization' = "Bearer $ApiToken"
-                'Content-Type'  = 'application/json'
-            }
-            $bodyHash = @{}
-            if ($lanIp) {
-                $bodyHash['ip_address'] = $lanIp
-                $bodyHash['internal_ip_address'] = $lanIp
-            } else {
-                $bodyHash['internal_ip_address'] = [System.Net.Dns]::GetHostName()
-            }
-            $body = $bodyHash | ConvertTo-Json
-            Invoke-RestMethod -Uri "$HqUrl/api/minion/setup-complete" -Method Post -Headers $headers -Body $body -ErrorAction Stop | Out-Null
-            if ($lanIp) {
-                Write-Detail "HQ notified successfully (LAN IP: $lanIp)"
-            } else {
-                Write-Detail "HQ notified successfully (LAN IP detection failed, hostname sent)"
-            }
-        }
-        catch {
-            Write-Detail "HQ notification skipped (HQ may not be reachable)"
-        }
+    # Grant minion service account access to npm global directory (for package access)
+    $npmGlobalDir = Split-Path $CliDir
+    if ($npmGlobalDir -and (Test-Path $npmGlobalDir)) {
+        $npmAcl = Get-Acl $npmGlobalDir
+        $npmRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+            $MinionSvcUser, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
+        $npmAcl.AddAccessRule($npmRule)
+        Set-Acl $npmGlobalDir $npmAcl
+        Write-Detail "Granted '$MinionSvcUser' read access to npm global"
     }
 
     Write-Host ""
@@ -909,13 +956,17 @@ Remove-Item `$PidFile -Force -ErrorAction SilentlyContinue
     Write-Host " Setup Complete!" -ForegroundColor Green
     Write-Host "=========================================" -ForegroundColor Green
     Write-Host ""
-    Write-Host "Useful commands:"
-    Write-Host "  minion-cli-win status    # Agent status"
-    Write-Host "  minion-cli-win health    # Health check"
-    Write-Host "  minion-cli-win daemons   # Daemon status"
-    Write-Host "  minion-cli-win restart   # Restart agent"
-    Write-Host "  minion-cli-win stop      # Stop agent"
-    Write-Host "  Get-Content $(Join-Path $LogDir 'service-stdout.log') -Tail 50  # View logs"
+    Write-Host "Services registered (not yet started):"
+    Write-Host "  minion-agent       - AI Agent (port 8080)"
+    Write-Host "  minion-vnc         - TightVNC Server (port 5900)"
+    Write-Host "  minion-websockify  - WebSocket proxy (port 6080)"
+    Write-Host ""
+    Write-Host "Next step: Connect to HQ (run as regular user):" -ForegroundColor Yellow
+    Write-Host "  minion-cli-win configure ``"
+    Write-Host "    --hq-url <HQ_URL> ``"
+    Write-Host "    --minion-id <MINION_ID> ``"
+    Write-Host "    --api-token <API_TOKEN>"
+    Write-Host ""
 }
 
 # ============================================================
@@ -923,12 +974,19 @@ Remove-Item `$PidFile -Force -ErrorAction SilentlyContinue
 # ============================================================
 
 function Invoke-Uninstall {
+    # Resolve target user profile from saved setup config
+    $TargetUserProfile = Resolve-TargetUserProfile
+    $DataDir = Join-Path $TargetUserProfile '.minion'
+    $EnvFile = Join-Path $DataDir '.env'
+    $LogDir = Join-Path $DataDir 'logs'
+
     Write-Host ""
     Write-Host "=========================================" -ForegroundColor Red
     Write-Host " @geekbeer/minion Uninstall" -ForegroundColor Red
     Write-Host "=========================================" -ForegroundColor Red
     Write-Host ""
-    Write-Host "This will remove the minion agent and all related configuration."
+    Write-Host "Target user: $TargetUserProfile"
+    Write-Host "This will remove the minion agent services and all related configuration."
     if ($KeepData) {
         Write-Host "  --keep-data: $EnvFile will be preserved."
     }
@@ -943,51 +1001,52 @@ function Invoke-Uninstall {
     }
     Write-Host ""
 
-    $totalSteps = 5
-
-    # Step 1: Stop agent and child processes
-    Write-Step 1 $totalSteps "Stopping agent and related processes..."
-    Stop-MinionProcess
-
-    # Stop VNC server
-    $vncProc = Get-Process -Name tvnserver -ErrorAction SilentlyContinue
-    if ($vncProc) {
-        Stop-Process -Name tvnserver -Force -ErrorAction SilentlyContinue
-        Write-Detail "TightVNC server stopped"
+    $totalSteps = 7
+
+    # Step 1: Stop and remove all NSSM services
+    Write-Step 1 $totalSteps "Stopping and removing services..."
+    if ($NssmPath -and (Test-Path $NssmPath)) {
+        foreach ($svc in @('minion-cloudflared', 'minion-websockify', 'minion-vnc', 'minion-agent')) {
+            $status = Invoke-Nssm status $svc
+            if ($status) {
+                Invoke-Nssm stop $svc
+                Invoke-Nssm remove $svc confirm
+                Write-Detail "Removed service: $svc"
+            }
+        }
     }
 
-    # Stop websockify
-    $wsProc = Get-Process -Name websockify -ErrorAction SilentlyContinue
-    if ($wsProc) {
-        Stop-Process -Name websockify -Force -ErrorAction SilentlyContinue
-        Write-Detail "websockify stopped"
-    }
+    # Also stop legacy processes
+    Stop-Process -Name tvnserver -Force -ErrorAction SilentlyContinue
+    Stop-Process -Name websockify -Force -ErrorAction SilentlyContinue
+    Stop-Process -Name cloudflared -Force -ErrorAction SilentlyContinue
+    Write-Detail "All services and processes stopped"
 
-    # Stop cloudflared
-    $cfProc = Get-Process -Name cloudflared -ErrorAction SilentlyContinue
-    if ($cfProc) {
-        Stop-Process -Name cloudflared -Force -ErrorAction SilentlyContinue
-        Write-Detail "cloudflared stopped"
+    # Step 2: Remove firewall rules
+    Write-Step 2 $totalSteps "Removing firewall rules..."
+    foreach ($ruleName in @('Minion Agent', 'Minion VNC')) {
+        $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
+        if ($existing) {
+            Remove-NetFirewallRule -DisplayName $ruleName
+            Write-Detail "Removed firewall rule: $ruleName"
+        }
     }
 
-    Write-Detail "All processes stopped"
-
-    # Step 2: Remove startup shortcut
-    Write-Step 2 $totalSteps "Removing auto-start registration..."
+    # Step 3: Remove Startup folder shortcut (legacy migration)
+    Write-Step 3 $totalSteps "Removing auto-start registration..."
     $startupDir = [Environment]::GetFolderPath('Startup')
     $shortcutPath = Join-Path $startupDir 'MinionAgent.lnk'
     if (Test-Path $shortcutPath) {
         Remove-Item $shortcutPath -Force
-        Write-Detail "Removed $shortcutPath"
+        Write-Detail "Removed legacy Startup shortcut"
     }
     else {
-        Write-Detail "Startup shortcut not found, skipping"
+        Write-Detail "No legacy Startup shortcut found"
     }
 
-    # Step 3: Remove data directory (or keep .env)
-    Write-Step 3 $totalSteps "Removing data directory..."
+    # Step 4: Remove data directory (or keep .env)
+    Write-Step 4 $totalSteps "Removing data directory..."
     if ($KeepData) {
-        # Remove everything except .env
         if (Test-Path $DataDir) {
             Get-ChildItem -Path $DataDir -Recurse -File | Where-Object { $_.FullName -ne $EnvFile } | Remove-Item -Force -ErrorAction SilentlyContinue
             Get-ChildItem -Path $DataDir -Recurse -Directory | Sort-Object { $_.FullName.Length } -Descending | ForEach-Object {
@@ -1011,14 +1070,12 @@ function Invoke-Uninstall {
         }
     }
 
-    # Step 4: Remove deployed skills and rules
-    Write-Step 4 $totalSteps "Removing deployed skills and rules..."
-    $claudeSkillsDir = Join-Path $env:USERPROFILE '.claude\skills'
-    $claudeRulesDir = Join-Path $env:USERPROFILE '.claude\rules'
+    # Step 5: Remove deployed skills and rules
+    Write-Step 5 $totalSteps "Removing deployed skills and rules..."
+    $claudeSkillsDir = Join-Path $TargetUserProfile '.claude\skills'
+    $claudeRulesDir = Join-Path $TargetUserProfile '.claude\rules'
 
-    # Remove bundled skills (only skills that ship with the package)
-    $npmRoot = & npm root -g 2>$null
-    $bundledSkillsDir = Join-Path $npmRoot '@geekbeer\minion\skills'
+    $bundledSkillsDir = Join-Path $CliDir 'skills'
     if ((Test-Path $bundledSkillsDir) -and (Test-Path $claudeSkillsDir)) {
         Get-ChildItem -Path $bundledSkillsDir -Directory | ForEach-Object {
             $targetSkill = Join-Path $claudeSkillsDir $_.Name
@@ -1032,16 +1089,31 @@ function Invoke-Uninstall {
         Write-Detail "No bundled skills to remove"
     }
 
-    # Remove deployed rules
     $coreRule = Join-Path $claudeRulesDir 'core.md'
     if (Test-Path $coreRule) {
         Remove-Item $coreRule -Force
         Write-Detail "Removed rules: core.md"
     }
 
-    # Step 5: Remove Cloudflare Tunnel configuration
-    Write-Step 5 $totalSteps "Removing Cloudflare Tunnel configuration..."
-    $cfConfigDir = Join-Path $env:USERPROFILE '.cloudflared'
+    # Step 6: Remove minion service account
+    Write-Step 6 $totalSteps "Removing service account..."
+    $MinionSvcUser = 'minion'
+    if (Get-LocalUser -Name $MinionSvcUser -ErrorAction SilentlyContinue) {
+        Remove-LocalUser -Name $MinionSvcUser
+        Write-Detail "Removed local user '$MinionSvcUser'"
+    } else {
+        Write-Detail "Service account '$MinionSvcUser' not found, skipping"
+    }
+    # Remove stored service password
+    $svcPasswordFile = Join-Path $DataDir '.svc-password'
+    if (Test-Path $svcPasswordFile) {
+        Remove-Item $svcPasswordFile -Force
+        Write-Detail "Removed service credentials file"
+    }
+
+    # Step 7: Remove Cloudflare Tunnel configuration
+    Write-Step 7 $totalSteps "Removing Cloudflare Tunnel configuration..."
+    $cfConfigDir = Join-Path $TargetUserProfile '.cloudflared'
     if (Test-Path $cfConfigDir) {
         Remove-Item $cfConfigDir -Recurse -Force
         Write-Detail "Removed $cfConfigDir"
@@ -1065,204 +1137,339 @@ function Invoke-Uninstall {
 }
 
 # ============================================================
-# Reconfigure
+# Configure (HQ connection — no admin required)
 # ============================================================
 
-function Invoke-Reconfigure {
+function Invoke-Configure {
     if (-not $HqUrl -or -not $MinionId -or -not $ApiToken) {
         Write-Error "All three parameters are required: --hq-url, --minion-id, --api-token"
         exit 1
     }
-    if (-not (Test-Path $EnvFile)) {
-        Write-Error "$EnvFile not found. Run 'setup' first."
+
+    # Resolve target user profile from saved setup config
+    $TargetUserProfile = Resolve-TargetUserProfile
+    $DataDir = Join-Path $TargetUserProfile '.minion'
+    $EnvFile = Join-Path $DataDir '.env'
+    $LogDir = Join-Path $DataDir 'logs'
+
+    if (-not (Test-Path $DataDir)) {
+        Write-Error "Data directory not found. Run 'setup' as administrator first."
         exit 1
     }
 
+    $totalSteps = 5
+    if ($SetupTunnel) { $totalSteps = 6 }
+
     Write-Host "=========================================" -ForegroundColor Cyan
-    Write-Host " @geekbeer/minion Reconfigure" -ForegroundColor Cyan
+    Write-Host " @geekbeer/minion Configure" -ForegroundColor Cyan
     Write-Host "=========================================" -ForegroundColor Cyan
     Write-Host "HQ: $HqUrl"
     Write-Host "Minion ID: $MinionId"
+    if ($SetupTunnel) { Write-Host "Tunnel: Enabled" }
     Write-Host ""
 
-    # Step 1: Update .env
-    Write-Step 1 4 "Updating .env credentials..."
-    $existing = Read-EnvFile $EnvFile
-    $existing['HQ_URL'] = $HqUrl
-    $existing['API_TOKEN'] = $ApiToken
-    $existing['MINION_ID'] = $MinionId
-    Write-EnvFile $EnvFile $existing
+    # Step 1: Write/update .env (single source of truth for config)
+    Write-Step 1 $totalSteps "Writing .env credentials..."
+    if (Test-Path $EnvFile) {
+        $envValues = Read-EnvFile $EnvFile
+    } else {
+        $envValues = @{
+            'AGENT_PORT'         = '8080'
+            'MINION_USER'        = (Split-Path $TargetUserProfile -Leaf)
+            'REFLECTION_TIME'    = '03:00'
+        }
+    }
+    $envValues['HQ_URL'] = $HqUrl
+    $envValues['API_TOKEN'] = $ApiToken
+    $envValues['MINION_ID'] = $MinionId
+    Write-EnvFile $EnvFile $envValues
     Write-Detail "$EnvFile updated"
 
-    # Step 2: Restart agent process
-    Write-Step 2 4 "Restarting minion-agent..."
-    Restart-MinionProcess
+    # Step 2: Deploy bundled skills and rules
+    Write-Step 2 $totalSteps "Deploying bundled assets..."
+    $minionPkgDir = $CliDir
+    if (Test-Path $minionPkgDir) {
+        $claudeSkillsDir = Join-Path $TargetUserProfile '.claude\skills'
+        $bundledSkillsDir = Join-Path $minionPkgDir 'skills'
+        if (Test-Path $bundledSkillsDir) {
+            New-Item -Path $claudeSkillsDir -ItemType Directory -Force | Out-Null
+            Get-ChildItem -Path $bundledSkillsDir -Directory | ForEach-Object {
+                Copy-Item $_.FullName -Destination (Join-Path $claudeSkillsDir $_.Name) -Recurse -Force
+                Write-Detail "Deployed skill: $($_.Name)"
+            }
+        }
+        $claudeRulesDir = Join-Path $TargetUserProfile '.claude\rules'
+        $bundledRulesDir = Join-Path $minionPkgDir 'rules'
+        if (Test-Path $bundledRulesDir) {
+            New-Item -Path $claudeRulesDir -ItemType Directory -Force | Out-Null
+            $coreRule = Join-Path $bundledRulesDir 'core.md'
+            if (Test-Path $coreRule) {
+                Copy-Item $coreRule -Destination (Join-Path $claudeRulesDir 'core.md') -Force
+                Write-Detail "Deployed rules: core.md"
+            }
+        }
+    }
+
+    # Step 3: Cloudflare Tunnel (optional)
+    if ($SetupTunnel) {
+        Write-Step 3 $totalSteps "Setting up Cloudflare Tunnel..."
+
+        # Install cloudflared if needed
+        if (-not (Test-CommandExists 'cloudflared')) {
+            Write-Host "  Installing cloudflared..."
+            if (Test-CommandExists 'winget') {
+                & winget install --id Cloudflare.cloudflared --accept-package-agreements --accept-source-agreements
+                $env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('PATH', 'User')
+            }
+            elseif (Test-CommandExists 'choco') {
+                & choco install cloudflared -y
+            }
+            else {
+                Write-Host "  Downloading cloudflared..."
+                $cfUrl = 'https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe'
+                $cfPath = Join-Path $DataDir 'cloudflared.exe'
+                Invoke-WebRequest -Uri $cfUrl -OutFile $cfPath
+                Write-Detail "cloudflared downloaded to $cfPath"
+            }
+        }
+        else {
+            Write-Detail "cloudflared already installed"
+        }
+
+        # Fetch tunnel config from HQ
+        Write-Host "  Fetching tunnel configuration from HQ..."
+        try {
+            $headers = @{ 'Authorization' = "Bearer $ApiToken" }
+            $tunnelData = Invoke-RestMethod -Uri "$HqUrl/api/minion/tunnel-credentials?platform=windows" -Headers $headers
+
+            if ($tunnelData.tunnel_id) {
+                $cfConfigDir = Join-Path $TargetUserProfile '.cloudflared'
+                New-Item -Path $cfConfigDir -ItemType Directory -Force | Out-Null
+                [System.IO.File]::WriteAllText((Join-Path $cfConfigDir "$($tunnelData.tunnel_id).json"), $tunnelData.credentials_json, [System.Text.UTF8Encoding]::new($false))
+                Write-Detail "Tunnel credentials saved"
+                [System.IO.File]::WriteAllText((Join-Path $cfConfigDir 'config.yml'), $tunnelData.config_yml, [System.Text.UTF8Encoding]::new($false))
+                Write-Detail "Tunnel config saved"
+
+                # Register cloudflared as NSSM service (requires admin — will be skipped if non-admin)
+                $cfExe = $null
+                if (Get-Command cloudflared -ErrorAction SilentlyContinue) {
+                    $cfExe = (Get-Command cloudflared).Source
+                } elseif (Test-Path (Join-Path $DataDir 'cloudflared.exe')) {
+                    $cfExe = Join-Path $DataDir 'cloudflared.exe'
+                }
+                if ($cfExe) {
+                    # Check if cloudflared service already registered
+                    $cfState = Get-ServiceState 'minion-cloudflared'
+                    if (-not $cfState) {
+                        Write-Warn "minion-cloudflared service not registered. Run 'setup' as admin to register tunnel service."
+                    } else {
+                        sc.exe start minion-cloudflared 2>&1 | Out-Null
+                        Write-Detail "minion-cloudflared started"
+                    }
+                }
+            }
+            else {
+                Write-Warn "Tunnel not configured for this minion"
+            }
+        }
+        catch {
+            Write-Warn "Failed to fetch tunnel credentials: $_"
+        }
+    }
+
+    # Start services (uses sc.exe — works without admin via SDDL)
+    $startStep = if ($SetupTunnel) { $totalSteps - 2 } else { $totalSteps - 2 }
+    Write-Step ($totalSteps - 1) $totalSteps "Starting services..."
+    # Start VNC/websockify if registered
+    foreach ($svc in @('minion-vnc', 'minion-websockify')) {
+        $svcState = Get-ServiceState $svc
+        if ($svcState -and $svcState -ne 'RUNNING') {
+            sc.exe start $svc 2>&1 | Out-Null
+            Write-Detail "$svc started"
+        }
+    }
+    Start-MinionService
 
-    # Step 3: Health check
-    Write-Step 3 4 "Verifying agent health..."
+    # Health check
+    Write-Step $totalSteps $totalSteps "Health check..."
     if (Invoke-HealthCheck) {
-        Write-Detail "Agent is healthy"
+        Write-Detail "Health check passed"
     }
     else {
-        Write-Warn "Agent health check failed after 5 attempts"
+        Write-Warn "Health check failed"
+        Write-Host "  Check logs at: $LogDir"
     }
 
-    # Step 4: Notify HQ
-    Write-Step 4 4 "Notifying HQ..."
+    # Notify HQ
     try {
         $lanIp = Get-LanIPAddress
-        $headers = @{
-            'Authorization' = "Bearer $ApiToken"
-            'Content-Type'  = 'application/json'
-        }
+        $headers = @{ 'Authorization' = "Bearer $ApiToken"; 'Content-Type' = 'application/json' }
         $bodyHash = @{}
-        if ($lanIp) {
-            $bodyHash['ip_address'] = $lanIp
-            $bodyHash['internal_ip_address'] = $lanIp
-        } else {
-            $bodyHash['internal_ip_address'] = [System.Net.Dns]::GetHostName()
-        }
+        if ($lanIp) { $bodyHash['ip_address'] = $lanIp; $bodyHash['internal_ip_address'] = $lanIp }
+        else { $bodyHash['internal_ip_address'] = [System.Net.Dns]::GetHostName() }
         $body = $bodyHash | ConvertTo-Json
         Invoke-RestMethod -Uri "$HqUrl/api/minion/setup-complete" -Method Post -Headers $headers -Body $body -ErrorAction Stop | Out-Null
-        if ($lanIp) {
-            Write-Detail "HQ notified successfully (LAN IP: $lanIp)"
-        } else {
-            Write-Detail "HQ notified successfully (LAN IP detection failed, hostname sent)"
-        }
+        Write-Detail "HQ notified"
     }
     catch {
-        Write-Detail "Skipped (heartbeat will notify HQ within 30s)"
+        Write-Detail "HQ notification skipped"
     }
 
     Write-Host ""
     Write-Host "=========================================" -ForegroundColor Green
-    Write-Host " Reconfigure Complete!" -ForegroundColor Green
+    Write-Host " Configure Complete!" -ForegroundColor Green
     Write-Host "=========================================" -ForegroundColor Green
-    Write-Host "The minion should appear online in HQ shortly."
+    Write-Host ""
+    Write-Host "Useful commands:"
+    Write-Host "  minion-cli-win status    # Service status"
+    Write-Host "  minion-cli-win health    # Health check"
+    Write-Host "  minion-cli-win daemons   # All daemon status"
+    Write-Host "  minion-cli-win restart   # Restart agent"
+    Write-Host "  minion-cli-win stop      # Stop agent"
+    Write-Host "  Get-Content $(Join-Path $LogDir 'service-stdout.log') -Tail 50  # View logs"
 }
 
 # ============================================================
-# Main command dispatch
+# Status / Health / Daemons / Diagnose
 # ============================================================
 
-switch ($Command) {
-    'setup' {
-        Invoke-Setup
-    }
-    'uninstall' {
-        Invoke-Uninstall
-    }
-    'reconfigure' {
-        Invoke-Reconfigure
-    }
-    'start' {
-        Start-MinionProcess
-    }
-    'stop' {
-        Stop-MinionProcess
-    }
-    'restart' {
-        Restart-MinionProcess
+function Show-Status {
+    $state = Get-ServiceState 'minion-agent'
+    if ($state) {
+        Write-Host "minion-agent: $state"
+    } else {
+        Write-Host "minion-agent: not installed"
     }
-    'status' {
-        try {
-            $response = Invoke-RestMethod -Uri "$AgentUrl/api/status" -TimeoutSec 5
-            $response | ConvertTo-Json -Depth 5
-        }
-        catch {
-            Write-Error "Failed to get status. Is the agent running?"
+}
+
+function Show-Daemons {
+    foreach ($svc in @('minion-agent', 'minion-vnc', 'minion-websockify', 'minion-cloudflared')) {
+        $state = Get-ServiceState $svc
+        if ($state) {
+            Write-Host "${svc}: $state"
+        } else {
+            Write-Host "${svc}: not installed"
         }
     }
-    'health' {
-        try {
-            $response = Invoke-RestMethod -Uri "$AgentUrl/api/health" -TimeoutSec 5
-            $response | ConvertTo-Json -Depth 5
-        }
-        catch {
-            Write-Error "Health check failed. Is the agent running?"
-        }
+}
+
+function Show-Health {
+    if (Invoke-HealthCheck -Retries 1 -DelaySeconds 0) {
+        Write-Host "Agent is healthy" -ForegroundColor Green
     }
-    'daemons' {
-        try {
-            $response = Invoke-RestMethod -Uri "$AgentUrl/api/daemons/status" -TimeoutSec 5
-            $response | ConvertTo-Json -Depth 5
-        }
-        catch {
-            Write-Error "Failed to get daemon status. Is the agent running?"
-        }
+    else {
+        Write-Host "Agent is not responding" -ForegroundColor Red
     }
-    'diagnose' {
-        Write-Host "Running diagnostics..."
-        Write-Host ""
-        try {
-            $result = Invoke-RestMethod -Uri "$AgentUrl/api/diagnose" -TimeoutSec 15
-        }
-        catch {
-            Write-Host "FAIL: Cannot reach minion agent at $AgentUrl" -ForegroundColor Red
-            Write-Host "      Is the agent running? Try: minion-cli-win start"
-            exit 1
-        }
+}
 
-        $ver = if ($result.version) { $result.version } else { '?' }
-        $plat = if ($result.platform) { $result.platform } else { '?' }
-        Write-Host "=== Minion Diagnostics (v$ver, $plat) ==="
-        Write-Host ""
+function Show-Diagnose {
+    # Resolve target user profile for accurate diagnostics
+    $TargetUserProfile = Resolve-TargetUserProfile
+    $DataDir = Join-Path $TargetUserProfile '.minion'
+    $EnvFile = Join-Path $DataDir '.env'
+    $LogDir = Join-Path $DataDir 'logs'
 
-        $checkNames = @('agent', 'hq', 'tunnel', 'vnc', 'terminal', 'llm', 'env')
-        foreach ($check in $checkNames) {
-            $c = $result.checks.$check
-            $label = $check.ToUpper().PadRight(10)
-            if ($c.ok) {
-                Write-Host "  [PASS] $label $($c.details)" -ForegroundColor Green
-            }
-            else {
-                Write-Host "  [FAIL] $label $($c.details)" -ForegroundColor Red
-            }
-        }
+    Write-Host "=========================================" -ForegroundColor Cyan
+    Write-Host " Minion Diagnostics" -ForegroundColor Cyan
+    Write-Host "=========================================" -ForegroundColor Cyan
+    Write-Host ""
 
-        Write-Host ""
-        if ($result.summary -eq 'ALL OK') {
-            Write-Host $result.summary -ForegroundColor Green
-        }
-        else {
-            Write-Host $result.summary -ForegroundColor Yellow
-        }
+    Write-Host "System:" -ForegroundColor Yellow
+    Write-Host "  OS: $([System.Environment]::OSVersion.VersionString)"
+    Write-Host "  PowerShell: $($PSVersionTable.PSVersion)"
+    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+    Write-Host "  Administrator: $isAdmin"
+    Write-Host "  Target user: $TargetUserProfile"
+    Write-Host ""
+
+    Write-Host "Service Account:" -ForegroundColor Yellow
+    $MinionSvcUser = 'minion'
+    $svcUser = Get-LocalUser -Name $MinionSvcUser -ErrorAction SilentlyContinue
+    if ($svcUser) {
+        Write-Host "  User: $MinionSvcUser (Enabled: $($svcUser.Enabled))"
+    } else {
+        Write-Host "  User: NOT FOUND (services run as LocalSystem)" -ForegroundColor Yellow
     }
-    'version' {
-        Write-Host "@geekbeer/minion v$CliVersion (Windows)"
+    Write-Host ""
+
+    Write-Host "NSSM:" -ForegroundColor Yellow
+    if ($NssmPath -and (Test-Path $NssmPath)) {
+        Write-Host "  Path: $NssmPath"
+        $nssmVer = Invoke-Nssm version
+        Write-Host "  Version: $nssmVer"
+    } else {
+        Write-Host "  NOT FOUND"
     }
+    Write-Host ""
+
+    Write-Host "Services:" -ForegroundColor Yellow
+    Show-Daemons
+    Write-Host ""
+
+    Write-Host "Software:" -ForegroundColor Yellow
+    if (Test-CommandExists 'node') { Write-Host "  Node.js: $(& node --version 2>$null)" }
+    else { Write-Host "  Node.js: NOT FOUND" }
+    if (Test-CommandExists 'claude') { Write-Host "  Claude Code: $(& claude --version 2>$null)" }
+    else { Write-Host "  Claude Code: NOT FOUND" }
+    if (Test-CommandExists 'git') { Write-Host "  Git: $(& git --version 2>$null)" }
+    else { Write-Host "  Git: NOT FOUND" }
+    Write-Host ""
+
+    Write-Host "Config:" -ForegroundColor Yellow
+    Write-Host "  Data dir: $DataDir (exists: $(Test-Path $DataDir))"
+    Write-Host "  .env: $(Test-Path $EnvFile)"
+    Write-Host "  Log dir: $LogDir (exists: $(Test-Path $LogDir))"
+    Write-Host ""
+
+    Write-Host "Health:" -ForegroundColor Yellow
+    Show-Health
+}
+
+# ============================================================
+# Main dispatch
+# ============================================================
+
+switch ($Command) {
+    'setup' { Invoke-Setup }
+    'configure' { Invoke-Configure }
+    'reconfigure' { Invoke-Configure }  # alias for backwards compatibility
+    'uninstall' { Invoke-Uninstall }
+    'start' { Start-MinionService }
+    'stop' { Stop-MinionService }
+    'restart' { Restart-MinionService }
+    'status' { Show-Status }
+    'health' { Show-Health }
+    'daemons' { Show-Daemons }
+    'diagnose' { Show-Diagnose }
+    'version' { Write-Host "minion-cli-win v$CliVersion" }
     'help' {
-        Write-Host "Minion Agent CLI (@geekbeer/minion) v$CliVersion (Windows)" -ForegroundColor Cyan
+        Write-Host "Minion Agent CLI for Windows v$CliVersion"
         Write-Host ""
-        Write-Host "Usage (no admin required):"
-        Write-Host "  minion-cli-win setup [options]          # Set up agent (auto-start on login)"
-        Write-Host "  minion-cli-win reconfigure [options]    # Re-register with new HQ credentials"
-        Write-Host "  minion-cli-win uninstall [options]      # Remove agent and configuration"
-        Write-Host "  minion-cli-win start                    # Start agent process"
-        Write-Host "  minion-cli-win stop                     # Stop agent process"
-        Write-Host "  minion-cli-win restart                  # Restart agent process"
-        Write-Host "  minion-cli-win status                   # Get current status"
-        Write-Host "  minion-cli-win health                   # Health check"
-        Write-Host "  minion-cli-win diagnose                 # Run full service diagnostics"
-        Write-Host "  minion-cli-win version                  # Show version"
+        Write-Host "Usage: minion-cli-win <command> [options]"
         Write-Host ""
-        Write-Host "Setup options:"
-        Write-Host "  --hq-url <URL>        HQ server URL (optional, omit for standalone mode)"
-        Write-Host "  --minion-id <UUID>    Minion ID (optional)"
-        Write-Host "  --api-token <TOKEN>   API token (optional)"
-        Write-Host "  --setup-tunnel        Set up cloudflared tunnel (requires --hq-url and --api-token)"
+        Write-Host "Commands (require Administrator — first-time only):"
+        Write-Host "  setup         Install software, register services, configure firewall"
+        Write-Host "  uninstall     Remove minion agent and services"
         Write-Host ""
-        Write-Host "Reconfigure options:"
-        Write-Host "  --hq-url <URL>        HQ server URL (required)"
-        Write-Host "  --minion-id <UUID>    Minion ID (required)"
-        Write-Host "  --api-token <TOKEN>   API token (required)"
+        Write-Host "Commands (no admin required):"
+        Write-Host "  configure     Connect to HQ, deploy skills, start services"
+        Write-Host "  start         Start the minion-agent service"
+        Write-Host "  stop          Stop the minion-agent service"
+        Write-Host "  restart       Restart the minion-agent service"
+        Write-Host "  status        Show agent service status"
+        Write-Host "  health        Check agent health endpoint"
+        Write-Host "  daemons       Show all daemon service status"
+        Write-Host "  diagnose      Run diagnostics"
+        Write-Host "  version       Show version"
+        Write-Host "  help          Show this help"
         Write-Host ""
-        Write-Host "Uninstall options:"
-        Write-Host "  --keep-data           Keep .env file (preserve credentials)"
-        Write-Host ""
-        Write-Host "Data directory: $DataDir"
+        Write-Host "Configure options:"
+        Write-Host "  --hq-url <URL>       HQ server URL"
+        Write-Host "  --minion-id <UUID>   Minion ID"
+        Write-Host "  --api-token <TOKEN>  API token"
+        Write-Host "  --setup-tunnel       Enable Cloudflare Tunnel"
         Write-Host ""
-        Write-Host "Environment:"
-        Write-Host "  MINION_AGENT_URL  Agent URL (default: http://localhost:8080)"
+        Write-Host "Uninstall options:"
+        Write-Host "  --keep-data          Preserve .env file"
     }
 }