@geekbeer/minion 3.10.0 → 3.11.0

package/docs/environment-setup.md

@@ -162,6 +162,86 @@ URL ベースの MCP サーバーは `url` フィールドで指定する（`com
 
 ---
 
+## WSL セッション（Windows ミニオン限定）
+
+Windows ミニオンで WSL（Windows Subsystem for Linux）内の Docker やリポジトリ操作を行うための機能。
+
+### 概要
+
+minion-agent は LocalSystem (Session 0) で動作するため、ユーザー単位の WSL ディストリビューションに直接アクセスできない。WSL セッションサーバーがユーザーセッションで別プロセスとして動作し、minion-agent がリクエストをプロキシする。
+
+### 前提条件
+
+- WSL 2 がインストール済み（`wsl --install` で導入可能）
+- Linux ディストリビューション（Ubuntu 等）がセットアップ済み
+- Docker Desktop for Windows がインストール済み（WSL 2 バックエンド有効）
+- ターゲットユーザーがログイン中（schtasks ONLOGON でサーバーが起動するため）
+
+### セットアップ
+
+`minion-cli setup` を実行すると、WSL が検出された場合に自動で登録される。手動で確認・起動する場合:
+
+```powershell
+# WSL セッションサーバーの状態確認
+schtasks /Query /TN "MinionWSL" /FO LIST
+
+# 手動起動（テスト用）
+schtasks /Run /TN "MinionWSL"
+
+# ヘルスチェック
+curl http://localhost:7682/api/wsl/health
+```
+
+### 使い方
+
+#### ターミナルセッション
+
+```bash
+# WSL ターミナルセッション作成
+curl -X POST http://localhost:8080/api/terminal/create \
+  -H "Authorization: Bearer $API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"name": "wsl-dev", "type": "wsl"}'
+
+# コマンド送信
+curl -X POST http://localhost:8080/api/terminal/send \
+  -H "Authorization: Bearer $API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"session": "wsl-dev", "input": "docker compose up -d", "enter": true}'
+
+# WSL セッションサーバーの稼働状態確認
+curl http://localhost:8080/api/terminal/wsl/status \
+  -H "Authorization: Bearer $API_TOKEN"
+```
+
+#### チャット（WSL モード）
+
+チャット API に `wsl_mode: true` を追加すると、Claude Code CLI がユーザーセッションで実行され、`wsl` コマンドを直接使用できる。
+
+```bash
+curl -X POST http://localhost:8080/api/chat \
+  -H "Authorization: Bearer $API_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"message": "WSL内でリポジトリをクローンしてDockerを起動して", "wsl_mode": true}'
+```
+
+### ポート構成
+
+| ポート | サービス | 備考 |
+|--------|---------|------|
+| 7682 | WSL session server (HTTP API) | localhost のみ |
+| 7683 | WSL session server (WebSocket) | localhost のみ、ttyd プロトコル |
+
+### トラブルシューティング
+
+| 問題 | 原因 | 対処 |
+|------|------|------|
+| WSL session server is not running | ユーザーが未ログイン | RDP/コンソールでログイン |
+| WSL not detected during setup | WSL 未インストール | `wsl --install` を実行後 `minion-cli setup` を再実行 |
+| Connection refused on port 7682 | サーバー異常終了 | `schtasks /Run /TN "MinionWSL"` で再起動 |
+
+---
+
 ## パッケージのインストール
 
 スキルが `requires.packages` で宣言したパッケージは、対応するパッケージマネージャーの list コマンドで検出される。

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekbeer/minion",
-  "version": "3.10.0",
+  "version": "3.11.0",
   "description": "AI Agent runtime for Minion - manages status and skill deployment on VPS",
   "main": "linux/server.js",
   "bin": {

package/win/bin/wsl-session-entry.js

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+/**
+ * WSL Session Server Entry Point
+ *
+ * Designed to be launched via schtasks ONLOGON so it runs in the
+ * target user's interactive session (not LocalSystem/Session 0).
+ *
+ * Reads configuration from .minion/.env, sets up environment,
+ * then starts the WSL session server.
+ */
+
+const fs = require('fs')
+const path = require('path')
+
+// ---------------------------------------------------------------------------
+// Resolve HOME_DIR from .minion/.env or environment
+// ---------------------------------------------------------------------------
+
+function loadEnvFile(envPath) {
+  if (!fs.existsSync(envPath)) return {}
+  const env = {}
+  for (const line of fs.readFileSync(envPath, 'utf-8').split('\n')) {
+    const trimmed = line.trim()
+    if (!trimmed || trimmed.startsWith('#')) continue
+    const eqIdx = trimmed.indexOf('=')
+    if (eqIdx < 0) continue
+    const key = trimmed.slice(0, eqIdx).trim()
+    let value = trimmed.slice(eqIdx + 1).trim()
+    // Strip surrounding quotes
+    if ((value.startsWith('"') && value.endsWith('"')) ||
+        (value.startsWith("'") && value.endsWith("'"))) {
+      value = value.slice(1, -1)
+    }
+    env[key] = value
+  }
+  return env
+}
+
+// Determine HOME_DIR: prefer .minion/.env, fallback to env vars
+const homeDir = process.env.HOME || process.env.USERPROFILE || ''
+const dataDir = path.join(homeDir, '.minion')
+const envFile = path.join(dataDir, '.env')
+const envVars = loadEnvFile(envFile)
+
+// Apply env vars that aren't already set
+for (const [key, value] of Object.entries(envVars)) {
+  if (!(key in process.env)) process.env[key] = value
+}
+
+// Ensure HOME/USERPROFILE are set
+if (!process.env.HOME) process.env.HOME = homeDir
+if (!process.env.USERPROFILE) process.env.USERPROFILE = homeDir
+
+// ---------------------------------------------------------------------------
+// Extend PATH (same logic as server.js)
+// ---------------------------------------------------------------------------
+
+try {
+  const { buildExtendedPath } = require('../../core/lib/platform')
+  process.env.PATH = buildExtendedPath(homeDir)
+} catch (err) {
+  console.warn('[WSL-Entry] Could not extend PATH:', err.message)
+}
+
+// Load minion secrets into process.env
+try {
+  const variableStore = require('../../core/stores/variable-store')
+  const minionEnv = variableStore.buildEnv()
+  for (const [key, value] of Object.entries(minionEnv)) {
+    if (!(key in process.env)) process.env[key] = value
+  }
+  console.log(`[WSL-Entry] Loaded ${Object.keys(minionEnv).length} minion secrets`)
+} catch (err) {
+  console.warn('[WSL-Entry] Could not load minion secrets:', err.message)
+}
+
+// ---------------------------------------------------------------------------
+// Start the server
+// ---------------------------------------------------------------------------
+
+console.log(`[WSL-Entry] HOME_DIR: ${homeDir}`)
+console.log(`[WSL-Entry] PID: ${process.pid}`)
+
+const { startServer } = require('../wsl-session-server')
+
+startServer().catch((err) => {
+  console.error('[WSL-Entry] Failed to start WSL session server:', err)
+  process.exit(1)
+})

package/win/minion-cli.ps1

@@ -800,6 +800,35 @@ function Invoke-Setup {
         Write-Detail "TightVNC registered as logon task (user session, not service)"
     }
 
+    # Step 9b: Register WSL session server (runs in user session for WSL access)
+    $wslServerJs = Join-Path $minionPkgDir 'win\bin\wsl-session-entry.js'
+    if (Test-Path $wslServerJs) {
+        # Generate shared auth token for minion-agent <-> wsl-session-server communication
+        $wslTokenFile = Join-Path $DataDir '.wsl-session-token'
+        if (-not (Test-Path $wslTokenFile)) {
+            $wslToken = [System.Guid]::NewGuid().ToString('N')
+            [System.IO.File]::WriteAllText($wslTokenFile, $wslToken)
+            Write-Detail "WSL session token generated"
+        } else {
+            Write-Detail "WSL session token already exists"
+        }
+
+        $wslAvailable = $false
+        if (Get-Command wsl.exe -ErrorAction SilentlyContinue) {
+            $wslAvailable = $true
+        }
+
+        if ($wslAvailable) {
+            Remove-ScheduledTaskSilent "MinionWSL"
+            $wslTR = "'$nodePath' '$wslServerJs'"
+            schtasks /Create /TN "MinionWSL" /TR $wslTR /SC ONLOGON /RL HIGHEST /F | Out-Null
+            Write-Detail "WSL session server registered as logon task (user session)"
+        } else {
+            Write-Warn "WSL not detected. WSL session server not registered."
+            Write-Detail "Install WSL and re-run setup to enable WSL sessions."
+        }
+    }
+
     # Step 10: Setup websockify (runs as LocalSystem, paired with VNC)
     Write-Step 9 $totalSteps "Setting up websockify..."
     [array]$wsCmd = Get-WebsockifyCommand
@@ -949,6 +978,7 @@ function Invoke-Setup {
     $fwRules = @(
         @{ Name = 'Minion Agent'; Port = 8080 },
         @{ Name = 'Minion Terminal'; Port = 7681 },
+        @{ Name = 'Minion WSL Terminal'; Port = 7683 },
         @{ Name = 'Minion VNC'; Port = 6080 }
     )
     foreach ($rule in $fwRules) {
@@ -1096,6 +1126,10 @@ function Invoke-Uninstall {
         }
     }
 
+    # Remove WSL session server logon task
+    Remove-ScheduledTaskSilent "MinionWSL"
+    Write-Detail "WSL session server logon task removed"
+
     # Remove VNC logon task and legacy NSSM service
     Remove-ScheduledTaskSilent "MinionVNC"
     Invoke-Nssm stop minion-vnc

package/win/routes/chat.js

@@ -15,6 +15,7 @@
 const { spawn } = require('child_process')
 const fs = require('fs')
 const path = require('path')
+const http = require('http')
 const { verifyToken } = require('../../core/lib/auth')
 const { config } = require('../../core/config')
 const chatStore = require('../../core/stores/chat-store')
@@ -22,6 +23,91 @@ const { DATA_DIR } = require('../../core/lib/platform')
 const { runEndOfDay } = require('../../core/lib/end-of-day')
 
 let activeChatChild = null
+let wslModeActive = false
+
+// ---------------------------------------------------------------------------
+// WSL session server proxy helpers
+// ---------------------------------------------------------------------------
+
+const WSL_PORT = parseInt(process.env.WSL_SESSION_PORT, 10) || 7682
+
+function getWslToken() {
+  try {
+    const tokenPath = path.join(config.HOME_DIR, '.minion', '.wsl-session-token')
+    return fs.readFileSync(tokenPath, 'utf-8').trim()
+  } catch { return '' }
+}
+
+/**
+ * Proxy a chat request to the WSL session server's /api/wsl/chat endpoint.
+ * Pipes the SSE stream from the WSL server back to the client.
+ */
+function proxyWslChat(res, prompt, sessionId) {
+  return new Promise((resolve, reject) => {
+    const token = getWslToken()
+    const body = JSON.stringify({ prompt, session_id: sessionId })
+    const req = http.request({
+      hostname: '127.0.0.1',
+      port: WSL_PORT,
+      path: '/api/wsl/chat',
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+        'Content-Length': Buffer.byteLength(body),
+      },
+    }, (upstream) => {
+      if (upstream.statusCode !== 200) {
+        const errorEvent = JSON.stringify({ type: 'error', error: `WSL session server returned ${upstream.statusCode}` })
+        res.write(`data: ${errorEvent}\n\n`)
+        resolve()
+        return
+      }
+      upstream.on('data', (chunk) => { res.write(chunk) })
+      upstream.on('end', () => { resolve() })
+      upstream.on('error', (err) => {
+        res.write(`data: ${JSON.stringify({ type: 'error', error: err.message })}\n\n`)
+        resolve()
+      })
+    })
+    req.on('error', (err) => {
+      const errorMsg = err.code === 'ECONNREFUSED'
+        ? 'WSL session server is not running. The target user must be logged in for WSL sessions.'
+        : `WSL proxy error: ${err.message}`
+      res.write(`data: ${JSON.stringify({ type: 'error', error: errorMsg })}\n\n`)
+      resolve()
+    })
+    req.write(body)
+    req.end()
+
+    // If client disconnects, abort upstream request
+    res.on('close', () => { req.destroy() })
+  })
+}
+
+function proxyWslChatAbort() {
+  return new Promise((resolve) => {
+    const token = getWslToken()
+    const req = http.request({
+      hostname: '127.0.0.1',
+      port: WSL_PORT,
+      path: '/api/wsl/chat/abort',
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+    }, (res) => {
+      let body = ''
+      res.on('data', (c) => { body += c })
+      res.on('end', () => {
+        try { resolve(JSON.parse(body)) } catch { resolve({ success: false }) }
+      })
+    })
+    req.on('error', () => { resolve({ success: false, error: 'WSL session server unreachable' }) })
+    req.end('{}')
+  })
+}
 
 async function chatRoutes(fastify) {
   fastify.post('/api/chat', async (request, reply) => {
@@ -30,7 +116,7 @@ async function chatRoutes(fastify) {
       return { success: false, error: 'Unauthorized' }
     }
 
-    const { message, session_id, context } = request.body || {}
+    const { message, session_id, context, wsl_mode } = request.body || {}
     if (!message || typeof message !== 'string') {
       reply.code(400)
       return { success: false, error: 'message is required' }
@@ -52,8 +138,16 @@ async function chatRoutes(fastify) {
     reply.raw.flushHeaders()
 
     try {
-      await streamLlmResponse(reply.raw, prompt, currentSessionId)
+      if (wsl_mode) {
+        wslModeActive = true
+        console.log('[Chat] WSL mode enabled — proxying to WSL session server')
+        await proxyWslChat(reply.raw, prompt, currentSessionId)
+        wslModeActive = false
+      } else {
+        await streamLlmResponse(reply.raw, prompt, currentSessionId)
+      }
     } catch (err) {
+      wslModeActive = false
       console.error('[Chat] stream error:', err.message)
       const errorEvent = JSON.stringify({ type: 'error', error: err.message })
       reply.raw.write(`data: ${errorEvent}\n\n`)
@@ -122,6 +216,13 @@ async function chatRoutes(fastify) {
       reply.code(401)
       return { success: false, error: 'Unauthorized' }
     }
+
+    // If WSL mode chat is active, proxy abort to WSL session server
+    if (wslModeActive) {
+      console.log('[Chat] Aborting WSL mode chat — proxying to WSL session server')
+      return proxyWslChatAbort()
+    }
+
     if (!activeChatChild) {
       return { success: false, error: 'No active chat process' }
     }

package/win/routes/terminal.js

@@ -8,11 +8,65 @@
  */
 
 const path = require('path')
+const fs = require('fs')
+const http = require('http')
 const { verifyToken } = require('../../core/lib/auth')
 const { config } = require('../../core/config')
 const { activeSessions } = require('../workflow-runner')
 
 const homeDir = config.HOME_DIR
+const WSL_PORT = parseInt(process.env.WSL_SESSION_PORT, 10) || 7682
+
+// ---------------------------------------------------------------------------
+// WSL session server proxy helpers
+// ---------------------------------------------------------------------------
+
+function getWslToken() {
+  try {
+    const tokenPath = path.join(config.HOME_DIR, '.minion', '.wsl-session-token')
+    return fs.readFileSync(tokenPath, 'utf-8').trim()
+  } catch { return '' }
+}
+
+/**
+ * Proxy an HTTP request to the WSL session server.
+ * Returns parsed JSON response or null on failure.
+ */
+function proxyToWsl(method, urlPath, body) {
+  return new Promise((resolve) => {
+    const token = getWslToken()
+    const bodyStr = body ? JSON.stringify(body) : ''
+    const headers = {
+      'Authorization': `Bearer ${token}`,
+    }
+    if (body) {
+      headers['Content-Type'] = 'application/json'
+      headers['Content-Length'] = Buffer.byteLength(bodyStr)
+    }
+
+    const req = http.request({
+      hostname: '127.0.0.1',
+      port: WSL_PORT,
+      path: urlPath,
+      method,
+      headers,
+    }, (res) => {
+      let data = ''
+      res.on('data', (c) => { data += c })
+      res.on('end', () => {
+        try { resolve(JSON.parse(data)) } catch { resolve(null) }
+      })
+    })
+    req.on('error', () => { resolve(null) })
+    if (body) req.write(bodyStr)
+    req.end()
+  })
+}
+
+/** Check if a session name belongs to WSL (wsl- prefix). */
+function isWslSession(name) {
+  return name && name.startsWith('wsl-')
+}
 
 /**
  * Load node-pty dynamically.
@@ -100,7 +154,7 @@ function createPtySession(sessionName, command) {
  * @param {import('fastify').FastifyInstance} fastify
  */
 async function terminalRoutes(fastify) {
-  // List sessions
+  // List sessions (merges local CMD sessions + WSL sessions from wsl-session-server)
   fastify.get('/api/terminal/sessions', async (request, reply) => {
     if (!verifyToken(request)) {
       reply.code(401)
@@ -111,6 +165,7 @@ async function terminalRoutes(fastify) {
     for (const [name, session] of activeSessions) {
       sessions.push({
         name,
+        type: 'cmd',
         attached: false,
         completed: session.completed,
         exit_code: session.exitCode,
@@ -118,6 +173,14 @@ async function terminalRoutes(fastify) {
       })
     }
 
+    // Merge WSL sessions (best-effort, skip on failure)
+    const wslResult = await proxyToWsl('GET', '/api/wsl/sessions')
+    if (wslResult && wslResult.success && wslResult.sessions) {
+      for (const s of wslResult.sessions) {
+        sessions.push({ ...s, type: 'wsl' })
+      }
+    }
+
     console.log(`[Terminal] Found ${sessions.length} session(s): ${sessions.map(s => s.name).join(', ') || '(none)'}`)
     return { success: true, sessions }
   })
@@ -139,7 +202,15 @@ async function terminalRoutes(fastify) {
       return { success: false, error: 'Invalid session name' }
     }
 
+    // Proxy to WSL server if session is a WSL session not found locally
     const session = activeSessions.get(sessionName)
+    if (!session && isWslSession(sessionName)) {
+      const result = await proxyToWsl('GET', `/api/wsl/capture?session=${encodeURIComponent(sessionName)}&lines=${lines}`)
+      if (!result) { reply.code(503); return { success: false, error: 'WSL session server unreachable' } }
+      reply.code(result.success ? 200 : 404)
+      return result
+    }
+
     if (!session) {
       reply.code(404)
       return { success: false, error: `Session '${sessionName}' not found` }
@@ -179,7 +250,15 @@ async function terminalRoutes(fastify) {
       return { success: false, error: 'input or special key is required' }
     }
 
+    // Proxy to WSL server if session is a WSL session not found locally
     const session = activeSessions.get(sessionName)
+    if (!session && isWslSession(sessionName)) {
+      const result = await proxyToWsl('POST', '/api/wsl/send', { session: sessionName, input, enter, special })
+      if (!result) { reply.code(503); return { success: false, error: 'WSL session server unreachable' } }
+      reply.code(result.success ? 200 : 400)
+      return result
+    }
+
     if (!session || !session.pty) {
       reply.code(404)
       return { success: false, error: `Session '${sessionName}' not found` }
@@ -224,14 +303,29 @@ async function terminalRoutes(fastify) {
     }
   })
 
-  // Create a new session
+  // Create a new session (supports type: 'wsl' for WSL sessions)
   fastify.post('/api/terminal/create', async (request, reply) => {
     if (!verifyToken(request)) {
       reply.code(401)
       return { success: false, error: 'Unauthorized' }
     }
 
-    const { name, command } = request.body || {}
+    const { name, command, type } = request.body || {}
+
+    // WSL session: proxy to wsl-session-server
+    if (type === 'wsl') {
+      const sessionName = name || `wsl-session-${Date.now()}`
+      const wslName = sessionName.startsWith('wsl-') ? sessionName : `wsl-${sessionName}`
+      console.log(`[Terminal] Creating WSL session '${wslName}' — proxying to WSL server`)
+      const result = await proxyToWsl('POST', '/api/wsl/create', { name: wslName, command })
+      if (!result) {
+        reply.code(503)
+        return { success: false, error: 'WSL session server is not running. The target user must be logged in for WSL sessions.' }
+      }
+      reply.code(result.success ? 200 : 500)
+      return result
+    }
+
     const sessionName = name || `session-${Date.now()}`
 
     if (!/^[\w-]+$/.test(sessionName)) {
@@ -272,7 +366,15 @@ async function terminalRoutes(fastify) {
       return { success: false, error: 'Invalid session name' }
     }
 
+    // Proxy to WSL server if session is a WSL session not found locally
     const session = activeSessions.get(sessionName)
+    if (!session && isWslSession(sessionName)) {
+      const result = await proxyToWsl('POST', '/api/wsl/kill', { session: sessionName })
+      if (!result) { reply.code(503); return { success: false, error: 'WSL session server unreachable' } }
+      reply.code(result.success ? 200 : 404)
+      return result
+    }
+
     if (!session) {
       reply.code(404)
       return { success: false, error: `Session '${sessionName}' not found` }
@@ -315,6 +417,22 @@ async function terminalRoutes(fastify) {
       active_sessions: sessions,
     }
   })
+
+  // WSL session server status
+  fastify.get('/api/terminal/wsl/status', async (request, reply) => {
+    if (!verifyToken(request)) {
+      reply.code(401)
+      return { success: false, error: 'Unauthorized' }
+    }
+
+    const health = await proxyToWsl('GET', '/api/wsl/health')
+    return {
+      success: true,
+      available: !!getWslToken(), // token exists = WSL was configured during setup
+      running: !!(health && health.success),
+      server_pid: health?.pid || null,
+    }
+  })
 }
 
 function cleanupSessions() {

package/win/server.js

@@ -284,6 +284,28 @@ async function start() {
       console.error('[Server] Terminal WebSocket connections will not work')
     }
 
+    // Check WSL session server availability (best-effort)
+    try {
+      const http = require('http')
+      const wslPort = parseInt(process.env.WSL_SESSION_PORT, 10) || 7682
+      const wslCheck = await new Promise((resolve) => {
+        const req = http.get(`http://127.0.0.1:${wslPort}/api/wsl/health`, { timeout: 2000 }, (res) => {
+          let body = ''
+          res.on('data', (c) => { body += c })
+          res.on('end', () => { try { resolve(JSON.parse(body)) } catch { resolve(null) } })
+        })
+        req.on('error', () => resolve(null))
+        req.on('timeout', () => { req.destroy(); resolve(null) })
+      })
+      if (wslCheck && wslCheck.success) {
+        console.log(`[Server] WSL session server is running (PID: ${wslCheck.pid}, port: ${wslPort})`)
+      } else {
+        console.log('[Server] WSL session server is not running (user may not be logged in)')
+      }
+    } catch {
+      console.log('[Server] WSL session server check skipped')
+    }
+
     // Load cached workflows
     try {
       const cachedWorkflows = await workflowStore.load()

package/win/terminal-server.js

@@ -12,16 +12,24 @@
  * Listens on port 7681, URL: /ws/{sessionName}
  */
 
+const fs = require('fs')
 const http = require('http')
 const path = require('path')
 const { config } = require('../core/config')
 const { activeSessions } = require('./workflow-runner')
 
 const PROXY_PORT = 7681
+const WSL_WS_PORT = (parseInt(process.env.WSL_SESSION_PORT, 10) || 7682) + 1 // 7683
 
 let wss = null
 let httpServer = null
 
+function getWslToken() {
+  try {
+    return fs.readFileSync(path.join(config.HOME_DIR, '.minion', '.wsl-session-token'), 'utf-8').trim()
+  } catch { return '' }
+}
+
 // ttyd message types (ASCII character codes, matching ttyd wire protocol)
 const MSG_INPUT = 0x30   // '0'
 const MSG_RESIZE = 0x31  // '1'
@@ -151,6 +159,12 @@ function startTerminalServer() {
         return
       }
 
+      // WSL sessions: proxy to wsl-session-server's WebSocket
+      if (sessionName.startsWith('wsl-')) {
+        proxyToWslWebSocket(ws, sessionName, WebSocket)
+        return
+      }
+
       let session
       try {
         session = ensureSession(sessionName)
@@ -225,6 +239,54 @@ function startTerminalServer() {
   })
 }
 
+/**
+ * Proxy a WebSocket connection to the WSL session server.
+ * Bidirectional pipe: HQ client <-> minion-agent:7681 <-> wsl-session-server:7683
+ */
+function proxyToWslWebSocket(clientWs, sessionName, WebSocket) {
+  const token = getWslToken()
+  const upstreamUrl = `ws://127.0.0.1:${WSL_WS_PORT}/ws/${sessionName}?token=${encodeURIComponent(token)}`
+
+  console.log(`[TerminalServer] Proxying WSL session '${sessionName}' to ${upstreamUrl}`)
+
+  const upstream = new WebSocket(upstreamUrl)
+
+  upstream.on('open', () => {
+    console.log(`[TerminalServer] WSL proxy connected for '${sessionName}'`)
+  })
+
+  // Forward data from WSL server to HQ client
+  upstream.on('message', (data) => {
+    try { if (clientWs.readyState === 1) clientWs.send(data) } catch {}
+  })
+
+  // Forward data from HQ client to WSL server
+  clientWs.on('message', (data) => {
+    try { if (upstream.readyState === 1) upstream.send(data) } catch {}
+  })
+
+  // Close handling
+  upstream.on('close', () => {
+    console.log(`[TerminalServer] WSL proxy upstream closed for '${sessionName}'`)
+    try { clientWs.close() } catch {}
+  })
+
+  clientWs.on('close', () => {
+    console.log(`[TerminalServer] WSL proxy client disconnected for '${sessionName}'`)
+    try { upstream.close() } catch {}
+  })
+
+  upstream.on('error', (err) => {
+    console.error(`[TerminalServer] WSL proxy error for '${sessionName}': ${err.message}`)
+    try { clientWs.close(1011, 'WSL session server unreachable') } catch {}
+  })
+
+  clientWs.on('error', (err) => {
+    console.error(`[TerminalServer] WSL proxy client error for '${sessionName}': ${err.message}`)
+    try { upstream.close() } catch {}
+  })
+}
+
 /**
  * Stop the WebSocket terminal server.
  */

package/win/wsl-session-server.js

@@ -0,0 +1,503 @@
+/**
+ * WSL Session Server
+ *
+ * Standalone Fastify + WebSocket server that runs in the target user's
+ * interactive session (via schtasks ONLOGON). Because it runs under
+ * the real user account (not LocalSystem), WSL commands work natively.
+ *
+ * minion-agent (LocalSystem, Session 0) proxies requests here for:
+ *   - WSL terminal sessions (node-pty with wsl.exe)
+ *   - WSL-mode chat (Claude Code CLI spawned in user context)
+ *
+ * Port: 7682 (configurable via WSL_SESSION_PORT)
+ * Auth: shared Bearer token from .minion/.wsl-session-token
+ * Protocol: ttyd binary (WebSocket), SSE (chat), JSON (HTTP API)
+ */
+
+const fs = require('fs')
+const path = require('path')
+const http = require('http')
+const { spawn } = require('child_process')
+
+// ---------------------------------------------------------------------------
+// Configuration
+// ---------------------------------------------------------------------------
+
+const WSL_PORT = parseInt(process.env.WSL_SESSION_PORT, 10) || 7682
+const HOME_DIR = process.env.HOME || process.env.USERPROFILE || ''
+const DATA_DIR = path.join(HOME_DIR, '.minion')
+const TOKEN_FILE = path.join(DATA_DIR, '.wsl-session-token')
+const PID_FILE = path.join(DATA_DIR, '.wsl-session.pid')
+
+let AUTH_TOKEN = ''
+try {
+  AUTH_TOKEN = fs.readFileSync(TOKEN_FILE, 'utf-8').trim()
+} catch {
+  console.error('[WSL] WARNING: Could not read auth token from', TOKEN_FILE)
+}
+
+// ---------------------------------------------------------------------------
+// Auth helper
+// ---------------------------------------------------------------------------
+
+function verifyToken(request) {
+  if (!AUTH_TOKEN) return true // no token = open (development)
+  const header = request.headers.authorization || ''
+  const token = header.startsWith('Bearer ') ? header.slice(7) : ''
+  return token === AUTH_TOKEN
+}
+
+// ---------------------------------------------------------------------------
+// node-pty loader
+// ---------------------------------------------------------------------------
+
+function loadNodePty() {
+  try { return require('node-pty-prebuilt-multiarch') } catch {}
+  try { return require('node-pty') } catch {}
+  return null
+}
+
+// ---------------------------------------------------------------------------
+// Terminal sessions
+// ---------------------------------------------------------------------------
+
+const activeSessions = new Map()
+
+// ttyd message types (ASCII character codes)
+const MSG_INPUT = 0x30   // '0'
+const MSG_RESIZE = 0x31  // '1'
+const MSG_OUTPUT = 0x30  // '0'
+const MSG_SET_TITLE = 0x31 // '1'
+
+function createWslSession(sessionName, command) {
+  const pty = loadNodePty()
+  if (!pty) throw new Error('node-pty is not installed')
+
+  const shell = 'wsl.exe'
+  const shellArgs = command ? ['-e', 'bash', '-c', command] : []
+
+  const ptyProcess = pty.spawn(shell, shellArgs, {
+    name: 'xterm-256color',
+    cols: 120,
+    rows: 30,
+    cwd: HOME_DIR,
+    env: process.env,
+  })
+
+  const session = {
+    pty: ptyProcess,
+    buffer: '',
+    completed: false,
+    exitCode: null,
+    startedAt: new Date().toISOString(),
+    wsClients: new Set(),
+  }
+
+  ptyProcess.onData((data) => {
+    session.buffer += data
+    if (session.buffer.length > 1024 * 1024) {
+      session.buffer = session.buffer.slice(-512 * 1024)
+    }
+    const outBuf = Buffer.alloc(1 + Buffer.byteLength(data))
+    outBuf[0] = MSG_OUTPUT
+    outBuf.write(data, 1)
+    for (const ws of session.wsClients) {
+      try { if (ws.readyState === 1) ws.send(outBuf) } catch {}
+    }
+  })
+
+  ptyProcess.onExit(({ exitCode }) => {
+    session.completed = true
+    session.exitCode = exitCode
+    for (const ws of session.wsClients) {
+      try { ws.close() } catch {}
+    }
+  })
+
+  activeSessions.set(sessionName, session)
+  console.log(`[WSL] Created session '${sessionName}' (PID: ${ptyProcess.pid})`)
+  return session
+}
+
+const specialKeyMap = {
+  'Enter': '\r', 'Escape': '\x1b', 'Tab': '\t',
+  'C-c': '\x03', 'C-d': '\x04', 'C-z': '\x1a',
+  'Up': '\x1b[A', 'Down': '\x1b[B', 'Left': '\x1b[D', 'Right': '\x1b[C',
+}
+
+// ---------------------------------------------------------------------------
+// Chat (Claude Code CLI spawn in user context)
+// ---------------------------------------------------------------------------
+
+let activeChatChild = null
+
+function getLlmBinary() {
+  const cmd = process.env.LLM_COMMAND
+  if (!cmd) return null
+  return cmd.split(/\s+/)[0]
+}
+
+/**
+ * Stream LLM CLI output as SSE events.
+ * Same logic as win/routes/chat.js streamLlmResponse(), but runs in user session.
+ */
+function streamLlmResponse(res, prompt, sessionId) {
+  return new Promise((resolve, reject) => {
+    const binaryName = getLlmBinary()
+    if (!binaryName) {
+      reject(new Error('LLM_COMMAND is not configured'))
+      return
+    }
+    const binaryPath = path.join(HOME_DIR, '.local', 'bin', binaryName)
+    const binary = fs.existsSync(binaryPath) ? binaryPath : binaryName
+
+    const args = ['-p', '--verbose', '--model', 'sonnet', '--output-format', 'stream-json']
+    if (sessionId) args.push('--resume', sessionId)
+
+    console.log(`[WSL-Chat] spawning: ${binary} ${sessionId ? `--resume ${sessionId}` : '(new)'}`)
+
+    const child = spawn(binary, args, {
+      cwd: HOME_DIR,
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 600000,
+      shell: true,
+    })
+
+    activeChatChild = child
+    child.stdin.write(prompt)
+    child.stdin.end()
+
+    console.log(`[WSL-Chat] child PID: ${child.pid}`)
+
+    let lineBuffer = ''
+    let currentBlockType = null
+    let currentToolName = null
+    let toolInputBuffer = ''
+
+    child.stdout.on('data', (data) => {
+      lineBuffer += data.toString()
+      const parts = lineBuffer.split('\n')
+      lineBuffer = parts.pop() || ''
+
+      for (const line of parts) {
+        if (!line.trim()) continue
+        // Forward raw JSON lines as SSE — minion-agent handles parsing
+        res.write(`data: ${line}\n\n`)
+      }
+    })
+
+    child.stderr.on('data', (data) => {
+      console.error(`[WSL-Chat] stderr: ${data.toString()}`)
+    })
+
+    child.on('close', (code) => {
+      activeChatChild = null
+      // Flush remaining buffer
+      if (lineBuffer.trim()) {
+        res.write(`data: ${lineBuffer}\n\n`)
+      }
+      res.write(`data: ${JSON.stringify({ type: 'wsl_chat_done', exit_code: code })}\n\n`)
+      resolve()
+    })
+
+    child.on('error', (err) => {
+      activeChatChild = null
+      res.write(`data: ${JSON.stringify({ type: 'error', error: `Failed to start CLI: ${err.message}` })}\n\n`)
+      reject(err)
+    })
+
+    res.on('close', () => {
+      if (child && !child.killed) child.kill('SIGTERM')
+    })
+  })
+}
+
+// ---------------------------------------------------------------------------
+// Fastify HTTP server
+// ---------------------------------------------------------------------------
+
+async function startServer() {
+  const fastify = require('fastify')({ logger: true })
+
+  // --- Health (no auth) ---
+  fastify.get('/api/wsl/health', async () => {
+    return { success: true, service: 'wsl-session-server', pid: process.pid }
+  })
+
+  // --- Terminal: list sessions ---
+  fastify.get('/api/wsl/sessions', async (request, reply) => {
+    if (!verifyToken(request)) { reply.code(401); return { success: false, error: 'Unauthorized' } }
+    const sessions = []
+    for (const [name, session] of activeSessions) {
+      sessions.push({
+        name,
+        type: 'wsl',
+        completed: session.completed,
+        exit_code: session.exitCode,
+        started_at: session.startedAt,
+      })
+    }
+    return { success: true, sessions }
+  })
+
+  // --- Terminal: create session ---
+  fastify.post('/api/wsl/create', async (request, reply) => {
+    if (!verifyToken(request)) { reply.code(401); return { success: false, error: 'Unauthorized' } }
+    const { name, command } = request.body || {}
+    const sessionName = name || `wsl-session-${Date.now()}`
+
+    if (!/^[\w-]+$/.test(sessionName)) {
+      reply.code(400); return { success: false, error: 'Invalid session name' }
+    }
+    if (activeSessions.has(sessionName)) {
+      reply.code(409); return { success: false, error: `Session '${sessionName}' already exists` }
+    }
+
+    try {
+      createWslSession(sessionName, command)
+      return { success: true, session: sessionName, message: `WSL session '${sessionName}' created` }
+    } catch (err) {
+      reply.code(500); return { success: false, error: err.message }
+    }
+  })
+
+  // --- Terminal: send input ---
+  fastify.post('/api/wsl/send', async (request, reply) => {
+    if (!verifyToken(request)) { reply.code(401); return { success: false, error: 'Unauthorized' } }
+    const { session: sessionName, input, enter = false, special } = request.body || {}
+    if (!sessionName) { reply.code(400); return { success: false, error: 'session is required' } }
+    if (!input && !special) { reply.code(400); return { success: false, error: 'input or special key is required' } }
+
+    const session = activeSessions.get(sessionName)
+    if (!session || !session.pty) { reply.code(404); return { success: false, error: `Session '${sessionName}' not found` } }
+    if (session.completed) { reply.code(400); return { success: false, error: `Session '${sessionName}' has already exited` } }
+
+    try {
+      if (special) {
+        const key = specialKeyMap[special]
+        if (!key) { reply.code(400); return { success: false, error: `Invalid special key. Allowed: ${Object.keys(specialKeyMap).join(', ')}` } }
+        session.pty.write(key)
+      } else {
+        session.pty.write(input)
+        if (enter) session.pty.write('\r')
+      }
+      return { success: true, session: sessionName }
+    } catch (err) {
+      reply.code(500); return { success: false, error: err.message }
+    }
+  })
+
+  // --- Terminal: kill session ---
+  fastify.post('/api/wsl/kill', async (request, reply) => {
+    if (!verifyToken(request)) { reply.code(401); return { success: false, error: 'Unauthorized' } }
+    const { session: sessionName } = request.body || {}
+    if (!sessionName) { reply.code(400); return { success: false, error: 'session is required' } }
+
+    const session = activeSessions.get(sessionName)
+    if (!session) { reply.code(404); return { success: false, error: `Session '${sessionName}' not found` } }
+
+    try {
+      if (session.pty && !session.completed) session.pty.kill()
+      activeSessions.delete(sessionName)
+      return { success: true, session: sessionName, message: `Session '${sessionName}' terminated` }
+    } catch (err) {
+      reply.code(500); return { success: false, error: err.message }
+    }
+  })
+
+  // --- Terminal: capture buffer ---
+  fastify.get('/api/wsl/capture', async (request, reply) => {
+    if (!verifyToken(request)) { reply.code(401); return { success: false, error: 'Unauthorized' } }
+    const { session: sessionName, lines = '100' } = request.query || {}
+    if (!sessionName) { reply.code(400); return { success: false, error: 'session parameter is required' } }
+
+    const session = activeSessions.get(sessionName)
+    if (!session) { reply.code(404); return { success: false, error: `Session '${sessionName}' not found` } }
+
+    const lineCount = Math.min(Math.max(parseInt(lines) || 100, 1), 1000)
+    const allLines = session.buffer.split('\n')
+    const content = allLines.slice(-lineCount).join('\n')
+
+    return { success: true, session: sessionName, content, lines: lineCount, timestamp: Date.now() }
+  })
+
+  // --- Chat: SSE stream ---
+  fastify.post('/api/wsl/chat', async (request, reply) => {
+    if (!verifyToken(request)) { reply.code(401); return { success: false, error: 'Unauthorized' } }
+    const { prompt, session_id } = request.body || {}
+    if (!prompt) { reply.code(400); return { success: false, error: 'prompt is required' } }
+
+    reply.hijack()
+    reply.raw.writeHead(200, {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection': 'keep-alive',
+    })
+    reply.raw.flushHeaders()
+
+    try {
+      await streamLlmResponse(reply.raw, prompt, session_id)
+    } catch (err) {
+      console.error('[WSL-Chat] stream error:', err.message)
+      reply.raw.write(`data: ${JSON.stringify({ type: 'error', error: err.message })}\n\n`)
+    }
+    reply.raw.end()
+  })
+
+  // --- Chat: abort ---
+  fastify.post('/api/wsl/chat/abort', async (request, reply) => {
+    if (!verifyToken(request)) { reply.code(401); return { success: false, error: 'Unauthorized' } }
+    if (!activeChatChild) {
+      return { success: false, error: 'No active WSL chat process' }
+    }
+    console.log(`[WSL-Chat] Aborting PID: ${activeChatChild.pid}`)
+    activeChatChild.kill('SIGTERM')
+    const pid = activeChatChild.pid
+    setTimeout(() => {
+      try {
+        if (activeChatChild && activeChatChild.pid === pid) activeChatChild.kill('SIGKILL')
+      } catch {}
+    }, 2000)
+    return { success: true }
+  })
+
+  // --- Start HTTP + WebSocket ---
+  await fastify.listen({ port: WSL_PORT, host: '127.0.0.1' })
+  console.log(`[WSL] HTTP server listening on 127.0.0.1:${WSL_PORT}`)
+
+  // WebSocket server on a separate HTTP server (same port pattern as terminal-server.js)
+  startWebSocketServer()
+
+  // Write PID file
+  try {
+    fs.writeFileSync(PID_FILE, String(process.pid))
+  } catch {}
+
+  return fastify
+}
+
+// ---------------------------------------------------------------------------
+// WebSocket terminal server (ttyd protocol)
+// ---------------------------------------------------------------------------
+
+function startWebSocketServer() {
+  let WebSocket
+  try { WebSocket = require('ws') } catch {
+    console.error('[WSL] ws module not installed, WebSocket terminal disabled')
+    return
+  }
+
+  // Use a secondary HTTP server for WebSocket on WSL_PORT + 1 (7683)
+  // to avoid conflicts with the Fastify server on WSL_PORT.
+  // Alternatively, minion-agent's terminal-server.js proxies to us on WSL_PORT WS.
+  // For simplicity, we attach WS to the same port via a raw HTTP server.
+  const wsPort = WSL_PORT + 1
+  const httpServer = http.createServer((req, res) => {
+    res.writeHead(426, { 'Content-Type': 'text/plain' })
+    res.end('WebSocket connections only')
+  })
+
+  const wss = new WebSocket.Server({ server: httpServer })
+
+  wss.on('connection', (ws, req) => {
+    // Verify token from query string
+    const url = new URL(req.url, `http://localhost:${wsPort}`)
+    const token = url.searchParams.get('token') || ''
+    if (AUTH_TOKEN && token !== AUTH_TOKEN) {
+      ws.close(1008, 'Unauthorized')
+      return
+    }
+
+    const sessionMatch = req.url?.match(/\/ws\/([^/?]+)/)
+    const sessionName = sessionMatch ? sessionMatch[1] : null
+
+    if (!sessionName || !/^[\w-]+$/.test(sessionName)) {
+      ws.close(1008, 'Invalid session name')
+      return
+    }
+
+    let session = activeSessions.get(sessionName)
+    if (!session || session.completed) {
+      // Auto-create WSL session
+      try {
+        session = createWslSession(sessionName)
+      } catch (err) {
+        ws.close(1011, err.message)
+        return
+      }
+    }
+
+    session.wsClients.add(ws)
+
+    // Send title
+    const titleMsg = Buffer.from([MSG_SET_TITLE, ...Buffer.from(JSON.stringify({ title: sessionName }))])
+    ws.send(titleMsg)
+
+    // Replay buffer
+    if (session.buffer.length > 0) {
+      const outBuf = Buffer.alloc(1 + Buffer.byteLength(session.buffer))
+      outBuf[0] = MSG_OUTPUT
+      outBuf.write(session.buffer, 1)
+      try { ws.send(outBuf) } catch {}
+    }
+
+    ws.on('message', (data) => {
+      if (!session.pty || session.completed) return
+      const buf = Buffer.isBuffer(data) ? data : Buffer.from(data)
+      if (buf.length < 1) return
+      const type = buf[0]
+      const payload = buf.slice(1)
+
+      if (type === MSG_INPUT) {
+        session.pty.write(payload.toString())
+      } else if (type === MSG_RESIZE) {
+        try {
+          const { columns, rows } = JSON.parse(payload.toString())
+          if (columns && rows) session.pty.resize(columns, rows)
+        } catch {}
+      }
+    })
+
+    ws.on('close', () => { session.wsClients.delete(ws) })
+    ws.on('error', () => { session.wsClients.delete(ws) })
+  })
+
+  httpServer.listen(wsPort, '127.0.0.1', () => {
+    console.log(`[WSL] WebSocket terminal server listening on 127.0.0.1:${wsPort}`)
+  })
+}
+
+// ---------------------------------------------------------------------------
+// Graceful shutdown
+// ---------------------------------------------------------------------------
+
+function shutdown(signal) {
+  console.log(`[WSL] Received ${signal}, shutting down...`)
+  for (const [name, session] of activeSessions) {
+    try {
+      if (session.pty && !session.completed) session.pty.kill()
+    } catch {}
+  }
+  activeSessions.clear()
+  if (activeChatChild) {
+    try { activeChatChild.kill('SIGTERM') } catch {}
+  }
+  try { fs.unlinkSync(PID_FILE) } catch {}
+  process.exit(0)
+}
+
+process.on('SIGTERM', () => shutdown('SIGTERM'))
+process.on('SIGINT', () => shutdown('SIGINT'))
+
+// ---------------------------------------------------------------------------
+// Entry
+// ---------------------------------------------------------------------------
+
+if (require.main === module) {
+  startServer().catch((err) => {
+    console.error('[WSL] Failed to start:', err)
+    process.exit(1)
+  })
+}
+
+module.exports = { startServer }