@geekbeer/minion 3.4.7 → 3.5.6

package/core/api.js

@@ -87,8 +87,8 @@ async function sendHeartbeat(data) {
 }
 
 /**
- * Create a project thread (help or discussion) on HQ.
- * @param {object} data - { project_id, title, content, thread_type?, mentions?, context? }
+ * Create a thread (project-scoped or workspace-scoped) on HQ.
+ * @param {object} data - { project_id?, scope?, category?, title, content, thread_type?, mentions?, context? }
  * @returns {Promise<{ thread: object }>}
  */
 async function createThread(data) {
@@ -99,11 +99,12 @@ async function createThread(data) {
 }
 
 /**
- * Get open threads in this minion's projects.
+ * Get open threads accessible to this minion.
+ * @param {'project' | 'workspace' | 'all'} [scope='all'] - Filter by scope
  * @returns {Promise<{ threads: object[] }>}
  */
-async function getOpenThreads() {
-  return request('/threads/open')
+async function getOpenThreads(scope = 'all') {
+  return request(`/threads/open?scope=${scope}`)
 }
 
 /**

package/core/lib/thread-watcher.js

@@ -130,9 +130,15 @@ async function pollOnce() {
  * Process a single thread: check for new activity and evaluate if needed.
  */
 async function processThread(thread, myProjects, now) {
-  // Find my role in this project
-  const myProject = myProjects.find(p => p.id === thread.project_id)
-  if (!myProject) return // Not a member
+  // For workspace threads, create a synthetic project context
+  // For project threads, find role via membership
+  let myProject
+  if (thread.scope === 'workspace') {
+    myProject = { id: null, name: 'Workspace', role: 'engineer' }
+  } else {
+    myProject = myProjects.find(p => p.id === thread.project_id)
+    if (!myProject) return // Not a member
+  }
 
   const state = readState.get(thread.id) || { lastMessageCount: 0, lastEvalAt: 0 }
 
@@ -212,7 +218,12 @@ async function evaluateWithLlm(threadSummary, threadDetail, allMessages, newMess
     ctx.attempted_resolution ? `試行済み: ${ctx.attempted_resolution}` : '',
   ].filter(Boolean).join('\n')
 
-  const prompt = `あなたはプロジェクト「${myProject.name}」のチームメンバー（ロール: ${myProject.role}、ID: ${config.MINION_ID}）です。
+  const isWorkspace = threadDetail.scope === 'workspace'
+  const scopeContext = isWorkspace
+    ? `あなたはワークスペースのメンバー（ID: ${config.MINION_ID}）です。\nこれはプロジェクトに属さないワークスペーススレッドです（カテゴリ: ${threadDetail.category || 'general'}）。`
+    : `あなたはプロジェクト「${myProject.name}」のチームメンバー（ロール: ${myProject.role}、ID: ${config.MINION_ID}）です。`
+
+  const prompt = `${scopeContext}
 以下のスレッドに対して、あなたが返信すべきかどうかを判断し、返信する場合はその内容を生成してください。
 
 スレッドタイプ: ${threadType}
@@ -235,7 +246,7 @@ ${messageHistory || '(メッセージなし)'}
 判断基準:
 - 自分が起票したスレッドの場合、他のメンバーの回答を待つべき（追加情報がある場合を除く）
 - メンション対象が特定のロールやミニオンに限定されている場合、自分が対象でなければ静観する
-- 自分のロール（${myProject.role}）に関連する話題か
+${isWorkspace ? '- ワークスペーススレッドではすべてのミニオンが参加可能。自分が貢献できる場合は積極的に参加する' : `- 自分のロール（${myProject.role}）に関連する話題か`}
 - 自分が貢献できる知見や意見があるか
 - 既に十分な回答がある場合は重複を避ける
 - 人間に聞くべき場合は @user メンションを含めて返信する`
@@ -281,6 +292,9 @@ ${messageHistory || '(メッセージなし)'}
  */
 async function fallbackMemoryMatch(thread) {
   try {
+    // Workspace threads have no project_id — skip memory matching
+    if (!thread.project_id) return
+
     const ctx = thread.context || {}
     const category = ctx.category || ''
     const searchParam = category ? `&category=${category}` : ''

package/docs/api-reference.md

@@ -274,26 +274,30 @@ GET `/api/daemons/status` response:
 |--------|------|
 | `step_poller` | ワークフローステップの取得・実行（30秒間隔） |
 | `revision_watcher` | リビジョン要求の検知（30秒間隔、PMのみ） |
-| `thread_watcher` | プロジェクトスレッドの監視・LLM評価（15秒間隔） |
+| `thread_watcher` | プロジェクト・ワークスペーススレッドの監視・LLM評価（15秒間隔） |
 | `reflection_scheduler` | 1日1回の振り返り（cron） |
 | `heartbeat` | HQへのハートビート（30秒間隔） |
 
-### Project Threads (プロジェクトスレッド)
+### Threads (スレッド)
 
-プロジェクト内のコミュニケーションチャネル。ブロッカー共有やチーム議論に使う。
+プロジェクト内またはワークスペースレベルのコミュニケーションチャネル。ブロッカー共有やチーム議論に使う。
 リクエストは HQ にプロキシされる。
 
+**2つのスコープ:**
+- **Project** (`scope: "project"`): プロジェクトに紐づくスレッド。`project_id` 必須。プロジェクトメンバーが参加。
+- **Workspace** (`scope: "workspace"`): プロジェクトに属さないスレッド。ルーティンのブロッカー、全体連絡等。オーナーの全ミニオンが参加。
+
 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| GET | `/api/threads` | 参加プロジェクトのオープンスレッド一覧 |
+| GET | `/api/threads` | オープンスレッド一覧（プロジェクト+ワークスペース） |
 | POST | `/api/threads` | スレッドを起票（初回メッセージを同時作成） |
 | GET | `/api/threads/:id` | スレッド詳細 + メッセージ一覧 |
 | POST | `/api/threads/:id/messages` | スレッドにメッセージを投稿 |
 | POST | `/api/threads/:id/resolve` | スレッドを解決済みにする |
 | POST | `/api/threads/:id/cancel` | スレッドをキャンセル |
-| DELETE | `/api/threads/:id` | スレッドを完全削除（PMのみ） |
+| DELETE | `/api/threads/:id` | スレッドを完全削除（project: PMのみ、workspace: オーナーの全ミニオン） |
 
-POST `/api/threads` body (ヘルプスレッド起票):
+POST `/api/threads` body (プロジェクトスレッド — ヘルプ):
 ```json
 {
   "project_id": "uuid",
@@ -308,7 +312,23 @@ POST `/api/threads` body (ヘルプスレッド起票):
 }
 ```
 
-POST `/api/threads` body (ディスカッションスレッド起票):
+POST `/api/threads` body (ワークスペーススレッド — ルーティンのブロッカー):
+```json
+{
+  "scope": "workspace",
+  "category": "general",
+  "thread_type": "help",
+  "title": "朝作業ルーティン: APIキーの期限切れ",
+  "content": "外部サービスのAPIキーが期限切れでアクセスできない。更新が必要。",
+  "mentions": ["user"],
+  "context": {
+    "category": "auth",
+    "attempted_resolution": "既存のAPIキーで再試行済み、401エラー"
+  }
+}
+```
+
+POST `/api/threads` body (プロジェクトスレッド — ディスカッション):
 ```json
 {
   "project_id": "uuid",
@@ -321,13 +341,20 @@ POST `/api/threads` body (ディスカッションスレッド起票):
 
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
-| `project_id` | string | Yes | プロジェクト UUID |
+| `scope` | string | No | `project`（デフォルト）or `workspace` |
+| `project_id` | string | scope=project時 Yes | プロジェクト UUID |
+| `category` | string | No | ワークスペーススレッドのカテゴリ: `general`（デフォルト）, `ops`, `standup` |
 | `thread_type` | string | No | `help`（デフォルト）or `discussion` |
 | `title` | string | Yes | スレッドの要約 |
 | `content` | string | Yes | スレッド本文（thread_messagesの最初のメッセージとして保存） |
 | `mentions` | string[] | No | メンション対象。形式: `role:engineer`, `role:pm`, `minion:<minion_id>`, `user` |
 | `context` | object | No | 任意のメタデータ（category, urgency, workflow_execution_id等） |
 
+**scope の使い分け:**
+- ワークフロー実行中（プロジェクトあり）→ `scope: "project"` + `project_id`
+- ルーティン実行中（プロジェクトなし）→ `scope: "workspace"`
+- プロジェクト外の一般的な質問・報告 → `scope: "workspace"` + `category`
+
 **thread_type の違い:**
 - `help`: ブロッカー解決。`resolve` で解決
 - `discussion`: チーム内ディスカッション。`close` で完了
@@ -411,10 +438,10 @@ POST `/api/project-memories` body:
 | `source_thread_id` | string | No | 知見の出典ヘルプスレッド UUID |
 
 **推奨ワークフロー:**
-1. ブロッカー発生 → `GET /api/project-memories?project_id=...&category=auth&search=2fa` で既知の知見を検索
+1. ブロッカー発生 → プロジェクトコンテキストの場合は `GET /api/project-memories?project_id=...&category=auth&search=2fa` で既知の知見を検索
 2. 該当あり → 知見に基づいて自己解決 or 即エスカレーション
-3. 該当なし → `POST /api/threads` でブロッカー起票
-4. 解決後 → `POST /api/project-memories` で知見を蓄積
+3. 該当なし → `POST /api/threads` でブロッカー起票（プロジェクトなら `scope: "project"` + `project_id`、ルーティンなら `scope: "workspace"`）
+4. 解決後 → プロジェクトスレッドの場合は `POST /api/project-memories` で知見を蓄積
 
 ### Commands
 
@@ -774,20 +801,20 @@ Response:
 
 スキルはバージョン管理される。push ごとに新バージョンが作成され、ファイルは Supabase Storage に保存される。
 
-### Project Threads (HQ)
+### Threads (HQ)
 
 | Method | Endpoint | Description |
 |--------|----------|-------------|
-| POST | `/api/minion/threads` | スレッドを起票（初回メッセージを同時作成） |
-| GET | `/api/minion/threads/open` | 参加プロジェクトの未解決スレッド一覧 |
+| POST | `/api/minion/threads` | スレッドを起票（scope, category対応。初回メッセージを同時作成） |
+| GET | `/api/minion/threads/open` | 未解決スレッド一覧（`?scope=all\|project\|workspace`） |
 | GET | `/api/minion/threads/:id` | スレッド詳細 + メッセージ一覧 |
 | POST | `/api/minion/threads/:id/messages` | スレッドにメッセージを投稿 |
 | PATCH | `/api/minion/threads/:id/resolve` | スレッドを解決済みにする。Body: `{resolution}` |
 | PATCH | `/api/minion/threads/:id/cancel` | スレッドをキャンセル。Body: `{reason?}` |
-| DELETE | `/api/minion/threads/:id` | スレッドを完全削除（PMのみ）。メッセージもCASCADE削除 |
+| DELETE | `/api/minion/threads/:id` | スレッドを完全削除（project: PMのみ、workspace: オーナーの全ミニオン）。メッセージもCASCADE削除 |
 
 ローカルエージェントの `/api/threads` は上記 HQ API へのプロキシ。
-詳細なリクエスト/レスポンス仕様はローカル API セクションの「Project Threads」を参照。
+詳細なリクエスト/レスポンス仕様はローカル API セクションの「Threads」を参照。
 
 ### Project Memories (HQ)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekbeer/minion",
-  "version": "3.4.7",
+  "version": "3.5.6",
   "description": "AI Agent runtime for Minion - manages status and skill deployment on VPS",
   "main": "linux/server.js",
   "bin": {

package/rules/core.md

@@ -174,12 +174,15 @@ Routine 実行中は以下もtmuxセッション環境で利用可能:
 ### 対処フロー
 
 ```
-1. プロジェクトメモリーを検索（過去に同じ問題が解決済みか確認）
+1. プロジェクトコンテキストの場合:
+   プロジェクトメモリーを検索（過去に同じ問題が解決済みか確認）
    GET /api/project-memories?project_id=...&category=...&search=キーワード
 
 2-a. 該当する知見あり → 知見に基づいて自己解決を試みる
 
 2-b. 該当なし or 自己解決不可 → ヘルプスレッドを起票
+
+   ■ ワークフロー実行中（プロジェクトあり）→ プロジェクトスレッド:
    POST /api/threads
    {
      "project_id": "...",
@@ -193,9 +196,24 @@ Routine 実行中は以下もtmuxセッション環境で利用可能:
      }
    }
 
+   ■ ルーティン実行中（プロジェクトなし）→ ワークスペーススレッド:
+   POST /api/threads
+   {
+     "scope": "workspace",
+     "category": "general",
+     "thread_type": "help",
+     "title": "問題の要約（1行）",
+     "content": "状況の詳細説明",
+     "mentions": ["user"],
+     "context": {
+       "category": "auth|environment|external-service|information|approval",
+       "attempted_resolution": "試行した内容"
+     }
+   }
+
 3. スレッドの返信を待つ（thread_watcher が自動監視）
 
-4. 解決後 → プロジェクトメモリーに知見を保存
+4. 解決後 → プロジェクトスレッドの場合はプロジェクトメモリーに知見を保存
    POST /api/project-memories
    {
      "project_id": "...",
@@ -206,6 +224,14 @@ Routine 実行中は以下もtmuxセッション環境で利用可能:
    }
 ```
 
+### スレッドスコープの使い分け
+
+| 状況 | スコープ | 説明 |
+|------|---------|------|
+| ワークフロー実行中のブロッカー | `scope: "project"` (デフォルト) | `project_id` 必須。プロジェクトメンバーが参加 |
+| ルーティン実行中のブロッカー | `scope: "workspace"` | `project_id` 不要。オーナーの全ミニオンが参加 |
+| プロジェクト外の一般的な質問・報告 | `scope: "workspace"` | カテゴリ: `general`, `ops`, `standup` |
+
 ### メンションの使い分け
 
 | 状況 | メンション |

package/win/minion-cli.ps1

@@ -35,8 +35,6 @@ while ($i -lt $args.Count) {
 
 $ErrorActionPreference = 'Stop'
 
-# Load System.Web for password generation (used in setup)
-Add-Type -AssemblyName System.Web -ErrorAction SilentlyContinue
 
 # ============================================================
 # Require Administrator for service management commands
@@ -280,7 +278,7 @@ function Invoke-HealthCheck {
 function Assert-NssmAvailable {
     if (-not $NssmPath -or -not (Test-Path $NssmPath)) {
         Write-Error "NSSM not found. Expected at: $vendorNssm"
-        Write-Host "  Reinstall the package: npm install -g @geekbeer/minion" -ForegroundColor Yellow
+        Write-Host "  Reinstall the package (admin PowerShell): npm install -g @geekbeer/minion" -ForegroundColor Yellow
         exit 1
     }
 }
@@ -392,7 +390,7 @@ function Restart-MinionService {
 # ============================================================
 
 function Invoke-Setup {
-    $totalSteps = 10
+    $totalSteps = 11
 
     # Minionization warning
     Write-Host ""
@@ -403,7 +401,6 @@ function Invoke-Setup {
 
     Write-Host "  This setup will:" -ForegroundColor Yellow
     Write-Host "    - Install and configure software (Node.js, Claude Code, VNC)"
-    Write-Host "    - Create dedicated 'minion' service account"
     Write-Host "    - Register Windows Services via NSSM"
     Write-Host "    - Configure firewall rules"
     Write-Host ""
@@ -431,6 +428,14 @@ function Invoke-Setup {
 
     # Save setup user's SID for SDDL grants (so non-admin can control services later)
     $setupUserSid = ([System.Security.Principal.WindowsIdentity]::GetCurrent().User).Value
+    # Also resolve target user's SID (may differ from setup user when run from admin account)
+    $targetUserName = Split-Path $TargetUserProfile -Leaf
+    try {
+        $targetUserSid = (New-Object System.Security.Principal.NTAccount($targetUserName)).Translate(
+            [System.Security.Principal.SecurityIdentifier]).Value
+    } catch {
+        $targetUserSid = $null
+    }
     New-Item -Path $DataDir -ItemType Directory -Force | Out-Null
     [System.IO.File]::WriteAllText((Join-Path $DataDir '.setup-user-sid'), $setupUserSid)
     # Save target user profile so configure/uninstall can find it
@@ -571,74 +576,8 @@ function Invoke-Setup {
     Write-Host "  Please run 'claude' in a terminal to complete the authentication process." -ForegroundColor Yellow
     Write-Host ""
 
-    # Step 4: Create dedicated 'minion' service account
-    Write-Step 4 $totalSteps "Creating dedicated service account..."
-    $MinionSvcUser = 'minion'
-    $MinionSvcUserFull = ".\$MinionSvcUser"
-    $minionUserExists = [bool](Get-LocalUser -Name $MinionSvcUser -ErrorAction SilentlyContinue)
-    if ($minionUserExists) {
-        Write-Detail "Service account '$MinionSvcUser' already exists"
-    } else {
-        # Generate a random password (service account — not used interactively)
-        $svcPassword = [System.Web.Security.Membership]::GeneratePassword(24, 4)
-        $securePassword = ConvertTo-SecureString $svcPassword -AsPlainText -Force
-        New-LocalUser -Name $MinionSvcUser -Password $securePassword -Description 'Minion Agent Service Account' -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
-        # Deny interactive/remote logon (service-only account)
-        & net localgroup "Users" $MinionSvcUser /delete 2>$null
-        Write-Detail "Service account '$MinionSvcUser' created (non-interactive)"
-    }
-    # Store password for NSSM ObjectName configuration
-    if (-not $minionUserExists) {
-        # Save password to a protected file for NSSM service registration
-        $svcPasswordFile = Join-Path $DataDir '.svc-password'
-        New-Item -Path (Split-Path $svcPasswordFile) -ItemType Directory -Force | Out-Null
-        [System.IO.File]::WriteAllText($svcPasswordFile, $svcPassword)
-        # Restrict file access to current user only
-        $acl = Get-Acl $svcPasswordFile
-        $acl.SetAccessRuleProtection($true, $false)
-        $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
-            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')
-        $acl.AddAccessRule($adminRule)
-        Set-Acl $svcPasswordFile $acl
-        Write-Detail "Service account credentials stored"
-    } else {
-        $svcPasswordFile = Join-Path $DataDir '.svc-password'
-        if (Test-Path $svcPasswordFile) {
-            $svcPassword = [System.IO.File]::ReadAllText($svcPasswordFile).Trim()
-        } else {
-            # Re-generate password for existing account (reset)
-            $svcPassword = [System.Web.Security.Membership]::GeneratePassword(24, 4)
-            $securePassword = ConvertTo-SecureString $svcPassword -AsPlainText -Force
-            Set-LocalUser -Name $MinionSvcUser -Password $securePassword
-            New-Item -Path (Split-Path $svcPasswordFile) -ItemType Directory -Force | Out-Null
-            [System.IO.File]::WriteAllText($svcPasswordFile, $svcPassword)
-            $acl = Get-Acl $svcPasswordFile
-            $acl.SetAccessRuleProtection($true, $false)
-            $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
-                [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')
-            $acl.AddAccessRule($adminRule)
-            Set-Acl $svcPasswordFile $acl
-            Write-Detail "Service account password reset and stored"
-        }
-    }
-    # Grant 'Log on as a service' right to the minion user
-    $tempCfg = Join-Path $env:TEMP 'minion-secedit.cfg'
-    $tempDb = Join-Path $env:TEMP 'minion-secedit.sdb'
-    & secedit /export /cfg $tempCfg /areas USER_RIGHTS 2>$null
-    $cfgContent = Get-Content $tempCfg -Raw
-    if ($cfgContent -match 'SeServiceLogonRight\s*=\s*(.*)') {
-        $existing = $Matches[1]
-        if ($existing -notmatch $MinionSvcUser) {
-            $cfgContent = $cfgContent -replace "(SeServiceLogonRight\s*=\s*)(.*)", "`$1`$2,$MinionSvcUser"
-            [System.IO.File]::WriteAllText($tempCfg, $cfgContent)
-            & secedit /configure /db $tempDb /cfg $tempCfg /areas USER_RIGHTS 2>$null
-            Write-Detail "Granted 'Log on as a service' right to '$MinionSvcUser'"
-        }
-    }
-    Remove-Item $tempCfg, $tempDb -Force -ErrorAction SilentlyContinue
-
-    # Step 5: Create config directory and default .env
-    Write-Step 5 $totalSteps "Creating config directory..."
+    # Step 4: Create config directory and default .env
+    Write-Step 4 $totalSteps "Creating config directory..."
     New-Item -Path $DataDir -ItemType Directory -Force | Out-Null
     New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
     if (-not (Test-Path $EnvFile)) {
@@ -653,16 +592,8 @@ function Invoke-Setup {
         Write-Detail "$EnvFile already exists, preserving"
     }
 
-    # Grant minion service account read/write access to data directory
-    $minionAcl = Get-Acl $DataDir
-    $minionRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
-        $MinionSvcUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
-    $minionAcl.AddAccessRule($minionRule)
-    Set-Acl $DataDir $minionAcl
-    Write-Detail "Granted '$MinionSvcUser' access to $DataDir"
-
-    # Step 6: Install node-pty (required for Windows terminal management)
-    Write-Step 6 $totalSteps "Installing terminal support (node-pty)..."
+    # Step 5: Install node-pty (required for Windows terminal management)
+    Write-Step 5 $totalSteps "Installing terminal support (node-pty)..."
     $minionPkgDir = $CliDir
     if (Test-Path $minionPkgDir) {
         Push-Location $minionPkgDir
@@ -696,22 +627,22 @@ function Invoke-Setup {
     }
     else {
         Write-Warn "Minion package not found at $minionPkgDir"
-        Write-Host "  Please run: npm install -g @geekbeer/minion"
+        Write-Host "  Please run (admin PowerShell): npm install -g @geekbeer/minion"
     }
 
     # Step 7: Verify NSSM
-    Write-Step 7 $totalSteps "Verifying NSSM..."
+    Write-Step 6 $totalSteps "Verifying NSSM..."
     Assert-NssmAvailable
     $nssmVersion = Invoke-Nssm version
     Write-Detail "NSSM available: $NssmPath ($nssmVersion)"
 
     # Step 8: Register Windows Services via NSSM
-    Write-Step 8 $totalSteps "Registering Windows Services..."
+    Write-Step 7 $totalSteps "Registering Windows Services..."
 
     $serverJs = Join-Path $minionPkgDir 'win\server.js'
     if (-not (Test-Path $serverJs)) {
         Write-Error "server.js not found at $serverJs"
-        Write-Host "  Please run: npm install -g @geekbeer/minion"
+        Write-Host "  Please run (admin PowerShell): npm install -g @geekbeer/minion"
         exit 1
     }
     $nodePath = (Get-Command node).Source
@@ -743,13 +674,15 @@ function Invoke-Setup {
     Invoke-Nssm set minion-agent Start SERVICE_AUTO_START
     Invoke-Nssm set minion-agent DisplayName "Minion Agent"
     Invoke-Nssm set minion-agent Description "GeekBeer Minion AI Agent Service"
-    # Run as dedicated minion service account (not LocalSystem)
-    Invoke-Nssm set minion-agent ObjectName $MinionSvcUserFull $svcPassword
+    # Runs as LocalSystem (NSSM default). USERPROFILE/HOME env vars point to target user's profile.
     Grant-ServiceControlToUser 'minion-agent' $setupUserSid
-    Write-Detail "minion-agent service registered (runs as '$MinionSvcUser')"
+    if ($targetUserSid -and $targetUserSid -ne $setupUserSid) {
+        Grant-ServiceControlToUser 'minion-agent' $targetUserSid
+    }
+    Write-Detail "minion-agent service registered (runs as LocalSystem)"
 
-    # Step 9: Install and configure TightVNC (runs as LocalSystem for desktop capture)
-    Write-Step 9 $totalSteps "Setting up TightVNC Server..."
+    # Step 9: Install and configure TightVNC (runs as logon task in user session for desktop capture)
+    Write-Step 8 $totalSteps "Setting up TightVNC Server..."
     $vncSystemPath = 'C:\Program Files\TightVNC\tvnserver.exe'
     $vncPortableDir = Join-Path $DataDir 'tightvnc'
     $vncPortablePath = Join-Path $vncPortableDir 'PFiles\TightVNC\tvnserver.exe'
@@ -798,31 +731,32 @@ function Invoke-Setup {
     }
 
     # Configure TightVNC registry (localhost-only, no VNC auth)
-    $vncRegPath = 'HKCU:\Software\TightVNC\Server'
+    # Write to both HKCU (for user-session -run mode) and HKLM (fallback)
     if ($vncExePath) {
-        if (-not (Test-Path $vncRegPath)) {
-            New-Item -Path $vncRegPath -Force | Out-Null
+        foreach ($vncRegPath in @('HKCU:\Software\TightVNC\Server', 'HKLM:\Software\TightVNC\Server')) {
+            if (-not (Test-Path $vncRegPath)) {
+                New-Item -Path $vncRegPath -Force | Out-Null
+            }
+            Set-ItemProperty -Path $vncRegPath -Name 'LoopbackOnly' -Value 1 -Type DWord
+            Set-ItemProperty -Path $vncRegPath -Name 'AllowLoopback' -Value 1 -Type DWord
+            Set-ItemProperty -Path $vncRegPath -Name 'UseVncAuthentication' -Value 0 -Type DWord
+            Set-ItemProperty -Path $vncRegPath -Name 'UseControlAuthentication' -Value 0 -Type DWord
+            Set-ItemProperty -Path $vncRegPath -Name 'RfbPort' -Value 5900 -Type DWord
         }
-        Set-ItemProperty -Path $vncRegPath -Name 'LoopbackOnly' -Value 1 -Type DWord
-        Set-ItemProperty -Path $vncRegPath -Name 'AllowLoopback' -Value 1 -Type DWord
-        Set-ItemProperty -Path $vncRegPath -Name 'UseVncAuthentication' -Value 0 -Type DWord
-        Set-ItemProperty -Path $vncRegPath -Name 'UseControlAuthentication' -Value 0 -Type DWord
-        Set-ItemProperty -Path $vncRegPath -Name 'RfbPort' -Value 5900 -Type DWord
+        Write-Detail "TightVNC registry configured (HKCU + HKLM)"
 
-        # Register VNC as NSSM service (application mode, not TightVNC's own service)
+        # Remove legacy NSSM service if present (VNC now runs as logon task)
         Invoke-Nssm stop minion-vnc
         Invoke-Nssm remove minion-vnc confirm
-        Invoke-Nssm install minion-vnc $vncExePath '-run'
-        Invoke-Nssm set minion-vnc Start SERVICE_AUTO_START
-        Invoke-Nssm set minion-vnc DisplayName "Minion VNC Server"
-        Invoke-Nssm set minion-vnc Description "TightVNC for Minion remote desktop"
-        Invoke-Nssm set minion-vnc AppRestartDelay 3000
-        Grant-ServiceControlToUser 'minion-vnc' $setupUserSid
-        Write-Detail "minion-vnc service registered"
+
+        # Register VNC as logon task (must run in user session for desktop capture)
+        schtasks /Delete /TN "MinionVNC" /F 2>$null
+        schtasks /Create /TN "MinionVNC" /TR "'$vncExePath' -run" /SC ONLOGON /RL HIGHEST /F | Out-Null
+        Write-Detail "TightVNC registered as logon task (user session, not service)"
     }
 
     # Step 10: Setup websockify (runs as LocalSystem, paired with VNC)
-    Write-Step 10 $totalSteps "Setting up websockify..."
+    Write-Step 9 $totalSteps "Setting up websockify..."
     [array]$wsCmd = Get-WebsockifyCommand
     if (-not $wsCmd) {
         # Ensure Python is installed
@@ -878,7 +812,7 @@ function Invoke-Setup {
     }
 
     if ($wsCmd -and $vncExePath) {
-        # Register websockify as NSSM service
+        # Register websockify as NSSM service (no dependency on minion-vnc — VNC runs as logon task)
         Invoke-Nssm stop minion-websockify
         Invoke-Nssm remove minion-websockify confirm
         if ($wsCmd.Count -eq 1) {
@@ -888,19 +822,21 @@ function Invoke-Setup {
             $wsArgs = ($wsCmd[1..($wsCmd.Count-1)] + @('6080', 'localhost:5900')) -join ' '
             Invoke-Nssm install minion-websockify $wsCmd[0] $wsArgs
         }
-        Invoke-Nssm set minion-websockify DependOnService minion-vnc
         Invoke-Nssm set minion-websockify Start SERVICE_AUTO_START
         Invoke-Nssm set minion-websockify DisplayName "Minion Websockify"
         Invoke-Nssm set minion-websockify Description "WebSocket proxy for VNC (6080 -> 5900)"
         Invoke-Nssm set minion-websockify AppRestartDelay 3000
         Grant-ServiceControlToUser 'minion-websockify' $setupUserSid
-        Write-Detail "minion-websockify service registered (depends on minion-vnc)"
+        if ($targetUserSid -and $targetUserSid -ne $setupUserSid) {
+            Grant-ServiceControlToUser 'minion-websockify' $targetUserSid
+        }
+        Write-Detail "minion-websockify service registered"
     } else {
         Write-Warn "websockify not available, VNC WebSocket proxy will not be registered"
     }
 
     # Step 11: Disable screensaver, lock screen, and sleep
-    Write-Step 11 $totalSteps "Disabling screensaver, lock screen, and sleep..."
+    Write-Step 10 $totalSteps "Disabling screensaver, lock screen, and sleep..."
     Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive -Value '0'
     Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveTimeOut -Value '0'
     Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name SCRNSAVE.EXE -Value ''
@@ -914,7 +850,7 @@ function Invoke-Setup {
     Write-Detail "Sleep and monitor timeout disabled"
 
     # Configure firewall rules
-    Write-Step 10 $totalSteps "Configuring firewall rules..."
+    Write-Step 11 $totalSteps "Configuring firewall rules..."
     $fwRules = @(
         @{ Name = 'Minion Agent'; Port = 8080 },
         @{ Name = 'Minion Terminal'; Port = 7681 },
@@ -930,25 +866,73 @@ function Invoke-Setup {
         }
     }
 
-    # Grant minion service account access to .claude directory (skills, rules, settings)
-    $claudeDir = Join-Path $TargetUserProfile '.claude'
-    New-Item -Path $claudeDir -ItemType Directory -Force | Out-Null
-    $claudeAcl = Get-Acl $claudeDir
-    $claudeRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
-        $MinionSvcUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
-    $claudeAcl.AddAccessRule($claudeRule)
-    Set-Acl $claudeDir $claudeAcl
-    Write-Detail "Granted '$MinionSvcUser' access to $claudeDir"
+    # Grant target user access to admin's minion package and bin links (so target user can run minion-cli-win)
+    $adminNpmBin = Split-Path (Get-Command minion-cli-win -ErrorAction SilentlyContinue).Source -ErrorAction SilentlyContinue
+    if (-not $adminNpmBin) {
+        $adminNpmBin = & npm config get prefix 2>$null
+    }
+    if ($adminNpmBin -and ($adminNpmBin -ne (Join-Path $TargetUserProfile 'AppData\Roaming\npm'))) {
+        $targetUserName = Split-Path $TargetUserProfile -Leaf
+
+        # Grant ReadAndExecute on bin links (minion-cli-win.cmd, hq-win.cmd, etc.)
+        $binFiles = Get-ChildItem -Path $adminNpmBin -Filter '*minion*' -ErrorAction SilentlyContinue
+        $binFiles += Get-ChildItem -Path $adminNpmBin -Filter '*hq-win*' -ErrorAction SilentlyContinue
+        foreach ($f in $binFiles) {
+            icacls $f.FullName /grant "${targetUserName}:(RX)" /Q 2>$null | Out-Null
+        }
+        # Grant ReadAndExecute on the @geekbeer/minion package directory (recursive)
+        $minionPkgDir = Join-Path (Join-Path $adminNpmBin 'node_modules') '@geekbeer\minion'
+        if (Test-Path $minionPkgDir) {
+            icacls $minionPkgDir /grant "${targetUserName}:(OI)(CI)RX" /T /Q 2>$null | Out-Null
+            Write-Detail "Granted target user read access to $minionPkgDir"
+        }
+        # Grant traverse access on ancestor directories so the path is reachable
+        # e.g., C:\Users\yunoda -> AppData -> Roaming -> npm -> node_modules -> @geekbeer
+        $traverseDirs = @(
+            $adminNpmBin,
+            (Join-Path $adminNpmBin 'node_modules'),
+            (Join-Path $adminNpmBin 'node_modules\@geekbeer')
+        )
+        # Walk up from npm bin dir to drive root to grant traverse (list+read) on each
+        $walkDir = $adminNpmBin
+        while ($walkDir) {
+            $parent = Split-Path $walkDir -Parent
+            if (-not $parent -or $parent -eq $walkDir) { break }
+            $traverseDirs += $parent
+            $walkDir = $parent
+            # Stop at drive root
+            if ($parent.Length -le 3) { break }
+        }
+        foreach ($dir in ($traverseDirs | Select-Object -Unique)) {
+            if (Test-Path $dir) {
+                # Grant only traverse + list (no recursive, no inherit)
+                icacls $dir /grant "${targetUserName}:(RX)" /Q 2>$null | Out-Null
+            }
+        }
 
-    # Grant minion service account access to npm global directory (for package access)
-    $npmGlobalDir = Split-Path $CliDir
-    if ($npmGlobalDir -and (Test-Path $npmGlobalDir)) {
-        $npmAcl = Get-Acl $npmGlobalDir
-        $npmRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
-            $MinionSvcUser, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
-        $npmAcl.AddAccessRule($npmRule)
-        Set-Acl $npmGlobalDir $npmAcl
-        Write-Detail "Granted '$MinionSvcUser' read access to npm global"
+        # Add admin's npm bin to target user's PATH
+        $targetUserSid = $null
+        try {
+            $targetUserSid = (New-Object System.Security.Principal.NTAccount($targetUserName)).Translate(
+                [System.Security.Principal.SecurityIdentifier]).Value
+        } catch {}
+        if ($targetUserSid) {
+            $regPath = "Registry::HKEY_USERS\$targetUserSid\Environment"
+            if (Test-Path $regPath) {
+                $currentPath = (Get-ItemProperty -Path $regPath -Name PATH -ErrorAction SilentlyContinue).PATH
+                if ($currentPath -and $currentPath -notlike "*$adminNpmBin*") {
+                    Set-ItemProperty -Path $regPath -Name PATH -Value "$currentPath;$adminNpmBin"
+                    Write-Detail "Added $adminNpmBin to target user's PATH"
+                } elseif (-not $currentPath) {
+                    Set-ItemProperty -Path $regPath -Name PATH -Value $adminNpmBin
+                    Write-Detail "Set target user's PATH to $adminNpmBin"
+                } else {
+                    Write-Detail "Target user's PATH already contains $adminNpmBin"
+                }
+            } else {
+                Write-Warn "Target user's registry not loaded. User must log in and re-run setup, or manually add $adminNpmBin to PATH."
+            }
+        }
     }
 
     Write-Host ""
@@ -958,8 +942,8 @@ function Invoke-Setup {
     Write-Host ""
     Write-Host "Services registered (not yet started):"
     Write-Host "  minion-agent       - AI Agent (port 8080)"
-    Write-Host "  minion-vnc         - TightVNC Server (port 5900)"
     Write-Host "  minion-websockify  - WebSocket proxy (port 6080)"
+    Write-Host "  MinionVNC (task)   - TightVNC (port 5900, starts at logon)"
     Write-Host ""
     Write-Host "Next step: Connect to HQ (run as regular user):" -ForegroundColor Yellow
     Write-Host "  minion-cli-win configure ``"
@@ -1001,12 +985,12 @@ function Invoke-Uninstall {
     }
     Write-Host ""
 
-    $totalSteps = 7
+    $totalSteps = 6
 
     # Step 1: Stop and remove all NSSM services
     Write-Step 1 $totalSteps "Stopping and removing services..."
     if ($NssmPath -and (Test-Path $NssmPath)) {
-        foreach ($svc in @('minion-cloudflared', 'minion-websockify', 'minion-vnc', 'minion-agent')) {
+        foreach ($svc in @('minion-cloudflared', 'minion-websockify', 'minion-agent')) {
             $status = Invoke-Nssm status $svc
             if ($status) {
                 Invoke-Nssm stop $svc
@@ -1016,6 +1000,12 @@ function Invoke-Uninstall {
         }
     }
 
+    # Remove VNC logon task and legacy NSSM service
+    schtasks /Delete /TN "MinionVNC" /F 2>$null
+    Invoke-Nssm stop minion-vnc
+    Invoke-Nssm remove minion-vnc confirm
+    Write-Detail "VNC logon task and legacy service removed"
+
     # Also stop legacy processes
     Stop-Process -Name tvnserver -Force -ErrorAction SilentlyContinue
     Stop-Process -Name websockify -Force -ErrorAction SilentlyContinue
@@ -1024,7 +1014,7 @@ function Invoke-Uninstall {
 
     # Step 2: Remove firewall rules
     Write-Step 2 $totalSteps "Removing firewall rules..."
-    foreach ($ruleName in @('Minion Agent', 'Minion VNC')) {
+    foreach ($ruleName in @('Minion Agent', 'Minion Terminal', 'Minion VNC')) {
         $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
         if ($existing) {
             Remove-NetFirewallRule -DisplayName $ruleName
@@ -1095,24 +1085,15 @@ function Invoke-Uninstall {
         Write-Detail "Removed rules: core.md"
     }
 
-    # Step 6: Remove minion service account
-    Write-Step 6 $totalSteps "Removing service account..."
-    $MinionSvcUser = 'minion'
-    if (Get-LocalUser -Name $MinionSvcUser -ErrorAction SilentlyContinue) {
-        Remove-LocalUser -Name $MinionSvcUser
-        Write-Detail "Removed local user '$MinionSvcUser'"
-    } else {
-        Write-Detail "Service account '$MinionSvcUser' not found, skipping"
-    }
-    # Remove stored service password
+    # Clean up legacy service account and password file (from v3.1.0-v3.4.x)
     $svcPasswordFile = Join-Path $DataDir '.svc-password'
     if (Test-Path $svcPasswordFile) {
         Remove-Item $svcPasswordFile -Force
-        Write-Detail "Removed service credentials file"
+        Write-Detail "Removed legacy service credentials file"
     }
 
-    # Step 7: Remove Cloudflare Tunnel configuration
-    Write-Step 7 $totalSteps "Removing Cloudflare Tunnel configuration..."
+    # Step 6: Remove Cloudflare Tunnel configuration
+    Write-Step 6 $totalSteps "Removing Cloudflare Tunnel configuration..."
     $cfConfigDir = Join-Path $TargetUserProfile '.cloudflared'
     if (Test-Path $cfConfigDir) {
         Remove-Item $cfConfigDir -Recurse -Force
@@ -1280,13 +1261,24 @@ function Invoke-Configure {
     # Start services (uses sc.exe — works without admin via SDDL)
     $startStep = if ($SetupTunnel) { $totalSteps - 2 } else { $totalSteps - 2 }
     Write-Step ($totalSteps - 1) $totalSteps "Starting services..."
-    # Start VNC/websockify if registered
-    foreach ($svc in @('minion-vnc', 'minion-websockify')) {
-        $svcState = Get-ServiceState $svc
-        if ($svcState -and $svcState -ne 'RUNNING') {
-            sc.exe start $svc 2>&1 | Out-Null
-            Write-Detail "$svc started"
+    # Start VNC (logon task — runs in user session for desktop capture)
+    $vncProcess = Get-Process -Name tvnserver -ErrorAction SilentlyContinue
+    if (-not $vncProcess) {
+        $vncSystemPath = 'C:\Program Files\TightVNC\tvnserver.exe'
+        $vncPortablePath = Join-Path $DataDir 'tightvnc\PFiles\TightVNC\tvnserver.exe'
+        $vncExe = if (Test-Path $vncSystemPath) { $vncSystemPath } elseif (Test-Path $vncPortablePath) { $vncPortablePath } else { $null }
+        if ($vncExe) {
+            Start-Process -FilePath $vncExe -ArgumentList '-run'
+            Write-Detail "TightVNC started (user session)"
         }
+    } else {
+        Write-Detail "TightVNC already running"
+    }
+    # Start websockify service
+    $wsState = Get-ServiceState 'minion-websockify'
+    if ($wsState -and $wsState -ne 'RUNNING') {
+        sc.exe start minion-websockify 2>&1 | Out-Null
+        Write-Detail "minion-websockify started"
     }
     Start-MinionService
 
@@ -1343,7 +1335,7 @@ function Show-Status {
 }
 
 function Show-Daemons {
-    foreach ($svc in @('minion-agent', 'minion-vnc', 'minion-websockify', 'minion-cloudflared')) {
+    foreach ($svc in @('minion-agent', 'minion-websockify', 'minion-cloudflared')) {
         $state = Get-ServiceState $svc
         if ($state) {
             Write-Host "${svc}: $state"
@@ -1351,6 +1343,13 @@ function Show-Daemons {
             Write-Host "${svc}: not installed"
         }
     }
+    # VNC runs as logon task, not NSSM service
+    $vncProc = Get-Process -Name tvnserver -ErrorAction SilentlyContinue
+    if ($vncProc) {
+        Write-Host "vnc (task): RUNNING (PID $($vncProc[0].Id))"
+    } else {
+        Write-Host "vnc (task): not running"
+    }
 }
 
 function Show-Health {
@@ -1383,13 +1382,7 @@ function Show-Diagnose {
     Write-Host ""
 
     Write-Host "Service Account:" -ForegroundColor Yellow
-    $MinionSvcUser = 'minion'
-    $svcUser = Get-LocalUser -Name $MinionSvcUser -ErrorAction SilentlyContinue
-    if ($svcUser) {
-        Write-Host "  User: $MinionSvcUser (Enabled: $($svcUser.Enabled))"
-    } else {
-        Write-Host "  User: NOT FOUND (services run as LocalSystem)" -ForegroundColor Yellow
-    }
+    Write-Host "  Runs as: LocalSystem"
     Write-Host ""
 
     Write-Host "NSSM:" -ForegroundColor Yellow