@geekbeer/minion 3.5.34 → 3.6.1

package/core/lib/step-poller.js

@@ -20,6 +20,7 @@
 
 const { config, isHqConfigured } = require('../config')
 const api = require('../api')
+const variableStore = require('../stores/variable-store')
 
 // Polling interval: 30 seconds (matches heartbeat frequency)
 const POLL_INTERVAL_MS = 30_000
@@ -129,11 +130,14 @@ async function executeStep(step) {
     }
 
     // 2. Fetch the skill from HQ to ensure it's deployed locally
-    //    Pass template_vars as ?vars= so HQ expands {{VAR_NAME}} in SKILL.md
+    //    Merge minion variables into template_vars so HQ expands {{VAR_NAME}} in SKILL.md.
+    //    Merge order: minion vars < project vars < workflow vars (template_vars already merged by HQ)
     if (skill_name) {
       try {
-        const varsParam = template_vars
-          ? `?vars=${Buffer.from(JSON.stringify(template_vars)).toString('base64')}`
+        const minionVars = variableStore.getAll('variables')
+        const mergedVars = { ...minionVars, ...(template_vars || {}) }
+        const varsParam = Object.keys(mergedVars).length > 0
+          ? `?vars=${Buffer.from(JSON.stringify(mergedVars)).toString('base64')}`
           : ''
         const fetchUrl = `http://localhost:${config.AGENT_PORT || 8080}/api/skills/fetch/${encodeURIComponent(skill_name)}${varsParam}`
         const fetchResp = await fetch(fetchUrl, {

package/core/lib/template-expander.js

@@ -0,0 +1,85 @@
+/**
+ * Template Expander
+ *
+ * Expands {{VAR_NAME}} placeholders in SKILL.md files using minion variables.
+ * Same syntax as project/workflow variable expansion done on HQ side.
+ *
+ * Design:
+ * - Variables (non-sensitive config) use {{VAR}} template expansion in skill content
+ * - Secrets (sensitive credentials) remain as environment variables ($ENV_VAR)
+ * - Expand at execution time (not write time) so variable changes take effect immediately
+ * - Save/restore original SKILL.md to avoid persisting expanded content
+ */
+
+const fs = require('fs').promises
+const path = require('path')
+const { config } = require('../config')
+const variableStore = require('../stores/variable-store')
+
+/**
+ * Expand {{VAR_NAME}} template placeholders in content string.
+ * Unmatched placeholders are left as-is (same behavior as HQ-side expansion).
+ *
+ * @param {string} content - Skill content with {{VAR}} placeholders
+ * @param {Record<string, string>} vars - Key-value pairs for substitution
+ * @returns {string} Content with matched placeholders replaced
+ */
+function expandTemplateVars(content, vars) {
+  return content.replace(/\{\{(\w+)\}\}/g, (match, key) =>
+    vars[key] !== undefined ? vars[key] : match
+  )
+}
+
+/**
+ * Expand templates in SKILL.md files for the given skill names.
+ * Reads each SKILL.md, expands {{VAR}} with minion variables, writes back.
+ * Returns the original contents for restoration after execution.
+ *
+ * @param {string[]} skillNames - Skill slugs to expand
+ * @returns {Promise<Map<string, string>>} Map of skillName -> original content (for restoration)
+ */
+async function expandSkillTemplates(skillNames) {
+  const minionVars = variableStore.getAll('variables')
+
+  // If no variables defined, skip
+  if (Object.keys(minionVars).length === 0) return new Map()
+
+  const originals = new Map()
+  const skillsDir = path.join(config.HOME_DIR, '.claude', 'skills')
+
+  for (const name of skillNames) {
+    const skillMdPath = path.join(skillsDir, name, 'SKILL.md')
+    try {
+      const original = await fs.readFile(skillMdPath, 'utf-8')
+      const expanded = expandTemplateVars(original, minionVars)
+      if (expanded !== original) {
+        originals.set(name, original)
+        await fs.writeFile(skillMdPath, expanded, 'utf-8')
+        console.log(`[TemplateExpander] Expanded {{VAR}} in skill: ${name}`)
+      }
+    } catch (err) {
+      console.error(`[TemplateExpander] Failed to expand ${name}: ${err.message}`)
+    }
+  }
+
+  return originals
+}
+
+/**
+ * Restore original SKILL.md contents after execution.
+ *
+ * @param {Map<string, string>} originals - Map from expandSkillTemplates
+ */
+async function restoreSkillTemplates(originals) {
+  const skillsDir = path.join(config.HOME_DIR, '.claude', 'skills')
+  for (const [name, content] of originals) {
+    const skillMdPath = path.join(skillsDir, name, 'SKILL.md')
+    try {
+      await fs.writeFile(skillMdPath, content, 'utf-8')
+    } catch (err) {
+      console.error(`[TemplateExpander] Failed to restore ${name}: ${err.message}`)
+    }
+  }
+}
+
+module.exports = { expandTemplateVars, expandSkillTemplates, restoreSkillTemplates }

package/core/stores/variable-store.js

@@ -89,6 +89,8 @@ function get(type, key) {
 
 /**
  * Set a key-value pair (creates or updates).
+ * Only secrets are synced to process.env (for child process inheritance).
+ * Variables use {{VAR}} template expansion in skill content instead.
  * @param {'secrets' | 'variables'} type
  * @param {string} key
  * @param {string} value
@@ -98,8 +100,10 @@ function set(type, key, value) {
   const data = parseEnvFile(filePath)
   data[key] = value
   writeEnvFile(filePath, data)
-  // Sync to process.env so running child processes inherit the updated value
-  process.env[key] = value
+  // Only sync secrets to process.env; variables use template expansion instead
+  if (type === 'secrets') {
+    process.env[key] = value
+  }
   console.log(`[VariableStore] Set ${type} key: ${key}`)
 }
 
@@ -115,8 +119,10 @@ function remove(type, key) {
   if (!(key in data)) return false
   delete data[key]
   writeEnvFile(filePath, data)
-  // Sync to process.env so running child processes no longer inherit the removed value
-  delete process.env[key]
+  // Only sync secrets to process.env; variables use template expansion instead
+  if (type === 'secrets') {
+    delete process.env[key]
+  }
   console.log(`[VariableStore] Removed ${type} key: ${key}`)
   return true
 }
@@ -131,18 +137,14 @@ function listKeys(type) {
 }
 
 /**
- * Build a merged environment object from minion variables and secrets.
- * Used by workflow/routine runners to inject into execution environment.
- * Secrets override variables when keys collide.
+ * Build environment object from minion secrets only.
+ * Variables are no longer injected as env vars; they use {{VAR}} template
+ * expansion in skill content (same mechanism as project/workflow variables).
  *
- * @param {Record<string, string>} [extraVars] - Additional variables (e.g. project/workflow vars from HQ)
- * @returns {Record<string, string>} Merged key-value pairs
+ * @returns {Record<string, string>} Secret key-value pairs for process.env
  */
-function buildEnv(extraVars = {}) {
-  const variables = getAll('variables')
-  const secrets = getAll('secrets')
-  // Merge order: variables < secrets < extraVars (later wins)
-  return { ...variables, ...secrets, ...extraVars }
+function buildEnv() {
+  return getAll('secrets')
 }
 
 module.exports = {

package/docs/api-reference.md

@@ -544,11 +544,20 @@ Response:
 }
 ```
 
-ワークフロー変数はプロジェクト変数を上書きする（同名キーの場合）。実行時のマージ順序:
-1. ミニオンローカル変数
-2. ミニオンシークレット
-3. プロジェクト変数
-4. ワークフロー変数（最優先）
+ワークフロー変数はプロジェクト変数を上書きする（同名キーの場合）。
+
+#### 変数とシークレットの違い
+
+**変数**（ミニオン変数・プロジェクト変数・ワークフロー変数）はスキル本文の `{{VAR_NAME}}` テンプレートとして実行時に展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述する。
+
+**シークレット**（ミニオンシークレット）は環境変数 `$SECRET_NAME` としてプロセスに注入される。APIキーやパスワード等の機密情報に使用する。テンプレート展開は行われない。
+
+#### テンプレート変数の展開優先順位
+
+同名の変数が複数のスコープで定義されている場合、以下の順序で上書きされる:
+1. ミニオン変数（最低優先）
+2. プロジェクト変数
+3. ワークフロー変数（最優先）
 
 ### Workflows (project-scoped, versioned)
 

package/docs/task-guides.md

@@ -49,7 +49,7 @@ Use {{PROJECT_VAR}} to reference project/workflow variables.
 
 ### テンプレート変数
 
-スキル本文中で `{{VAR_NAME}}` と記述すると、ワークフロー実行時にHQ上のプロジェクト変数・ワークフロー変数の値で自動的に置換される。スキルを再利用しつつ、プロジェクトごとに異なるパラメータを渡したい場合に使う。
+スキル本文中で `{{VAR_NAME}}` と記述すると、実行時に変数の値で自動的に置換される。スキルを再利用しつつ、スコープごとに異なるパラメータを渡したい場合に使う。
 
 ```markdown
 ---
@@ -62,8 +62,19 @@ description: サイトをデプロイする
 
 - 変数名は英数字とアンダースコアのみ（`\w+`）
 - 未定義の変数は `{{VAR_NAME}}` のまま残る（エラーにはならない）
-- ワークフロー変数はプロジェクト変数を上書きする（同名キーの場合）
-- ミニオン変数・シークレットは `process.env` 経由で利用可能（テンプレートではなく環境変数として）
+- 展開優先順位: ミニオン変数 < プロジェクト変数 < ワークフロー変数（後者が上書き）
+- ルーティン実行時もミニオン変数による `{{VAR}}` 展開が行われる
+
+### 変数とシークレットの使い分け
+
+| 種別 | 構文 | 用途 | 例 |
+|------|------|------|-----|
+| 変数 | `{{VAR_NAME}}` | 設定・パラメータ（非機密） | デプロイ先、サイトURL、プロジェクト名 |
+| シークレット | `$SECRET_NAME`（環境変数） | 機密情報 | APIキー、パスワード、トークン |
+
+- **変数**はスキル本文のテンプレートとして展開される。全スコープ（ミニオン・プロジェクト・ワークフロー）で同じ `{{VAR}}` 構文を使用する
+- **シークレット**は環境変数としてプロセスに注入される。テンプレート展開は行われない
+- デイリーログやメモリーから変数・シークレットの値を推測して使用しないこと
 
 ### 2. HQ に反映する
 

package/linux/routine-runner.js

@@ -22,6 +22,7 @@ const executionStore = require('../core/stores/execution-store')
 const routineStore = require('../core/stores/routine-store')
 const logManager = require('../core/lib/log-manager')
 const runningTasks = require('../core/lib/running-tasks')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 // Active cron jobs keyed by routine ID
 const activeJobs = new Map()
@@ -83,6 +84,17 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   console.log(`[RoutineRunner] tmux session: ${sessionName}`)
   console.log(`[RoutineRunner] Log file: ${logFile}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[RoutineRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[RoutineRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     // Ensure log directory exists and prune old logs
     await logManager.ensureLogDir()
@@ -102,7 +114,7 @@ async function executeRoutineSession(routine, executionId, skillNames) {
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
     // Create tmux session with the LLM command.
-    // PATH, HOME, DISPLAY, and minion variables/secrets are already set in
+    // PATH, HOME, DISPLAY, and minion secrets are already set in
     // process.env at server startup, so child processes inherit them automatically.
     // Per-execution identifiers are passed via -e flags for the session environment.
     const tmuxCommand = [
@@ -173,6 +185,11 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   } catch (error) {
     console.error(`[RoutineRunner] Routine ${routine.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }
 

package/linux/server.js

@@ -302,13 +302,14 @@ async function start() {
     process.env.HOME = config.HOME_DIR
     process.env.DISPLAY = process.env.DISPLAY || ':99'
 
-    // Load minion variables/secrets into process.env for child process inheritance
+    // Load minion secrets into process.env for child process inheritance.
+    // Variables are NOT loaded here — they use {{VAR}} template expansion in skill content.
     const variableStore = require('../core/stores/variable-store')
     const minionEnv = variableStore.buildEnv()
     for (const [key, value] of Object.entries(minionEnv)) {
       if (!(key in process.env)) process.env[key] = value
     }
-    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion variables/secrets into process.env`)
+    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion secrets into process.env`)
 
     // Sync bundled assets
     syncBundledRules()

package/linux/workflow-runner.js

@@ -21,6 +21,7 @@ const executionStore = require('../core/stores/execution-store')
 const workflowStore = require('../core/stores/workflow-store')
 const logManager = require('../core/lib/log-manager')
 const runningTasks = require('../core/lib/running-tasks')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 // Active cron jobs keyed by workflow ID
 const activeJobs = new Map()
@@ -87,6 +88,17 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   console.log(`[WorkflowRunner] Log file: ${logFile}`)
   console.log(`[WorkflowRunner] HOME: ${homeDir}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[WorkflowRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[WorkflowRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     // Ensure log directory exists and prune old logs
     await logManager.ensureLogDir()
@@ -106,7 +118,7 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
     // Create tmux session with the LLM command.
-    // PATH, HOME, DISPLAY, and minion variables/secrets are already set in
+    // PATH, HOME, DISPLAY, and minion secrets are already set in
     // process.env at server startup, so child processes inherit them automatically.
     const tmuxCommand = [
       'tmux new-session -d',
@@ -173,6 +185,11 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   } catch (error) {
     console.error(`[WorkflowRunner] Workflow ${workflow.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekbeer/minion",
-  "version": "3.5.34",
+  "version": "3.6.1",
   "description": "AI Agent runtime for Minion - manages status and skill deployment on VPS",
   "main": "linux/server.js",
   "bin": {

package/rules/core.md

@@ -133,9 +133,11 @@ Routine 実行中は以下もtmuxセッション環境で利用可能:
 - `MINION_ROUTINE_ID` — ルーティンUUID
 - `MINION_ROUTINE_NAME` — ルーティン名
 
-ミニオン変数・シークレット（HQ UIまたはAPI経由で設定）はサーバー起動時に `process.env` にロードされ、全子プロセスで利用可能。
+**変数**（ミニオン変数・プロジェクト変数・ワークフロー変数）はスキル本文の `{{VAR_NAME}}` テンプレートとして実行時に展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述すること。展開優先順位: ミニオン変数 < プロジェクト変数 < ワークフロー変数（後者が優先）。
 
-プロジェクト変数・ワークフロー変数はスキル本文の `{{VAR_NAME}}` テンプレートとして展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述すること。
+**シークレット**（ミニオンシークレット）はサーバー起動時に `process.env` にロードされ、全子プロセスで環境変数 `$SECRET_NAME` として利用可能。APIキーやパスワード等の機密情報に使用する。シークレットは `{{VAR}}` テンプレートでは展開されない。
+
+デイリーログやメモリーから変数・シークレットの値を推測して使用してはならない。変数は `{{VAR_NAME}}` テンプレートとして定義し、シークレットは環境変数として参照すること。
 
 ## Skills Directory
 

package/win/minion-cli.ps1

@@ -114,25 +114,46 @@ function Test-CommandExists {
     $null -ne (Get-Command $Name -ErrorAction SilentlyContinue)
 }
 
-function Invoke-Winget {
-    # Wrapper for winget install that handles broken sources.
-    # winget's msstore source can fail with 0x8a15000f on fresh/misconfigured systems.
-    # This function tries: (1) --source winget, (2) winget source reset + retry, (3) fail.
-    param([string]$Id)
-
-    if (-not (Test-CommandExists 'winget')) { return $false }
-
-    # Attempt 1: install with --source winget (skip msstore)
-    $result = cmd /c "winget install --id $Id --source winget --accept-package-agreements --accept-source-agreements 2>&1"
-    if ($LASTEXITCODE -eq 0) { return $true }
-
-    # Attempt 2: reset sources and retry
-    Write-Host "  Retrying after winget source reset..."
-    cmd /c "winget source reset --force 2>&1" | Out-Null
-    $result = cmd /c "winget install --id $Id --source winget --accept-package-agreements --accept-source-agreements 2>&1"
-    if ($LASTEXITCODE -eq 0) { return $true }
+function Install-GitDirect {
+    # Download and install Git for Windows from GitHub Releases.
+    # Uses the GitHub API to resolve the latest 64-bit installer URL.
+    Write-Host "  Downloading Git for Windows..."
+    try {
+        $releaseApi = 'https://api.github.com/repos/git-for-windows/git/releases/latest'
+        $release = Invoke-RestMethod -Uri $releaseApi -UseBasicParsing
+        $asset = $release.assets | Where-Object { $_.name -match '64-bit\.exe$' -and $_.name -notmatch 'portable' } | Select-Object -First 1
+        if (-not $asset) { Write-Warn "Could not find Git installer from GitHub releases"; return $false }
+
+        $installerPath = Join-Path $env:TEMP $asset.name
+        Invoke-WebRequest -Uri $asset.browser_download_url -OutFile $installerPath -UseBasicParsing
+        Write-Host "  Running Git installer (silent)..."
+        $proc = Start-Process -FilePath $installerPath -ArgumentList '/VERYSILENT', '/NORESTART', '/SP-' -Wait -PassThru
+        Remove-Item $installerPath -Force -ErrorAction SilentlyContinue
+        return ($proc.ExitCode -eq 0)
+    }
+    catch {
+        Write-Warn "Git download failed: $_"
+        return $false
+    }
+}
 
-    return $false
+function Install-PythonDirect {
+    # Download and install Python from python.org.
+    # Installs for all users with PATH prepended.
+    Write-Host "  Downloading Python 3.12..."
+    try {
+        $pyUrl = 'https://www.python.org/ftp/python/3.12.8/python-3.12.8-amd64.exe'
+        $installerPath = Join-Path $env:TEMP 'python-installer.exe'
+        Invoke-WebRequest -Uri $pyUrl -OutFile $installerPath -UseBasicParsing
+        Write-Host "  Running Python installer (silent)..."
+        $proc = Start-Process -FilePath $installerPath -ArgumentList '/quiet', 'InstallAllUsers=1', 'PrependPath=1', 'Include_pip=1' -Wait -PassThru
+        Remove-Item $installerPath -Force -ErrorAction SilentlyContinue
+        return ($proc.ExitCode -eq 0)
+    }
+    catch {
+        Write-Warn "Python download failed: $_"
+        return $false
+    }
 }
 
 function Remove-ScheduledTaskSilent {
@@ -519,23 +540,8 @@ function Invoke-Setup {
         Write-Detail "Node.js $nodeVersion already installed"
     }
     else {
-        Write-Host "  Installing Node.js via winget..."
-        $installed = Invoke-Winget 'OpenJS.NodeJS.LTS'
-        if ($installed) {
-            # Refresh PATH
-            $env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('PATH', 'User')
-            if (Test-CommandExists 'node') {
-                Write-Detail "Node.js installed successfully"
-            }
-            else {
-                Write-Warn "Node.js installed but not in PATH. Please restart this terminal."
-                exit 1
-            }
-        }
-        else {
-            Write-Error "Failed to install Node.js. Please install manually from https://nodejs.org/"
-            exit 1
-        }
+        Write-Error "Node.js is required but not installed. Please install from https://nodejs.org/ and re-run setup."
+        exit 1
     }
 
     # Step 2: Install Git (required by Claude Code for git-bash)
@@ -551,8 +557,7 @@ function Invoke-Setup {
         if (Test-Path $candidateBash) { $gitBashPath = $candidateBash }
     }
     else {
-        Write-Host "  Installing Git via winget..."
-        $installed = Invoke-Winget 'Git.Git'
+        $installed = Install-GitDirect
         if ($installed) {
             # Refresh PATH
             $env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('PATH', 'User')
@@ -808,14 +813,13 @@ function Invoke-Setup {
             if ($pyVer -match '\d+\.\d+') { $pythonUsable = $true }
         }
         if (-not $pythonUsable) {
-            Write-Host "  Python not found. Installing via winget..."
-            $installed = Invoke-Winget 'Python.Python.3.12'
+            $installed = Install-PythonDirect
             if ($installed) {
                 $env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('PATH', 'User')
                 Write-Detail "Python installed"
             }
             else {
-                Write-Warn "Failed to install Python. Install manually: winget install --id Python.Python.3.12"
+                Write-Warn "Failed to install Python. Install manually from https://www.python.org/downloads/"
             }
         }
 
@@ -1270,23 +1274,16 @@ function Invoke-Configure {
 
         # Install cloudflared if needed
         if (-not (Test-CommandExists 'cloudflared')) {
-            Write-Host "  Installing cloudflared..."
-            if (Test-CommandExists 'winget') {
-                $installed = Invoke-Winget 'Cloudflare.cloudflared'
-                if ($installed) {
-                    $env:PATH = [System.Environment]::GetEnvironmentVariable('PATH', 'Machine') + ';' + [System.Environment]::GetEnvironmentVariable('PATH', 'User')
-                }
-            }
-            elseif (Test-CommandExists 'choco') {
-                & choco install cloudflared -y
-            }
-            else {
-                Write-Host "  Downloading cloudflared..."
+            Write-Host "  Downloading cloudflared..."
+            try {
                 $cfUrl = 'https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe'
                 $cfPath = Join-Path $DataDir 'cloudflared.exe'
-                Invoke-WebRequest -Uri $cfUrl -OutFile $cfPath
+                Invoke-WebRequest -Uri $cfUrl -OutFile $cfPath -UseBasicParsing
                 Write-Detail "cloudflared downloaded to $cfPath"
             }
+            catch {
+                Write-Warn "Failed to download cloudflared: $_"
+            }
         }
         else {
             Write-Detail "cloudflared already installed"
@@ -1314,10 +1311,33 @@ function Invoke-Configure {
                     $cfExe = Join-Path $DataDir 'cloudflared.exe'
                 }
                 if ($cfExe) {
-                    # Check if cloudflared service already registered
                     $cfState = Get-ServiceState 'minion-cloudflared'
                     if (-not $cfState) {
-                        Write-Warn "minion-cloudflared service not registered. Run 'setup' as admin to register tunnel service."
+                        # Service not registered — try to register via NSSM (requires admin)
+                        $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+                        if ($isAdmin) {
+                            $cfConfigPath = Join-Path $cfConfigDir 'config.yml'
+                            Invoke-Nssm stop minion-cloudflared
+                            Invoke-Nssm remove minion-cloudflared confirm
+                            Invoke-Nssm install minion-cloudflared $cfExe "tunnel run --config `"$cfConfigPath`""
+                            Invoke-Nssm set minion-cloudflared Start SERVICE_AUTO_START
+                            Invoke-Nssm set minion-cloudflared DisplayName "Minion Cloudflared"
+                            Invoke-Nssm set minion-cloudflared Description "Cloudflare Tunnel for Minion"
+                            Invoke-Nssm set minion-cloudflared AppRestartDelay 5000
+                            Invoke-Nssm set minion-cloudflared AppStdout (Join-Path $LogDir 'cloudflared-stdout.log')
+                            Invoke-Nssm set minion-cloudflared AppStderr (Join-Path $LogDir 'cloudflared-stderr.log')
+                            Invoke-Nssm set minion-cloudflared AppStdoutCreationDisposition 4
+                            Invoke-Nssm set minion-cloudflared AppStderrCreationDisposition 4
+                            Invoke-Nssm set minion-cloudflared AppRotateFiles 1
+                            Invoke-Nssm set minion-cloudflared AppRotateBytes 10485760
+                            $setupUserSid = Get-SetupUserSid
+                            Grant-ServiceControlToUser 'minion-cloudflared' $setupUserSid
+                            Write-Detail "minion-cloudflared service registered"
+                            sc.exe start minion-cloudflared 2>&1 | Out-Null
+                            Write-Detail "minion-cloudflared started"
+                        } else {
+                            Write-Warn "minion-cloudflared service not registered. Run 'configure --setup-tunnel' as admin to register tunnel service."
+                        }
                     } else {
                         sc.exe start minion-cloudflared 2>&1 | Out-Null
                         Write-Detail "minion-cloudflared started"

package/win/routine-runner.js

@@ -17,6 +17,7 @@ const executionStore = require('../core/stores/execution-store')
 const routineStore = require('../core/stores/routine-store')
 const logManager = require('../core/lib/log-manager')
 const { activeSessions } = require('./workflow-runner')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 const activeJobs = new Map()
 const runningExecutions = new Map()
@@ -60,6 +61,17 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   console.log(`[RoutineRunner] Session: ${sessionName}`)
   console.log(`[RoutineRunner] Log file: ${logFile}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[RoutineRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[RoutineRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     await logManager.ensureLogDir()
     await logManager.pruneOldLogs()
@@ -76,7 +88,7 @@ async function executeRoutineSession(routine, executionId, skillNames) {
     const escapedPrompt = prompt.replace(/'/g, "''")
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
-    // PATH, HOME, USERPROFILE, and minion variables/secrets are already set in
+    // PATH, HOME, USERPROFILE, and minion secrets are already set in
     // process.env at server startup. Per-execution identifiers are added here.
     const env = {
       ...process.env,
@@ -147,6 +159,11 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   } catch (error) {
     console.error(`[RoutineRunner] Routine ${routine.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }
 

package/win/server.js

@@ -249,13 +249,14 @@ async function start() {
     process.env.HOME = config.HOME_DIR
     process.env.USERPROFILE = config.HOME_DIR
 
-    // Load minion variables/secrets into process.env for child process inheritance
+    // Load minion secrets into process.env for child process inheritance.
+    // Variables are NOT loaded here — they use {{VAR}} template expansion in skill content.
     const variableStore = require('../core/stores/variable-store')
     const minionEnv = variableStore.buildEnv()
     for (const [key, value] of Object.entries(minionEnv)) {
       if (!(key in process.env)) process.env[key] = value
     }
-    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion variables/secrets into process.env`)
+    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion secrets into process.env`)
 
     // Sync bundled assets
     syncBundledRules()

package/win/workflow-runner.js

@@ -23,6 +23,7 @@ const { config } = require('../core/config')
 const executionStore = require('../core/stores/execution-store')
 const workflowStore = require('../core/stores/workflow-store')
 const logManager = require('../core/lib/log-manager')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 // Active cron jobs keyed by workflow ID
 const activeJobs = new Map()
@@ -92,6 +93,17 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   console.log(`[WorkflowRunner] Log file: ${logFile}`)
   console.log(`[WorkflowRunner] HOME: ${homeDir}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[WorkflowRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[WorkflowRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     await logManager.ensureLogDir()
     await logManager.pruneOldLogs()
@@ -110,7 +122,7 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
     const escapedPrompt = prompt.replace(/'/g, "''")
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
-    // PATH, HOME, USERPROFILE, and minion variables/secrets are already set in
+    // PATH, HOME, USERPROFILE, and minion secrets are already set in
     // process.env at server startup, so child processes inherit them automatically.
 
     // Open log file for streaming writes
@@ -192,6 +204,11 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   } catch (error) {
     console.error(`[WorkflowRunner] Workflow ${workflow.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }