@geekbeer/minion 3.5.35 → 3.6.2

package/core/lib/step-poller.js

@@ -20,6 +20,7 @@
 
 const { config, isHqConfigured } = require('../config')
 const api = require('../api')
+const variableStore = require('../stores/variable-store')
 
 // Polling interval: 30 seconds (matches heartbeat frequency)
 const POLL_INTERVAL_MS = 30_000
@@ -129,11 +130,14 @@ async function executeStep(step) {
     }
 
     // 2. Fetch the skill from HQ to ensure it's deployed locally
-    //    Pass template_vars as ?vars= so HQ expands {{VAR_NAME}} in SKILL.md
+    //    Merge minion variables into template_vars so HQ expands {{VAR_NAME}} in SKILL.md.
+    //    Merge order: minion vars < project vars < workflow vars (template_vars already merged by HQ)
     if (skill_name) {
       try {
-        const varsParam = template_vars
-          ? `?vars=${Buffer.from(JSON.stringify(template_vars)).toString('base64')}`
+        const minionVars = variableStore.getAll('variables')
+        const mergedVars = { ...minionVars, ...(template_vars || {}) }
+        const varsParam = Object.keys(mergedVars).length > 0
+          ? `?vars=${Buffer.from(JSON.stringify(mergedVars)).toString('base64')}`
           : ''
         const fetchUrl = `http://localhost:${config.AGENT_PORT || 8080}/api/skills/fetch/${encodeURIComponent(skill_name)}${varsParam}`
         const fetchResp = await fetch(fetchUrl, {

package/core/lib/template-expander.js

@@ -0,0 +1,85 @@
+/**
+ * Template Expander
+ *
+ * Expands {{VAR_NAME}} placeholders in SKILL.md files using minion variables.
+ * Same syntax as project/workflow variable expansion done on HQ side.
+ *
+ * Design:
+ * - Variables (non-sensitive config) use {{VAR}} template expansion in skill content
+ * - Secrets (sensitive credentials) remain as environment variables ($ENV_VAR)
+ * - Expand at execution time (not write time) so variable changes take effect immediately
+ * - Save/restore original SKILL.md to avoid persisting expanded content
+ */
+
+const fs = require('fs').promises
+const path = require('path')
+const { config } = require('../config')
+const variableStore = require('../stores/variable-store')
+
+/**
+ * Expand {{VAR_NAME}} template placeholders in content string.
+ * Unmatched placeholders are left as-is (same behavior as HQ-side expansion).
+ *
+ * @param {string} content - Skill content with {{VAR}} placeholders
+ * @param {Record<string, string>} vars - Key-value pairs for substitution
+ * @returns {string} Content with matched placeholders replaced
+ */
+function expandTemplateVars(content, vars) {
+  return content.replace(/\{\{(\w+)\}\}/g, (match, key) =>
+    vars[key] !== undefined ? vars[key] : match
+  )
+}
+
+/**
+ * Expand templates in SKILL.md files for the given skill names.
+ * Reads each SKILL.md, expands {{VAR}} with minion variables, writes back.
+ * Returns the original contents for restoration after execution.
+ *
+ * @param {string[]} skillNames - Skill slugs to expand
+ * @returns {Promise<Map<string, string>>} Map of skillName -> original content (for restoration)
+ */
+async function expandSkillTemplates(skillNames) {
+  const minionVars = variableStore.getAll('variables')
+
+  // If no variables defined, skip
+  if (Object.keys(minionVars).length === 0) return new Map()
+
+  const originals = new Map()
+  const skillsDir = path.join(config.HOME_DIR, '.claude', 'skills')
+
+  for (const name of skillNames) {
+    const skillMdPath = path.join(skillsDir, name, 'SKILL.md')
+    try {
+      const original = await fs.readFile(skillMdPath, 'utf-8')
+      const expanded = expandTemplateVars(original, minionVars)
+      if (expanded !== original) {
+        originals.set(name, original)
+        await fs.writeFile(skillMdPath, expanded, 'utf-8')
+        console.log(`[TemplateExpander] Expanded {{VAR}} in skill: ${name}`)
+      }
+    } catch (err) {
+      console.error(`[TemplateExpander] Failed to expand ${name}: ${err.message}`)
+    }
+  }
+
+  return originals
+}
+
+/**
+ * Restore original SKILL.md contents after execution.
+ *
+ * @param {Map<string, string>} originals - Map from expandSkillTemplates
+ */
+async function restoreSkillTemplates(originals) {
+  const skillsDir = path.join(config.HOME_DIR, '.claude', 'skills')
+  for (const [name, content] of originals) {
+    const skillMdPath = path.join(skillsDir, name, 'SKILL.md')
+    try {
+      await fs.writeFile(skillMdPath, content, 'utf-8')
+    } catch (err) {
+      console.error(`[TemplateExpander] Failed to restore ${name}: ${err.message}`)
+    }
+  }
+}
+
+module.exports = { expandTemplateVars, expandSkillTemplates, restoreSkillTemplates }

package/core/stores/variable-store.js

@@ -89,6 +89,8 @@ function get(type, key) {
 
 /**
  * Set a key-value pair (creates or updates).
+ * Only secrets are synced to process.env (for child process inheritance).
+ * Variables use {{VAR}} template expansion in skill content instead.
  * @param {'secrets' | 'variables'} type
  * @param {string} key
  * @param {string} value
@@ -98,8 +100,10 @@ function set(type, key, value) {
   const data = parseEnvFile(filePath)
   data[key] = value
   writeEnvFile(filePath, data)
-  // Sync to process.env so running child processes inherit the updated value
-  process.env[key] = value
+  // Only sync secrets to process.env; variables use template expansion instead
+  if (type === 'secrets') {
+    process.env[key] = value
+  }
   console.log(`[VariableStore] Set ${type} key: ${key}`)
 }
 
@@ -115,8 +119,10 @@ function remove(type, key) {
   if (!(key in data)) return false
   delete data[key]
   writeEnvFile(filePath, data)
-  // Sync to process.env so running child processes no longer inherit the removed value
-  delete process.env[key]
+  // Only sync secrets to process.env; variables use template expansion instead
+  if (type === 'secrets') {
+    delete process.env[key]
+  }
   console.log(`[VariableStore] Removed ${type} key: ${key}`)
   return true
 }
@@ -131,18 +137,14 @@ function listKeys(type) {
 }
 
 /**
- * Build a merged environment object from minion variables and secrets.
- * Used by workflow/routine runners to inject into execution environment.
- * Secrets override variables when keys collide.
+ * Build environment object from minion secrets only.
+ * Variables are no longer injected as env vars; they use {{VAR}} template
+ * expansion in skill content (same mechanism as project/workflow variables).
  *
- * @param {Record<string, string>} [extraVars] - Additional variables (e.g. project/workflow vars from HQ)
- * @returns {Record<string, string>} Merged key-value pairs
+ * @returns {Record<string, string>} Secret key-value pairs for process.env
  */
-function buildEnv(extraVars = {}) {
-  const variables = getAll('variables')
-  const secrets = getAll('secrets')
-  // Merge order: variables < secrets < extraVars (later wins)
-  return { ...variables, ...secrets, ...extraVars }
+function buildEnv() {
+  return getAll('secrets')
 }
 
 module.exports = {

package/docs/api-reference.md

@@ -544,11 +544,20 @@ Response:
 }
 ```
 
-ワークフロー変数はプロジェクト変数を上書きする（同名キーの場合）。実行時のマージ順序:
-1. ミニオンローカル変数
-2. ミニオンシークレット
-3. プロジェクト変数
-4. ワークフロー変数（最優先）
+ワークフロー変数はプロジェクト変数を上書きする（同名キーの場合）。
+
+#### 変数とシークレットの違い
+
+**変数**（ミニオン変数・プロジェクト変数・ワークフロー変数）はスキル本文の `{{VAR_NAME}}` テンプレートとして実行時に展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述する。
+
+**シークレット**（ミニオンシークレット）は環境変数 `$SECRET_NAME` としてプロセスに注入される。APIキーやパスワード等の機密情報に使用する。テンプレート展開は行われない。
+
+#### テンプレート変数の展開優先順位
+
+同名の変数が複数のスコープで定義されている場合、以下の順序で上書きされる:
+1. ミニオン変数（最低優先）
+2. プロジェクト変数
+3. ワークフロー変数（最優先）
 
 ### Workflows (project-scoped, versioned)
 

package/docs/task-guides.md

@@ -49,7 +49,7 @@ Use {{PROJECT_VAR}} to reference project/workflow variables.
 
 ### テンプレート変数
 
-スキル本文中で `{{VAR_NAME}}` と記述すると、ワークフロー実行時にHQ上のプロジェクト変数・ワークフロー変数の値で自動的に置換される。スキルを再利用しつつ、プロジェクトごとに異なるパラメータを渡したい場合に使う。
+スキル本文中で `{{VAR_NAME}}` と記述すると、実行時に変数の値で自動的に置換される。スキルを再利用しつつ、スコープごとに異なるパラメータを渡したい場合に使う。
 
 ```markdown
 ---
@@ -62,8 +62,19 @@ description: サイトをデプロイする
 
 - 変数名は英数字とアンダースコアのみ（`\w+`）
 - 未定義の変数は `{{VAR_NAME}}` のまま残る（エラーにはならない）
-- ワークフロー変数はプロジェクト変数を上書きする（同名キーの場合）
-- ミニオン変数・シークレットは `process.env` 経由で利用可能（テンプレートではなく環境変数として）
+- 展開優先順位: ミニオン変数 < プロジェクト変数 < ワークフロー変数（後者が上書き）
+- ルーティン実行時もミニオン変数による `{{VAR}}` 展開が行われる
+
+### 変数とシークレットの使い分け
+
+| 種別 | 構文 | 用途 | 例 |
+|------|------|------|-----|
+| 変数 | `{{VAR_NAME}}` | 設定・パラメータ（非機密） | デプロイ先、サイトURL、プロジェクト名 |
+| シークレット | `$SECRET_NAME`（環境変数） | 機密情報 | APIキー、パスワード、トークン |
+
+- **変数**はスキル本文のテンプレートとして展開される。全スコープ（ミニオン・プロジェクト・ワークフロー）で同じ `{{VAR}}` 構文を使用する
+- **シークレット**は環境変数としてプロセスに注入される。テンプレート展開は行われない
+- デイリーログやメモリーから変数・シークレットの値を推測して使用しないこと
 
 ### 2. HQ に反映する
 

package/linux/routine-runner.js

@@ -22,6 +22,7 @@ const executionStore = require('../core/stores/execution-store')
 const routineStore = require('../core/stores/routine-store')
 const logManager = require('../core/lib/log-manager')
 const runningTasks = require('../core/lib/running-tasks')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 // Active cron jobs keyed by routine ID
 const activeJobs = new Map()
@@ -83,6 +84,17 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   console.log(`[RoutineRunner] tmux session: ${sessionName}`)
   console.log(`[RoutineRunner] Log file: ${logFile}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[RoutineRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[RoutineRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     // Ensure log directory exists and prune old logs
     await logManager.ensureLogDir()
@@ -102,7 +114,7 @@ async function executeRoutineSession(routine, executionId, skillNames) {
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
     // Create tmux session with the LLM command.
-    // PATH, HOME, DISPLAY, and minion variables/secrets are already set in
+    // PATH, HOME, DISPLAY, and minion secrets are already set in
     // process.env at server startup, so child processes inherit them automatically.
     // Per-execution identifiers are passed via -e flags for the session environment.
     const tmuxCommand = [
@@ -173,6 +185,11 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   } catch (error) {
     console.error(`[RoutineRunner] Routine ${routine.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }
 

package/linux/server.js

@@ -302,13 +302,14 @@ async function start() {
     process.env.HOME = config.HOME_DIR
     process.env.DISPLAY = process.env.DISPLAY || ':99'
 
-    // Load minion variables/secrets into process.env for child process inheritance
+    // Load minion secrets into process.env for child process inheritance.
+    // Variables are NOT loaded here — they use {{VAR}} template expansion in skill content.
     const variableStore = require('../core/stores/variable-store')
     const minionEnv = variableStore.buildEnv()
     for (const [key, value] of Object.entries(minionEnv)) {
       if (!(key in process.env)) process.env[key] = value
     }
-    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion variables/secrets into process.env`)
+    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion secrets into process.env`)
 
     // Sync bundled assets
     syncBundledRules()

package/linux/workflow-runner.js

@@ -21,6 +21,7 @@ const executionStore = require('../core/stores/execution-store')
 const workflowStore = require('../core/stores/workflow-store')
 const logManager = require('../core/lib/log-manager')
 const runningTasks = require('../core/lib/running-tasks')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 // Active cron jobs keyed by workflow ID
 const activeJobs = new Map()
@@ -87,6 +88,17 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   console.log(`[WorkflowRunner] Log file: ${logFile}`)
   console.log(`[WorkflowRunner] HOME: ${homeDir}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[WorkflowRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[WorkflowRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     // Ensure log directory exists and prune old logs
     await logManager.ensureLogDir()
@@ -106,7 +118,7 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
     // Create tmux session with the LLM command.
-    // PATH, HOME, DISPLAY, and minion variables/secrets are already set in
+    // PATH, HOME, DISPLAY, and minion secrets are already set in
     // process.env at server startup, so child processes inherit them automatically.
     const tmuxCommand = [
       'tmux new-session -d',
@@ -173,6 +185,11 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   } catch (error) {
     console.error(`[WorkflowRunner] Workflow ${workflow.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekbeer/minion",
-  "version": "3.5.35",
+  "version": "3.6.2",
   "description": "AI Agent runtime for Minion - manages status and skill deployment on VPS",
   "main": "linux/server.js",
   "bin": {

package/rules/core.md

@@ -133,9 +133,11 @@ Routine 実行中は以下もtmuxセッション環境で利用可能:
 - `MINION_ROUTINE_ID` — ルーティンUUID
 - `MINION_ROUTINE_NAME` — ルーティン名
 
-ミニオン変数・シークレット（HQ UIまたはAPI経由で設定）はサーバー起動時に `process.env` にロードされ、全子プロセスで利用可能。
+**変数**（ミニオン変数・プロジェクト変数・ワークフロー変数）はスキル本文の `{{VAR_NAME}}` テンプレートとして実行時に展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述すること。展開優先順位: ミニオン変数 < プロジェクト変数 < ワークフロー変数（後者が優先）。
 
-プロジェクト変数・ワークフロー変数はスキル本文の `{{VAR_NAME}}` テンプレートとして展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述すること。
+**シークレット**（ミニオンシークレット）はサーバー起動時に `process.env` にロードされ、全子プロセスで環境変数 `$SECRET_NAME` として利用可能。APIキーやパスワード等の機密情報に使用する。シークレットは `{{VAR}}` テンプレートでは展開されない。
+
+デイリーログやメモリーから変数・シークレットの値を推測して使用してはならない。変数は `{{VAR_NAME}}` テンプレートとして定義し、シークレットは環境変数として参照すること。
 
 ## Skills Directory
 

package/win/minion-cli.ps1

@@ -451,7 +451,7 @@ function Restart-MinionService {
 # ============================================================
 
 function Invoke-Setup {
-    $totalSteps = 11
+    $totalSteps = 12
 
     # Minionization warning
     Write-Host ""
@@ -877,8 +877,52 @@ function Invoke-Setup {
         Write-Warn "websockify not available, VNC WebSocket proxy will not be registered"
     }
 
+    # Step 10: Download and register cloudflared
+    Write-Step 10 $totalSteps "Setting up Cloudflare Tunnel (cloudflared)..."
+    $cfExe = $null
+    if (Get-Command cloudflared -ErrorAction SilentlyContinue) {
+        $cfExe = (Get-Command cloudflared).Source
+        Write-Detail "cloudflared already installed: $cfExe"
+    } else {
+        Write-Host "  Downloading cloudflared..."
+        try {
+            $cfUrl = 'https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.exe'
+            $cfPath = Join-Path $DataDir 'cloudflared.exe'
+            Invoke-WebRequest -Uri $cfUrl -OutFile $cfPath -UseBasicParsing
+            $cfExe = $cfPath
+            Write-Detail "cloudflared downloaded to $cfExe"
+        }
+        catch {
+            Write-Warn "Failed to download cloudflared: $_"
+            Write-Host "  You can install manually or re-run setup later." -ForegroundColor Gray
+        }
+    }
+    if ($cfExe) {
+        # Register cloudflared as NSSM service (config will be set by 'configure --setup-tunnel')
+        Invoke-Nssm stop minion-cloudflared
+        Invoke-Nssm remove minion-cloudflared confirm
+        $cfConfigDir = Join-Path $TargetUserProfile '.cloudflared'
+        $cfConfigPath = Join-Path $cfConfigDir 'config.yml'
+        Invoke-Nssm install minion-cloudflared $cfExe "tunnel run --config `"$cfConfigPath`""
+        Invoke-Nssm set minion-cloudflared Start SERVICE_DEMAND_START
+        Invoke-Nssm set minion-cloudflared DisplayName "Minion Cloudflared"
+        Invoke-Nssm set minion-cloudflared Description "Cloudflare Tunnel for Minion"
+        Invoke-Nssm set minion-cloudflared AppRestartDelay 5000
+        Invoke-Nssm set minion-cloudflared AppStdout (Join-Path $LogDir 'cloudflared-stdout.log')
+        Invoke-Nssm set minion-cloudflared AppStderr (Join-Path $LogDir 'cloudflared-stderr.log')
+        Invoke-Nssm set minion-cloudflared AppStdoutCreationDisposition 4
+        Invoke-Nssm set minion-cloudflared AppStderrCreationDisposition 4
+        Invoke-Nssm set minion-cloudflared AppRotateFiles 1
+        Invoke-Nssm set minion-cloudflared AppRotateBytes 10485760
+        Grant-ServiceControlToUser 'minion-cloudflared' $setupUserSid
+        if ($targetUserSid -and $targetUserSid -ne $setupUserSid) {
+            Grant-ServiceControlToUser 'minion-cloudflared' $targetUserSid
+        }
+        Write-Detail "minion-cloudflared service registered (starts via 'configure --setup-tunnel')"
+    }
+
     # Step 11: Disable screensaver, lock screen, and sleep
-    Write-Step 10 $totalSteps "Disabling screensaver, lock screen, and sleep..."
+    Write-Step 11 $totalSteps "Disabling screensaver, lock screen, and sleep..."
     Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveActive -Value '0'
     Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name ScreenSaveTimeOut -Value '0'
     Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name SCRNSAVE.EXE -Value ''
@@ -892,7 +936,7 @@ function Invoke-Setup {
     Write-Detail "Sleep and monitor timeout disabled"
 
     # Configure firewall rules
-    Write-Step 11 $totalSteps "Configuring firewall rules..."
+    Write-Step 12 $totalSteps "Configuring firewall rules..."
     $fwRules = @(
         @{ Name = 'Minion Agent'; Port = 8080 },
         @{ Name = 'Minion Terminal'; Port = 7681 },
@@ -985,6 +1029,7 @@ function Invoke-Setup {
     Write-Host "Services registered (not yet started):"
     Write-Host "  minion-agent       - AI Agent (port 8080)"
     Write-Host "  minion-websockify  - WebSocket proxy (port 6080)"
+    Write-Host "  minion-cloudflared - Cloudflare Tunnel (starts via configure --setup-tunnel)"
     Write-Host "  MinionVNC (task)   - TightVNC (port 5900, starts at logon)"
     Write-Host ""
     Write-Host "Next step: Connect to HQ (run as regular user):" -ForegroundColor Yellow
@@ -1303,21 +1348,44 @@ function Invoke-Configure {
                 [System.IO.File]::WriteAllText((Join-Path $cfConfigDir 'config.yml'), $tunnelData.config_yml, [System.Text.UTF8Encoding]::new($false))
                 Write-Detail "Tunnel config saved"
 
-                # Register cloudflared as NSSM service (requires admin — will be skipped if non-admin)
-                $cfExe = $null
-                if (Get-Command cloudflared -ErrorAction SilentlyContinue) {
-                    $cfExe = (Get-Command cloudflared).Source
-                } elseif (Test-Path (Join-Path $DataDir 'cloudflared.exe')) {
-                    $cfExe = Join-Path $DataDir 'cloudflared.exe'
-                }
-                if ($cfExe) {
-                    # Check if cloudflared service already registered
-                    $cfState = Get-ServiceState 'minion-cloudflared'
-                    if (-not $cfState) {
-                        Write-Warn "minion-cloudflared service not registered. Run 'setup' as admin to register tunnel service."
-                    } else {
-                        sc.exe start minion-cloudflared 2>&1 | Out-Null
-                        Write-Detail "minion-cloudflared started"
+                # Start cloudflared service (registered during setup)
+                $cfState = Get-ServiceState 'minion-cloudflared'
+                if ($cfState) {
+                    # Enable auto-start now that tunnel config is in place
+                    Invoke-Nssm set minion-cloudflared Start SERVICE_AUTO_START 2>&1 | Out-Null
+                    sc.exe start minion-cloudflared 2>&1 | Out-Null
+                    Write-Detail "minion-cloudflared started"
+                } else {
+                    # Fallback: service not registered (e.g. setup was run before v3.6.2)
+                    $cfExe = $null
+                    if (Get-Command cloudflared -ErrorAction SilentlyContinue) {
+                        $cfExe = (Get-Command cloudflared).Source
+                    } elseif (Test-Path (Join-Path $DataDir 'cloudflared.exe')) {
+                        $cfExe = Join-Path $DataDir 'cloudflared.exe'
+                    }
+                    if ($cfExe) {
+                        $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
+                        if ($isAdmin) {
+                            $cfConfigPath = Join-Path $cfConfigDir 'config.yml'
+                            Invoke-Nssm install minion-cloudflared $cfExe "tunnel run --config `"$cfConfigPath`""
+                            Invoke-Nssm set minion-cloudflared Start SERVICE_AUTO_START
+                            Invoke-Nssm set minion-cloudflared DisplayName "Minion Cloudflared"
+                            Invoke-Nssm set minion-cloudflared Description "Cloudflare Tunnel for Minion"
+                            Invoke-Nssm set minion-cloudflared AppRestartDelay 5000
+                            Invoke-Nssm set minion-cloudflared AppStdout (Join-Path $LogDir 'cloudflared-stdout.log')
+                            Invoke-Nssm set minion-cloudflared AppStderr (Join-Path $LogDir 'cloudflared-stderr.log')
+                            Invoke-Nssm set minion-cloudflared AppStdoutCreationDisposition 4
+                            Invoke-Nssm set minion-cloudflared AppStderrCreationDisposition 4
+                            Invoke-Nssm set minion-cloudflared AppRotateFiles 1
+                            Invoke-Nssm set minion-cloudflared AppRotateBytes 10485760
+                            $setupUserSid = Get-SetupUserSid
+                            Grant-ServiceControlToUser 'minion-cloudflared' $setupUserSid
+                            Write-Detail "minion-cloudflared service registered (fallback)"
+                            sc.exe start minion-cloudflared 2>&1 | Out-Null
+                            Write-Detail "minion-cloudflared started"
+                        } else {
+                            Write-Warn "minion-cloudflared service not registered. Run 'setup' as admin to register, or run 'configure --setup-tunnel' as admin."
+                        }
                     }
                 }
             }

package/win/routine-runner.js

@@ -17,6 +17,7 @@ const executionStore = require('../core/stores/execution-store')
 const routineStore = require('../core/stores/routine-store')
 const logManager = require('../core/lib/log-manager')
 const { activeSessions } = require('./workflow-runner')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 const activeJobs = new Map()
 const runningExecutions = new Map()
@@ -60,6 +61,17 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   console.log(`[RoutineRunner] Session: ${sessionName}`)
   console.log(`[RoutineRunner] Log file: ${logFile}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[RoutineRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[RoutineRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     await logManager.ensureLogDir()
     await logManager.pruneOldLogs()
@@ -76,7 +88,7 @@ async function executeRoutineSession(routine, executionId, skillNames) {
     const escapedPrompt = prompt.replace(/'/g, "''")
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
-    // PATH, HOME, USERPROFILE, and minion variables/secrets are already set in
+    // PATH, HOME, USERPROFILE, and minion secrets are already set in
     // process.env at server startup. Per-execution identifiers are added here.
     const env = {
       ...process.env,
@@ -147,6 +159,11 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   } catch (error) {
     console.error(`[RoutineRunner] Routine ${routine.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }
 

package/win/server.js

@@ -249,13 +249,14 @@ async function start() {
     process.env.HOME = config.HOME_DIR
     process.env.USERPROFILE = config.HOME_DIR
 
-    // Load minion variables/secrets into process.env for child process inheritance
+    // Load minion secrets into process.env for child process inheritance.
+    // Variables are NOT loaded here — they use {{VAR}} template expansion in skill content.
     const variableStore = require('../core/stores/variable-store')
     const minionEnv = variableStore.buildEnv()
     for (const [key, value] of Object.entries(minionEnv)) {
       if (!(key in process.env)) process.env[key] = value
     }
-    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion variables/secrets into process.env`)
+    console.log(`[Server] Loaded ${Object.keys(minionEnv).length} minion secrets into process.env`)
 
     // Sync bundled assets
     syncBundledRules()

package/win/workflow-runner.js

@@ -23,6 +23,7 @@ const { config } = require('../core/config')
 const executionStore = require('../core/stores/execution-store')
 const workflowStore = require('../core/stores/workflow-store')
 const logManager = require('../core/lib/log-manager')
+const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
 
 // Active cron jobs keyed by workflow ID
 const activeJobs = new Map()
@@ -92,6 +93,17 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   console.log(`[WorkflowRunner] Log file: ${logFile}`)
   console.log(`[WorkflowRunner] HOME: ${homeDir}`)
 
+  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  let expandedOriginals = new Map()
+  try {
+    expandedOriginals = await expandSkillTemplates(skillNames)
+    if (expandedOriginals.size > 0) {
+      console.log(`[WorkflowRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
+    }
+  } catch (err) {
+    console.error(`[WorkflowRunner] Template expansion failed: ${err.message}`)
+  }
+
   try {
     await logManager.ensureLogDir()
     await logManager.pruneOldLogs()
@@ -110,7 +122,7 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
     const escapedPrompt = prompt.replace(/'/g, "''")
     const llmCommand = config.LLM_COMMAND.replace(/\{prompt\}/g, escapedPrompt)
 
-    // PATH, HOME, USERPROFILE, and minion variables/secrets are already set in
+    // PATH, HOME, USERPROFILE, and minion secrets are already set in
     // process.env at server startup, so child processes inherit them automatically.
 
     // Open log file for streaming writes
@@ -192,6 +204,11 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   } catch (error) {
     console.error(`[WorkflowRunner] Workflow ${workflow.name} failed: ${error.message}`)
     return { success: false, error: error.message, sessionName }
+  } finally {
+    // Restore original SKILL.md files after execution
+    if (expandedOriginals.size > 0) {
+      await restoreSkillTemplates(expandedOriginals)
+    }
   }
 }