@geekbeer/minion 3.55.1 → 3.58.0

package/core/db/migrations/20260510100000_secrets_workspace.js

@@ -0,0 +1,36 @@
+/**
+ * Move minion secrets from `.env.secrets` (flat file) into SQLite with
+ * workspace scoping.
+ *
+ * Design:
+ * - PRIMARY KEY (workspace_id, key); workspace_id='' is the minion-wide bucket.
+ * - Same key can exist at multiple scopes; at execution time the runner merges
+ *   minion-wide + current-workspace secrets, with the WS-scoped value winning.
+ * - The actual data migration from `.env.secrets` is performed by
+ *   variable-store at server start (it needs filesystem access which sits
+ *   outside the DB transaction). See `migrateLegacySecretsFile()`.
+ *
+ * Secrets stay minion-local — they are NEVER persisted in HQ DB, by design.
+ * HQ→minion APIs only pass values through to the minion's local store.
+ */
+
+module.exports = {
+  version: 9,
+  name: 'secrets_workspace',
+
+  up(db, { tableExists }) {
+    if (tableExists(db, 'secrets')) return
+
+    db.exec(`
+      CREATE TABLE secrets (
+        workspace_id TEXT NOT NULL DEFAULT '',
+        key TEXT NOT NULL,
+        value TEXT NOT NULL,
+        updated_at INTEGER NOT NULL,
+        PRIMARY KEY (workspace_id, key)
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_secrets_workspace ON secrets(workspace_id);
+    `)
+  },
+}

package/core/db/migrations/20260511100000_variables_workspace.js

@@ -0,0 +1,37 @@
+/**
+ * Move minion variables from `.env.variables` (flat file) into SQLite with
+ * workspace scoping — mirrors the secrets workspace migration.
+ *
+ * Design:
+ * - PRIMARY KEY (workspace_id, key); workspace_id='' is the minion-wide bucket.
+ * - Same key can exist at multiple scopes; at execution time the
+ *   template-expander merges minion-wide + current-workspace variables, with
+ *   the WS-scoped value winning.
+ * - Variables are non-sensitive — values are returned by the API (unlike
+ *   secrets) — but they still benefit from scoping so a single minion serving
+ *   multiple workspaces doesn't leak per-tenant config across runs.
+ * - Actual data migration from `.env.variables` is performed by variable-store
+ *   at first use (filesystem access lives outside this transaction). See
+ *   `migrateLegacyVariablesFile()`.
+ */
+
+module.exports = {
+  version: 10,
+  name: 'variables_workspace',
+
+  up(db, { tableExists }) {
+    if (tableExists(db, 'variables')) return
+
+    db.exec(`
+      CREATE TABLE variables (
+        workspace_id TEXT NOT NULL DEFAULT '',
+        key TEXT NOT NULL,
+        value TEXT NOT NULL,
+        updated_at INTEGER NOT NULL,
+        PRIMARY KEY (workspace_id, key)
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_variables_workspace ON variables(workspace_id);
+    `)
+  },
+}

package/core/lib/session-env.js

@@ -0,0 +1,96 @@
+/**
+ * Session environment builder
+ *
+ * Builds workspace-scoped environment variable injection for runners.
+ * Resolves minion-wide + workspace-scoped secrets, and exposes both
+ * `tmux -e` flags (Linux/macOS) and a node-pty env object (Windows).
+ *
+ * Why this exists:
+ *   Before this module, all secrets were loaded once into `process.env`
+ *   at server start and inherited by every child process — fine for a
+ *   single-workspace minion but a leakage path for multi-workspace
+ *   setups. Each runner now passes the effective env explicitly for the
+ *   workspace it is running on; workspace-scoped values override
+ *   minion-wide ones at this layer.
+ */
+
+const variableStore = require('../stores/variable-store')
+
+/**
+ * Shell-escape a value for a `KEY=VALUE` argument passed via `-e` to tmux.
+ * We use single-quote wrapping; the surrounding shell sees one literal arg.
+ * @param {string} s
+ * @returns {string}
+ */
+function singleQuote(s) {
+  return "'" + String(s).replace(/'/g, "'\\''") + "'"
+}
+
+/**
+ * Build an array of `-e 'KEY=VALUE'` shell-safe flags for tmux new-session.
+ *
+ * @param {string|null|undefined} workspaceId - The session's workspace scope
+ * @param {Record<string,string>} [extraEnv] - Per-execution identifiers (e.g.
+ *   MINION_EXECUTION_ID). Layered on top so they always win.
+ * @returns {string[]} List of `-e <quoted>` fragments to splice into a shell command
+ */
+function buildTmuxEnvFlags(workspaceId, extraEnv = {}) {
+  const merged = { ...variableStore.getEffectiveSecrets(workspaceId), ...extraEnv }
+  const flags = []
+  for (const [k, v] of Object.entries(merged)) {
+    if (v == null) continue
+    flags.push(`-e ${singleQuote(`${k}=${v}`)}`)
+  }
+  return flags
+}
+
+/**
+ * Build a `tmux new-session` invocation line including all secret env vars.
+ *
+ * Caller typically does:
+ *   `${buildTmuxNewSessionCommand({sessionName, workspaceId, extraEnv, width, height})}`
+ *
+ * The session is created detached (`-d`) with no command so we can configure
+ * `remain-on-exit` and `pipe-pane` before injecting the real workload via
+ * `send-keys`.
+ *
+ * @param {object} opts
+ * @param {string} opts.sessionName
+ * @param {string|null|undefined} opts.workspaceId
+ * @param {Record<string,string>} [opts.extraEnv]
+ * @param {number} [opts.width]
+ * @param {number} [opts.height]
+ * @returns {string}
+ */
+function buildTmuxNewSessionCommand({ sessionName, workspaceId, extraEnv = {}, width = 200, height = 50 }) {
+  const envFlags = buildTmuxEnvFlags(workspaceId, extraEnv)
+  return [
+    'tmux new-session -d',
+    `-s "${sessionName}"`,
+    `-x ${width} -y ${height}`,
+    ...envFlags,
+  ].join(' ')
+}
+
+/**
+ * Build an env object for node-pty / child_process.spawn that contains the
+ * caller's `process.env` plus the workspace-effective secrets and any extra
+ * per-execution identifiers (extraEnv wins last).
+ *
+ * @param {string|null|undefined} workspaceId
+ * @param {Record<string,string>} [extraEnv]
+ * @returns {Record<string,string>}
+ */
+function buildSpawnEnv(workspaceId, extraEnv = {}) {
+  return {
+    ...process.env,
+    ...variableStore.getEffectiveSecrets(workspaceId),
+    ...extraEnv,
+  }
+}
+
+module.exports = {
+  buildTmuxEnvFlags,
+  buildTmuxNewSessionCommand,
+  buildSpawnEnv,
+}

package/core/lib/step-poller.js

@@ -104,6 +104,7 @@ async function executeStep(step) {
     skill_name,
     revision_feedback,
     template_vars,
+    workspace_id,
   } = step
 
   console.log(
@@ -135,11 +136,15 @@ async function executeStep(step) {
 
     // 2. Fetch the skill from HQ to ensure it's deployed locally
     //    Merge minion variables into template_vars so HQ expands {{VAR_NAME}} in SKILL.md.
-    //    Merge order: minion vars < project vars < workflow vars (template_vars already merged by HQ)
+    //    Resolution order: workspace < project < workflow < minion (minion wins).
+    //    template_vars already merges workspace/project/workflow on HQ side; we
+    //    layer effective minion vars (minion-wide ∪ WS-scoped) on top so any
+    //    conflicting key resolves to the minion-local value before HQ rewrites
+    //    the SKILL.md.
     if (skill_name) {
       try {
-        const minionVars = variableStore.getAll('variables')
-        const mergedVars = { ...minionVars, ...(template_vars || {}) }
+        const minionVars = variableStore.getEffectiveVariables(workspace_id || '')
+        const mergedVars = { ...(template_vars || {}), ...minionVars }
         const varsParam = Object.keys(mergedVars).length > 0
           ? `?vars=${Buffer.from(JSON.stringify(mergedVars)).toString('base64')}`
           : ''

package/core/lib/template-expander.js

@@ -32,17 +32,31 @@ function expandTemplateVars(content, vars) {
 
 /**
  * Expand templates in SKILL.md files for the given skill names.
- * Reads each SKILL.md, expands {{VAR}} with minion variables, writes back.
+ * Reads each SKILL.md, expands {{VAR}} with the merged variable set, writes back.
  * Returns the original contents for restoration after execution.
  *
+ * Resolution order (later entries override earlier ones):
+ *   extraVars (e.g., HQ workspace vars passed by the caller)
+ *     < minion-wide variables
+ *     < workspace-scoped minion variables for the given workspaceId
+ *
+ * The minion-local layer always wins at this stage, which mirrors the
+ * cross-scope rule (workspace < project < workflow < minion). For workflow
+ * execution, project/workflow scopes are pre-expanded by HQ before the
+ * SKILL.md reaches the minion; for routine execution the caller can pass
+ * workspace-scoped HQ vars via `extraVars`.
+ *
  * @param {string[]} skillNames - Skill slugs to expand
+ * @param {Record<string, string>} [extraVars] - Additional vars (lowest priority of the three layers)
+ * @param {string|null|undefined} [workspaceId] - Workspace context for resolving minion variables (defaults to minion-wide only)
  * @returns {Promise<Map<string, string>>} Map of skillName -> original content (for restoration)
  */
-async function expandSkillTemplates(skillNames) {
-  const minionVars = variableStore.getAll('variables')
+async function expandSkillTemplates(skillNames, extraVars = {}, workspaceId = '') {
+  const minionVars = variableStore.getEffectiveVariables(workspaceId)
+  const mergedVars = { ...extraVars, ...minionVars }
 
-  // If no variables defined, skip
-  if (Object.keys(minionVars).length === 0) return new Map()
+  // If nothing to expand, skip
+  if (Object.keys(mergedVars).length === 0) return new Map()
 
   // originals key: `${root}::${name}` so we restore the right copy in each
   // plugin's skill dir (multi-plugin distribution).
@@ -55,7 +69,7 @@ async function expandSkillTemplates(skillNames) {
       const skillMdPath = path.join(root, name, 'SKILL.md')
       try {
         const original = await fs.readFile(skillMdPath, 'utf-8')
-        const expanded = expandTemplateVars(original, minionVars)
+        const expanded = expandTemplateVars(original, mergedVars)
         if (expanded !== original) {
           originals.set(`${root}::${name}`, { skillMdPath, original })
           await fs.writeFile(skillMdPath, expanded, 'utf-8')

package/core/routes/variables.js

@@ -32,14 +32,26 @@ function isValidValue(value) {
 }
 
 function variableRoutes(fastify, _opts, done) {
-  // ─── Variables (non-sensitive) ───────────────────────────────────────
+  function readWorkspaceId(request) {
+    const rawWs = request.query?.workspace_id
+    return (typeof rawWs === 'string') ? rawWs : ''
+  }
+
+  // ─── Variables (non-sensitive, workspace-scoped) ──────────────────────
+  //
+  // Variables are scoped per workspace just like secrets. Pass
+  // ?workspace_id=<uuid> to target a specific workspace's bucket; omit it
+  // (or pass '') for the minion-wide bucket. At skill execution time the
+  // template-expander merges minion-wide + current-workspace variables, with
+  // WS-scoped values overriding minion-wide ones.
 
   fastify.get('/api/variables', async (request, reply) => {
     if (!verifyToken(request)) {
       return reply.code(401).send({ error: 'Unauthorized' })
     }
-    const variables = variableStore.getAll('variables')
-    return { success: true, variables }
+    const workspaceId = readWorkspaceId(request)
+    const variables = variableStore.getVariablesForScope(workspaceId)
+    return { success: true, workspace_id: workspaceId, variables }
   })
 
   fastify.get('/api/variables/:key', async (request, reply) => {
@@ -47,11 +59,12 @@ function variableRoutes(fastify, _opts, done) {
       return reply.code(401).send({ error: 'Unauthorized' })
     }
     const { key } = request.params
-    const value = variableStore.get('variables', key)
+    const workspaceId = readWorkspaceId(request)
+    const value = variableStore.getVariable(workspaceId, key)
     if (value === null) {
       return reply.code(404).send({ error: `Variable not found: ${key}` })
     }
-    return { success: true, key, value }
+    return { success: true, key, value, workspace_id: workspaceId }
   })
 
   fastify.put('/api/variables/:key', async (request, reply) => {
@@ -60,6 +73,7 @@ function variableRoutes(fastify, _opts, done) {
     }
     const { key } = request.params
     const { value } = request.body || {}
+    const workspaceId = readWorkspaceId(request)
 
     if (!isValidKey(key)) {
       return reply.code(400).send({ error: 'Invalid key. Use alphanumeric characters and underscores (1-100 chars).' })
@@ -68,8 +82,8 @@ function variableRoutes(fastify, _opts, done) {
       return reply.code(400).send({ error: 'Invalid value. Must be a string, no newlines, max 2000 chars.' })
     }
 
-    variableStore.set('variables', key, value)
-    return { success: true, key, value }
+    variableStore.setVariable(workspaceId, key, value)
+    return { success: true, key, value, workspace_id: workspaceId }
   })
 
   fastify.delete('/api/variables/:key', async (request, reply) => {
@@ -77,22 +91,45 @@ function variableRoutes(fastify, _opts, done) {
       return reply.code(401).send({ error: 'Unauthorized' })
     }
     const { key } = request.params
-    const removed = variableStore.remove('variables', key)
+    const workspaceId = readWorkspaceId(request)
+    const removed = variableStore.removeVariable(workspaceId, key)
     if (!removed) {
       return reply.code(404).send({ error: `Variable not found: ${key}` })
     }
-    return { success: true, key }
+    return { success: true, key, workspace_id: workspaceId }
   })
 
-  // ─── Secrets (sensitive) ─────────────────────────────────────────────
+  // List the workspace scopes (workspace_ids) that currently hold any
+  // variable. '' represents the minion-wide bucket.
+  fastify.get('/api/variables/scopes', async (request, reply) => {
+    if (!verifyToken(request)) {
+      return reply.code(401).send({ error: 'Unauthorized' })
+    }
+    return { success: true, scopes: variableStore.listVariableScopes() }
+  })
+
+  // ─── Secrets (sensitive, workspace-scoped) ────────────────────────────
+  //
+  // Secrets are scoped per workspace. Pass ?workspace_id=<uuid> to target a
+  // specific workspace's bucket; omit it (or pass '') for the minion-wide
+  // bucket. At skill execution time, the runner merges minion-wide +
+  // current-workspace secrets, with WS-scoped values overriding.
+  //
+  // Values are never returned via the API by design — only key names. Secrets
+  // never leave the minion: the HQ proxy is a pure pass-through.
+
+  function readWorkspaceId(request) {
+    const rawWs = request.query?.workspace_id
+    return (typeof rawWs === 'string') ? rawWs : ''
+  }
 
   fastify.get('/api/secrets', async (request, reply) => {
     if (!verifyToken(request)) {
       return reply.code(401).send({ error: 'Unauthorized' })
     }
-    // Return keys only — never expose secret values via API
-    const keys = variableStore.listKeys('secrets')
-    return { success: true, keys }
+    const workspaceId = readWorkspaceId(request)
+    const keys = variableStore.listSecretKeys(workspaceId)
+    return { success: true, workspace_id: workspaceId, keys }
   })
 
   fastify.put('/api/secrets/:key', async (request, reply) => {
@@ -101,6 +138,7 @@ function variableRoutes(fastify, _opts, done) {
     }
     const { key } = request.params
     const { value } = request.body || {}
+    const workspaceId = readWorkspaceId(request)
 
     if (!isValidKey(key)) {
       return reply.code(400).send({ error: 'Invalid key. Use alphanumeric characters and underscores (1-100 chars).' })
@@ -109,8 +147,8 @@ function variableRoutes(fastify, _opts, done) {
       return reply.code(400).send({ error: 'Invalid value. Must be a string, no newlines, max 2000 chars.' })
     }
 
-    variableStore.set('secrets', key, value)
-    return { success: true, key }
+    variableStore.setSecret(workspaceId, key, value)
+    return { success: true, key, workspace_id: workspaceId }
   })
 
   fastify.delete('/api/secrets/:key', async (request, reply) => {
@@ -118,11 +156,23 @@ function variableRoutes(fastify, _opts, done) {
       return reply.code(401).send({ error: 'Unauthorized' })
     }
     const { key } = request.params
-    const removed = variableStore.remove('secrets', key)
+    const workspaceId = readWorkspaceId(request)
+    const removed = variableStore.removeSecret(workspaceId, key)
     if (!removed) {
       return reply.code(404).send({ error: `Secret not found: ${key}` })
     }
-    return { success: true, key }
+    return { success: true, key, workspace_id: workspaceId }
+  })
+
+  // List the scopes (workspace_ids) that currently hold any secret.
+  // '' represents the minion-wide bucket. Useful for the dashboard secrets
+  // editor to populate the workspace selector even when a workspace has no
+  // active minion membership yet.
+  fastify.get('/api/secrets/scopes', async (request, reply) => {
+    if (!verifyToken(request)) {
+      return reply.code(401).send({ error: 'Unauthorized' })
+    }
+    return { success: true, scopes: variableStore.listSecretScopes() }
   })
 
   done()