@geekbeer/minion 3.55.1 → 3.58.0

package/core/stores/variable-store.js

@@ -1,34 +1,69 @@
 /**
  * Variable Store
  *
- * Manages minion-local secrets and variables stored in .env-style files.
- * - Secrets: ~/.minion/.env.secrets (or DATA_DIR/.env.secrets)
- * - Variables: ~/.minion/.env.variables (or DATA_DIR/.env.variables)
+ * Manages minion-local variables and secrets — both workspace-scoped.
  *
- * Files use standard .env format: KEY=value (one per line, # for comments).
- * Secrets never leave the minion; variables are non-sensitive configuration.
+ * Storage: SQLite tables `variables(workspace_id, key, value, updated_at)`
+ * and `secrets(workspace_id, key, value, updated_at)`. `workspace_id=''` is
+ * the minion-wide bucket; any other value is a workspace-specific bucket.
+ *
+ * At skill execution time the runner / template-expander merges
+ * minion-wide + current-workspace entries for the relevant scope, with the
+ * WS-scoped value winning on conflict.
+ *
+ * Migration: on first read after the SQLite tables are created, any legacy
+ * `.env.variables` / `.env.secrets` flat files are imported into the
+ * minion-wide bucket and renamed to `.env.variables.migrated` /
+ * `.env.secrets.migrated` (kept as one-time backups).
+ *
+ * Secrets never leave the minion and are never persisted in HQ DB. Variables
+ * are non-sensitive and may also be defined at HQ scopes (workspace /
+ * project / workflow); see packages/docs-internal/src/content/docs/design/
+ * variables-and-secrets.md for the full resolution model.
  */
 
 const fs = require('fs')
 const path = require('path')
 const { DATA_DIR } = require('../lib/platform')
 const { config } = require('../config')
+const { getDb } = require('../db')
 
 /**
- * Resolve file path for a given store type.
- * @param {'secrets' | 'variables'} type
+ * Resolve the legacy `.env.variables` path (for one-time migration).
  * @returns {string}
  */
-function getFilePath(type) {
-  const filename = type === 'secrets' ? '.env.secrets' : '.env.variables'
+function getLegacyVariablesFilePath() {
   try {
     fs.accessSync(DATA_DIR, fs.constants.W_OK)
-    return path.join(DATA_DIR, filename)
+    return path.join(DATA_DIR, '.env.variables')
   } catch {
-    return path.join(config.HOME_DIR, '.minion', filename)
+    return path.join(config.HOME_DIR, '.minion', '.env.variables')
   }
 }
 
+/**
+ * Resolve the legacy `.env.secrets` path (for one-time migration).
+ * @returns {string}
+ */
+function getLegacySecretsFilePath() {
+  try {
+    fs.accessSync(DATA_DIR, fs.constants.W_OK)
+    return path.join(DATA_DIR, '.env.secrets')
+  } catch {
+    return path.join(config.HOME_DIR, '.minion', '.env.secrets')
+  }
+}
+
+/**
+ * Normalize a workspace identifier to its canonical string form.
+ * '' (empty string) represents the minion-wide bucket.
+ * @param {string|null|undefined} workspaceId
+ * @returns {string}
+ */
+function normalizeWorkspaceId(workspaceId) {
+  return workspaceId == null ? '' : String(workspaceId)
+}
+
 /**
  * Parse a .env file into a key-value object.
  * @param {string} filePath
@@ -54,105 +89,272 @@ function parseEnvFile(filePath) {
   return result
 }
 
+// ─── Legacy flat-file → SQLite migration ────────────────────────────────────
+
+let _legacyVariablesMigrationDone = false
+let _legacySecretsMigrationDone = false
+
+function migrateLegacyFile(legacyPath, table, doneFlagRef) {
+  if (doneFlagRef.done) return
+  doneFlagRef.done = true
+
+  let entries
+  try {
+    entries = parseEnvFile(legacyPath)
+  } catch {
+    return
+  }
+  const keys = Object.keys(entries)
+  if (keys.length === 0) return
+
+  const db = getDb()
+  const now = Date.now()
+  const insert = db.prepare(
+    `INSERT OR IGNORE INTO ${table} (workspace_id, key, value, updated_at) VALUES (?, ?, ?, ?)`
+  )
+  const tx = db.transaction(() => {
+    for (const k of keys) {
+      insert.run('', k, String(entries[k] ?? ''), now)
+    }
+  })
+  tx()
+
+  try {
+    fs.renameSync(legacyPath, `${legacyPath}.migrated`)
+    console.log(`[VariableStore] Migrated ${keys.length} legacy ${table} entry/ies from ${legacyPath} into SQLite (minion-wide scope)`)
+  } catch (err) {
+    console.error(`[VariableStore] Migrated ${table} to SQLite but failed to rename ${legacyPath}: ${err.message}`)
+  }
+}
+
+const _variablesFlag = { done: false }
+const _secretsFlag = { done: false }
+
+function migrateLegacyVariablesFile() {
+  migrateLegacyFile(getLegacyVariablesFilePath(), 'variables', _variablesFlag)
+}
+
+function migrateLegacySecretsFile() {
+  migrateLegacyFile(getLegacySecretsFilePath(), 'secrets', _secretsFlag)
+}
+
+// ─── Generic table operations (variables and secrets share the shape) ───────
+
+function getRowsForScope(table, workspaceId) {
+  const wsId = normalizeWorkspaceId(workspaceId)
+  const db = getDb()
+  return db.prepare(`SELECT key, value FROM ${table} WHERE workspace_id = ? ORDER BY key`).all(wsId)
+}
+
+function getScopeAsObject(table, workspaceId) {
+  const rows = getRowsForScope(table, workspaceId)
+  const out = {}
+  for (const r of rows) out[r.key] = r.value
+  return out
+}
+
+function getEffective(table, workspaceId) {
+  const wide = getScopeAsObject(table, '')
+  if (!workspaceId) return wide
+  const scoped = getScopeAsObject(table, workspaceId)
+  return { ...wide, ...scoped }
+}
+
+function upsertEntry(table, workspaceId, key, value) {
+  const wsId = normalizeWorkspaceId(workspaceId)
+  const db = getDb()
+  db.prepare(`
+    INSERT INTO ${table} (workspace_id, key, value, updated_at) VALUES (?, ?, ?, ?)
+    ON CONFLICT(workspace_id, key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at
+  `).run(wsId, key, String(value ?? ''), Date.now())
+  return wsId
+}
+
+function deleteEntry(table, workspaceId, key) {
+  const wsId = normalizeWorkspaceId(workspaceId)
+  const db = getDb()
+  const info = db.prepare(`DELETE FROM ${table} WHERE workspace_id = ? AND key = ?`).run(wsId, key)
+  return { removed: info.changes > 0, wsId }
+}
+
+function listScopes(table) {
+  const db = getDb()
+  const rows = db.prepare(`SELECT DISTINCT workspace_id FROM ${table}`).all()
+  return rows.map(r => r.workspace_id)
+}
+
+// ─── Variables (workspace-scoped) ────────────────────────────────────────────
+
+function getVariablesForScope(workspaceId) {
+  migrateLegacyVariablesFile()
+  return getScopeAsObject('variables', workspaceId)
+}
+
 /**
- * Write a key-value object to a .env file.
- * @param {string} filePath
- * @param {Record<string, string>} data
+ * Merge minion-wide and workspace-scoped variables. Workspace-scoped values
+ * override minion-wide values when the key is the same.
  */
-function writeEnvFile(filePath, data) {
-  const dir = path.dirname(filePath)
-  fs.mkdirSync(dir, { recursive: true })
+function getEffectiveVariables(workspaceId) {
+  migrateLegacyVariablesFile()
+  return getEffective('variables', workspaceId)
+}
+
+function getVariable(workspaceId, key) {
+  const all = getVariablesForScope(workspaceId)
+  return all[key] ?? null
+}
 
-  const lines = Object.entries(data).map(([key, value]) => `${key}=${value}`)
-  fs.writeFileSync(filePath, lines.join('\n') + '\n', 'utf-8')
+function setVariable(workspaceId, key, value) {
+  migrateLegacyVariablesFile()
+  const wsId = upsertEntry('variables', workspaceId, key, value)
+  console.log(`[VariableStore] Set variable (scope=${wsId || 'minion-wide'}): ${key}`)
+}
+
+function removeVariable(workspaceId, key) {
+  migrateLegacyVariablesFile()
+  const { removed, wsId } = deleteEntry('variables', workspaceId, key)
+  if (removed) {
+    console.log(`[VariableStore] Removed variable (scope=${wsId || 'minion-wide'}): ${key}`)
+  }
+  return removed
+}
+
+function listVariableKeys(workspaceId) {
+  migrateLegacyVariablesFile()
+  const rows = getRowsForScope('variables', workspaceId)
+  return rows.map(r => r.key)
+}
+
+function listVariableScopes() {
+  migrateLegacyVariablesFile()
+  return listScopes('variables')
+}
+
+// ─── Secrets (workspace-scoped, sensitive) ───────────────────────────────────
+
+function getSecretsForScope(workspaceId) {
+  migrateLegacySecretsFile()
+  return getScopeAsObject('secrets', workspaceId)
+}
+
+function getEffectiveSecrets(workspaceId) {
+  migrateLegacySecretsFile()
+  return getEffective('secrets', workspaceId)
+}
+
+function listSecretKeys(workspaceId) {
+  migrateLegacySecretsFile()
+  const rows = getRowsForScope('secrets', workspaceId)
+  return rows.map(r => r.key)
 }
 
 /**
- * Get all key-value pairs for a store type.
- * @param {'secrets' | 'variables'} type
- * @returns {Record<string, string>}
+ * Set (insert or update) a secret value in the given scope.
+ *
+ * For minion-wide secrets (workspace_id=''), the value is also synced into
+ * `process.env` so in-process consumers (chat plugin sessions, ad-hoc Bash
+ * commands) see the change immediately without restarting the server.
+ *
+ * WS-scoped secrets are NEVER written to `process.env` to prevent cross-WS
+ * leakage; runners must call `getEffectiveSecrets(workspaceId)` and inject
+ * them explicitly into the session env.
  */
+function setSecret(workspaceId, key, value) {
+  migrateLegacySecretsFile()
+  const wsId = upsertEntry('secrets', workspaceId, key, value)
+  if (wsId === '') {
+    process.env[key] = String(value ?? '')
+  }
+  console.log(`[VariableStore] Set secret (scope=${wsId || 'minion-wide'}): ${key}`)
+}
+
+function removeSecret(workspaceId, key) {
+  migrateLegacySecretsFile()
+  const { removed, wsId } = deleteEntry('secrets', workspaceId, key)
+  if (removed) {
+    if (wsId === '') {
+      delete process.env[key]
+    }
+    console.log(`[VariableStore] Removed secret (scope=${wsId || 'minion-wide'}): ${key}`)
+  }
+  return removed
+}
+
+function listSecretScopes() {
+  migrateLegacySecretsFile()
+  return listScopes('secrets')
+}
+
+// ─── Generic / legacy dispatchers (back-compat) ─────────────────────────────
+//
+// The original API used `getAll('variables')` / `getAll('secrets')` etc. with
+// no workspace awareness. We retain the same names but route them to the
+// minion-wide bucket so any straggler caller keeps working.
+
 function getAll(type) {
-  return parseEnvFile(getFilePath(type))
+  if (type === 'secrets') return getSecretsForScope('')
+  return getVariablesForScope('')
 }
 
-/**
- * Get a single value by key.
- * @param {'secrets' | 'variables'} type
- * @param {string} key
- * @returns {string | null}
- */
 function get(type, key) {
-  const data = getAll(type)
-  return data[key] ?? null
+  if (type === 'secrets') {
+    const all = getSecretsForScope('')
+    return all[key] ?? null
+  }
+  return getVariable('', key)
 }
 
-/**
- * Set a key-value pair (creates or updates).
- * Only secrets are synced to process.env (for child process inheritance).
- * Variables use {{VAR}} template expansion in skill content instead.
- * @param {'secrets' | 'variables'} type
- * @param {string} key
- * @param {string} value
- */
 function set(type, key, value) {
-  const filePath = getFilePath(type)
-  const data = parseEnvFile(filePath)
-  data[key] = value
-  writeEnvFile(filePath, data)
-  // Only sync secrets to process.env; variables use template expansion instead
   if (type === 'secrets') {
-    process.env[key] = value
+    setSecret('', key, value)
+    return
   }
-  console.log(`[VariableStore] Set ${type} key: ${key}`)
+  setVariable('', key, value)
 }
 
-/**
- * Remove a key.
- * @param {'secrets' | 'variables'} type
- * @param {string} key
- * @returns {boolean} true if key existed
- */
 function remove(type, key) {
-  const filePath = getFilePath(type)
-  const data = parseEnvFile(filePath)
-  if (!(key in data)) return false
-  delete data[key]
-  writeEnvFile(filePath, data)
-  // Only sync secrets to process.env; variables use template expansion instead
-  if (type === 'secrets') {
-    delete process.env[key]
-  }
-  console.log(`[VariableStore] Removed ${type} key: ${key}`)
-  return true
+  if (type === 'secrets') return removeSecret('', key)
+  return removeVariable('', key)
 }
 
-/**
- * List all keys for a store type.
- * @param {'secrets' | 'variables'} type
- * @returns {string[]}
- */
 function listKeys(type) {
-  return Object.keys(getAll(type))
+  if (type === 'secrets') return listSecretKeys('')
+  return listVariableKeys('')
 }
 
 /**
- * Build environment object from minion secrets only.
- * Variables are no longer injected as env vars; they use {{VAR}} template
- * expansion in skill content (same mechanism as project/workflow variables).
- *
- * @returns {Record<string, string>} Secret key-value pairs for process.env
+ * @deprecated Use `getEffectiveSecrets(workspaceId)` instead. Retained so any
+ * stragglers continue compiling; returns minion-wide secrets only.
  */
 function buildEnv() {
-  return getAll('secrets')
+  return getSecretsForScope('')
 }
 
 module.exports = {
+  // Generic (back-compat)
   getAll,
   get,
   set,
   remove,
   listKeys,
   buildEnv,
-  getFilePath,
+
+  // Variables (workspace-scoped)
+  getVariablesForScope,
+  getEffectiveVariables,
+  getVariable,
+  setVariable,
+  removeVariable,
+  listVariableKeys,
+  listVariableScopes,
+  migrateLegacyVariablesFile,
+
+  // Secrets (workspace-scoped)
+  getSecretsForScope,
+  getEffectiveSecrets,
+  listSecretKeys,
+  setSecret,
+  removeSecret,
+  listSecretScopes,
+  migrateLegacySecretsFile,
 }

package/docs/api-reference.md

@@ -504,7 +504,7 @@ POST `/api/threads` body (プロジェクト紐づきディスカッション):
 | `thread_type` | string | No | `help`（デフォルト）or `discussion` |
 | `title` | string | Yes | スレッドの要約 |
 | `content` | string | Yes | スレッド本文（thread_messagesの最初のメッセージとして保存） |
-| `mentions` | string[] | No | メンション対象。形式: `role:engineer`, `role:pm`, `minion:<minion_id>`, `user` |
+| `mentions` | string[] | No | メンション対象。形式: `user:<auth_user_id>` (個別指名・推奨), `role:engineer`, `role:pm`, `role:accountant`, `minion:<minion_id>`, `user` (誰でも良い場合のフォールバック) |
 | `context` | object | No | 任意のメタデータ（category, urgency, dag_execution_id等） |
 
 **プロジェクト紐づけの使い分け:**
@@ -520,7 +520,11 @@ POST `/api/threads` body (プロジェクト紐づきディスカッション):
 - メンションされたミニオンは優先的にスレッドを評価する
 - メンションがない場合、全チームメンバーがLLMで関連性を判定してから参加
 - トークン消費を抑えるため、当事者が明確な場合はメンションを推奨
-- ミニオンが自力で解決できない場合、`@user` メンション付きで返信して人間に助けを求める
+
+**人間へのメンション (重要):**
+1. **個別指名 `user:<auth_user_id>`** を最優先で使う。`/api/minion/me/project/:id/members` または `/api/minion/workspaces/:id/members` で人間メンバーの `user_id` を引いてから指定する。同名 `display_name` が複数いるワークスペースでも誤通知しない
+2. **`role:pm` / `role:engineer` / `role:accountant`** はプロジェクトの該当ロール全員に届く（プロジェクト紐づきスレッドのみ）
+3. **`user` (generic)** はプロジェクトメンバーの人間全員に届く。プロジェクト紐づきでないワークスペーススレッドでは workspace_members 全員。「誰でも良い」場合のフォールバック扱いで、原則 1 か 2 を先に検討する
 
 POST `/api/threads/:id/messages` body:
 ```json
@@ -811,6 +815,46 @@ Response:
 
 `role` is one of `"pm"` (project manager), `"engineer"`, or `"accountant"`.
 
+### Project Members
+
+| Method | Endpoint | Description |
+|--------|----------|-------------|
+| GET | `/api/minion/me/project/[id]/members` | プロジェクトのメンバー一覧（ミニオン+人間） |
+
+Response:
+```json
+{
+  "minions": [
+    { "minion_id": "uuid", "name": "Mary", "status": "online", "role": "pm", "joined_at": "..." }
+  ],
+  "humans": [
+    { "user_id": "uuid", "display_name": "yunoda", "email": "yunoda@example.com", "role": "engineer", "joined_at": "..." }
+  ]
+}
+```
+
+スレッドに `user:<auth_user_id>` で個別指名する前に、このエンドポイントで `user_id` を引いてくる。`display_name` が重複するワークスペースで誤通知を避けるため、ミニオンは必ず `email` または既知の `user_id` で当人を特定すること。`role` はプロジェクトロール (`pm` / `engineer` / `accountant`)。
+
+### Workspace Members
+
+| Method | Endpoint | Description |
+|--------|----------|-------------|
+| GET | `/api/minion/workspaces/[id]/members` | ワークスペースのメンバー一覧（人間+ミニオン） |
+
+Response:
+```json
+{
+  "humans": [
+    { "user_id": "uuid", "display_name": "yunoda", "email": "yunoda@example.com", "role": "owner", "joined_at": "..." }
+  ],
+  "minions": [
+    { "minion_id": "uuid", "name": "Mary", "status": "online", "joined_at": "..." }
+  ]
+}
+```
+
+プロジェクト紐づきがないワークスペーススレッド（朝作業ルーティンのブロッカー報告など）でメンション先を引きたいときに使う。`role` はワークスペースロール (`owner` / `admin` / `member`)。
+
 ### Project Context
 
 | Method | Endpoint | Description |
@@ -849,15 +893,30 @@ Response:
 
 #### 変数とシークレットの違い
 
-**変数**（ミニオン変数・プロジェクト変数）はスキル本文の `{{VAR_NAME}}` テンプレートとして実行時に展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述する。
+**変数**（ワークスペース変数・プロジェクト変数・ワークフロー変数・ミニオン変数）はスキル本文の `{{VAR_NAME}}` テンプレートとして実行時に展開される。スキル作成時にパラメータ化したい値は `{{変数名}}` で記述する。
 
-**シークレット**（ミニオンシークレット）は環境変数 `$SECRET_NAME` としてプロセスに注入される。APIキーやパスワード等の機密情報に使用する。テンプレート展開は行われない。
+**シークレット**は環境変数 `$SECRET_NAME` としてプロセスに注入される。APIキーやパスワード等の機密情報に使用する。テンプレート展開は行われない。ワークスペース別にスコープ可能(後述)。
 
 #### テンプレート変数の展開優先順位
 
-同名の変数が複数のスコープで定義されている場合、以下の順序で上書きされる:
-1. ミニオン変数（最低優先）
-2. プロジェクト変数（最優先）
+同名の変数が複数のスコープで定義されている場合、以下の順序で上書きされる(後者が優先):
+1. ワークスペース変数（最低優先・全ワークスペース配下で共有）
+2. プロジェクト変数
+3. ワークフロー変数
+4. ミニオン変数（最優先・実行マシン固有の最終オーバーライド）
+
+ワークスペース／プロジェクト／ワークフロー変数はHQ側で展開された SKILL.md がミニオンに配信され、最後にミニオンローカルでミニオン変数が展開される。
+
+#### シークレットのワークスペーススコープ
+
+1つのミニオンが複数ワークスペースを担当する場合、シークレットはワークスペース別に管理される:
+
+| スコープ | 保存形式 | 注入先のセッション |
+|---------|---------|---------------------|
+| ミニオン全体 | SQLite `secrets` テーブル `workspace_id=''` | すべて（サーバー起動時 `process.env` にロード、子プロセスが継承） |
+| ワークスペース別 | SQLite `secrets` テーブル `workspace_id=<uuid>` | そのワークスペースのコンテキストで動くランナーのみ（実行時注入、`process.env` には載らない） |
+
+同名キーがある場合はワークスペース別が優先される。`/api/secrets/*` エンドポイントは `?workspace_id=<uuid>` クエリパラメータでスコープを指定する。省略または空文字でミニオン全体を操作する。シークレット値はHQ DBには保存されず、HQ APIはpass-throughとして中継するのみ。
 
 ### Project Tasks
 

package/linux/routine-runner.js

@@ -16,12 +16,14 @@ const crypto = require('crypto')
 const fs = require('fs').promises
 const execAsync = promisify(exec)
 
-const { config } = require('../core/config')
+const { config, isHqConfigured } = require('../core/config')
+const api = require('../core/api')
 const executionStore = require('../core/stores/execution-store')
 const routineStore = require('../core/stores/routine-store')
 const logManager = require('../core/lib/log-manager')
 const runningTasks = require('../core/lib/running-tasks')
 const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
+const { buildTmuxNewSessionCommand } = require('../core/lib/session-env')
 const { getActivePrimary } = require('../core/llm-plugins/lib/active')
 const os = require('os')
 const path = require('path')
@@ -40,6 +42,32 @@ function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms))
 }
 
+/**
+ * Fetch workspace-scoped variables for a routine from HQ.
+ * Returns an empty object when the routine isn't bound to a workspace or HQ
+ * is unreachable; the runner continues with minion-local vars only.
+ *
+ * Workspace secrets are NOT fetched — secrets remain minion-local only (the
+ * HQ DB never stores secret values, by design).
+ *
+ * @param {string} workspaceId - Routine.workspace_id (may be falsy)
+ * @returns {Promise<Record<string, string>>}
+ */
+async function fetchWorkspaceVars(workspaceId) {
+  if (!workspaceId || !isHqConfigured()) return {}
+  try {
+    const result = await api.request(`/workspaces/${workspaceId}/variables`)
+    const vars = {}
+    for (const v of (result?.variables || [])) {
+      if (v && typeof v.key === 'string') vars[v.key] = String(v.value ?? '')
+    }
+    return vars
+  } catch (err) {
+    console.error(`[RoutineRunner] Failed to fetch workspace vars (${workspaceId}): ${err.message}`)
+    return {}
+  }
+}
+
 /**
  * Generate tmux session name from routine ID and execution ID
  * Format: rt-{routineId first 8}-{executionId first 4}
@@ -90,10 +118,15 @@ async function executeRoutineSession(routine, executionId, skillNames) {
   console.log(`[RoutineRunner] tmux session: ${sessionName}`)
   console.log(`[RoutineRunner] Log file: ${logFile}`)
 
-  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  // Fetch HQ workspace variables when the routine is bound to a workspace.
+  // Minion variables (minion-wide ∪ WS-scoped, resolved inside the expander
+  // via workspaceId) override these as the final layer.
+  const workspaceVars = await fetchWorkspaceVars(routine.workspace_id)
+
+  // Expand {{VAR}} templates in SKILL.md files
   let expandedOriginals = new Map()
   try {
-    expandedOriginals = await expandSkillTemplates(skillNames)
+    expandedOriginals = await expandSkillTemplates(skillNames, workspaceVars, routine.workspace_id || '')
     if (expandedOriginals.size > 0) {
       console.log(`[RoutineRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
     }
@@ -142,14 +175,19 @@ async function executeRoutineSession(routine, executionId, skillNames) {
     )
     await execAsync(`chmod +x "${execScript}"`)
 
-    const tmuxCommand = [
-      'tmux new-session -d',
-      `-s "${sessionName}"`,
-      '-x 200 -y 50',
-      `-e "MINION_EXECUTION_ID=${executionId}"`,
-      `-e "MINION_ROUTINE_ID=${routine.id}"`,
-      `-e "MINION_ROUTINE_NAME=${routine.name.replace(/"/g, '\\"')}"`,
-    ].join(' ')
+    // Build tmux invocation with workspace-effective secrets + per-execution
+    // identifiers. Secrets come from variable-store (minion-wide ∪ WS-scoped,
+    // with WS values winning); identifiers always override on top.
+    const tmuxCommand = buildTmuxNewSessionCommand({
+      sessionName,
+      workspaceId: routine.workspace_id || '',
+      extraEnv: {
+        MINION_EXECUTION_ID: executionId,
+        MINION_ROUTINE_ID: routine.id,
+        MINION_ROUTINE_NAME: routine.name,
+        MINION_ROUTINE_WORKSPACE_ID: routine.workspace_id || '',
+      },
+    })
 
     await execAsync(tmuxCommand, { cwd: homeDir })
 

package/linux/workflow-runner.js

@@ -22,6 +22,7 @@ const workflowStore = require('../core/stores/workflow-store')
 const logManager = require('../core/lib/log-manager')
 const runningTasks = require('../core/lib/running-tasks')
 const { expandSkillTemplates, restoreSkillTemplates } = require('../core/lib/template-expander')
+const { buildTmuxNewSessionCommand } = require('../core/lib/session-env')
 const { getActivePrimary } = require('../core/llm-plugins/lib/active')
 const os = require('os')
 const path = require('path')
@@ -139,10 +140,13 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
   console.log(`[WorkflowRunner] Log file: ${logFile}`)
   console.log(`[WorkflowRunner] HOME: ${homeDir}`)
 
-  // Expand {{VAR}} templates in SKILL.md files with minion variables
+  // Expand {{VAR}} templates in SKILL.md files with minion variables effective
+  // for this workflow's workspace (minion-wide ∪ WS-scoped, WS wins). HQ has
+  // already expanded workspace/project/workflow scopes before delivering the
+  // SKILL.md, so this layer only resolves remaining placeholders.
   let expandedOriginals = new Map()
   try {
-    expandedOriginals = await expandSkillTemplates(skillNames)
+    expandedOriginals = await expandSkillTemplates(skillNames, {}, workflow.workspace_id || '')
     if (expandedOriginals.size > 0) {
       console.log(`[WorkflowRunner] Expanded templates in ${expandedOriginals.size} skill(s)`)
     }
@@ -200,12 +204,19 @@ async function executeWorkflowSession(workflow, executionId, skillNames, options
     )
     await execAsync(`chmod +x "${execScript}"`)
 
-    // PATH, HOME, DISPLAY, and minion secrets are already set in
-    // process.env at server startup, so child processes inherit them automatically.
-    await execAsync(
-      `tmux new-session -d -s "${sessionName}" -x 200 -y 50`,
-      { cwd: homeDir },
-    )
+    // PATH, HOME and DISPLAY are inherited from process.env (set at startup);
+    // workspace-scoped secrets are passed explicitly via `-e` here so each
+    // session only sees secrets relevant to its workspace context.
+    const tmuxCommand = buildTmuxNewSessionCommand({
+      sessionName,
+      workspaceId: workflow.workspace_id || '',
+      extraEnv: {
+        MINION_EXECUTION_ID: executionId,
+        MINION_WORKFLOW_ID: workflow.id || '',
+        MINION_WORKFLOW_WORKSPACE_ID: workflow.workspace_id || '',
+      },
+    })
+    await execAsync(tmuxCommand, { cwd: homeDir })
 
     // Keep session alive after command completes (for debugging via terminal mirror)
     await execAsync(`tmux set-option -t "${sessionName}" remain-on-exit on`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekbeer/minion",
-  "version": "3.55.1",
+  "version": "3.58.0",
   "description": "AI Agent runtime for Minion - manages status and skill deployment on VPS",
   "main": "linux/server.js",
   "bin": {