mygensite 1.4.0 → 2.0.0

package/.claude-plugin/marketplace.json

@@ -0,0 +1,24 @@
+{
+  "name": "theconnectsoft-mygensite",
+  "owner": {
+    "name": "TheConnectSoft",
+    "email": "dev@theconnectsoft.com"
+  },
+  "metadata": {
+    "description": "Share your localhost or static sites via mygen.site with 2-layer access control",
+    "version": "2.0.0"
+  },
+  "plugins": [
+    {
+      "name": "mygensite",
+      "source": "./",
+      "description": "Share what you built via mygen.site — tunnels and static deploys with 2-layer access control (network: public/ip + auth: password/google/telegram)",
+      "version": "2.0.0",
+      "author": {
+        "name": "TheConnectSoft"
+      },
+      "homepage": "https://mygen.site",
+      "license": "MIT"
+    }
+  ]
+}

package/.claude-plugin/plugin.json

@@ -0,0 +1,14 @@
+{
+  "name": "mygensite",
+  "description": "Share your localhost or static sites via mygen.site with access control",
+  "version": "1.0.0",
+  "author": {
+    "name": "TheConnectSoft",
+    "email": "dev@theconnectsoft.com",
+    "url": "https://mygen.site"
+  },
+  "homepage": "https://mygen.site",
+  "repository": "https://github.com/theconnectsoft/mygensite",
+  "license": "MIT",
+  "keywords": ["tunnel", "deploy", "share", "mygen.site"]
+}

package/README.en.md

@@ -2,7 +2,7 @@
 
 Expose your localhost to the world via [mygen.site](https://mygen.site) with access control.
 
-A fork of [localtunnel](https://github.com/localtunnel/localtunnel) with extended features: password protection, IP whitelisting, TTL, owner management, and admin tokens.
+A fork of [localtunnel](https://github.com/localtunnel/localtunnel) with extended features: 2-layer access control (network + auth), Google OAuth, Telegram login, TTL, owner management, and admin tokens.
 
 ## Quickstart
 
@@ -40,13 +40,16 @@ Below are some common arguments. See `mygensite --help` for all options.
 - `--subdomain` request a named subdomain (default is random)
 - `--host` upstream server URL (default: `https://mygen.site`)
 - `--local-host` proxy to a hostname other than localhost
-- `--access` access control mode: `public`, `password`, `ip_only`, `both` (default: `both`)
-- `--password` password for access control (auto-generated if omitted)
+- `--access` network layer: `public`, `ip` (default: `public`)
+- `--auth-method` auth layer (CSV): `password`, `google`, `telegram`
+- `--password` password (when auth-method includes password)
+- `--google` allowed Google email(s)
+- `--telegram` allowed Telegram user ID(s)
 - `--owner-email` owner email for dashboard management
 - `--ttl` tunnel TTL in seconds, 60-86400 (default: 3600)
 
 ```
-mygensite --port 3000 --subdomain my-app --access password --password secret --ttl 7200
+mygensite --port 3000 --subdomain my-app --auth-method password --password secret --ttl 7200
 ```
 
 Output includes URL, password, and admin_token for runtime management.
@@ -70,7 +73,7 @@ const mygensite = require('mygensite');
   const tunnel = await mygensite({
     port: 3000,
     subdomain: 'my-app',
-    access: 'password',
+    auth_method: 'password',
     password: 'secret',
     owner_email: 'alice@company.com',
     ttl: 3600,
@@ -79,7 +82,7 @@ const mygensite = require('mygensite');
   console.log(tunnel.url);           // https://my-app.mygen.site
   console.log(tunnel.password);      // "secret"
   console.log(tunnel.admin_token);   // "tok_xxx"
-  console.log(tunnel.access);        // { mode: "password", ... }
+  console.log(tunnel.access);        // "public"
   console.log(tunnel.expires_at);    // "2025-06-01T13:00:00Z"
 
   tunnel.on('close', () => {
@@ -104,9 +107,12 @@ const mygensite = require('mygensite');
 
 ##### mygensite extensions
 
-- `access` (string) Access control mode: `public`, `password`, `ip_only`, `both`. Default: `both`.
-- `password` (string) Password for access control. Auto-generated if omitted.
-- `allowed_ips` (string[]) IP whitelist for `ip_only` or `both` mode. Supports CIDR notation.
+- `access` (string) Network access: `public`, `ip`. Default: `public`.
+- `auth_method` (string) Auth methods CSV: `password`, `google`, `telegram`. Default: none.
+- `password` (string) Password (when auth_method includes 'password'). Auto-generated if omitted.
+- `allowed_ips` (string[]) IP whitelist for `ip` access. Supports CIDR notation.
+- `google` (string|string[]) Allowed Google email(s) (when auth_method includes 'google').
+- `telegram` (string|string[]) Allowed Telegram user ID(s) (when auth_method includes 'telegram').
 - `owner_email` (string) Owner email for dashboard management.
 - `ttl` (number) Tunnel TTL in seconds (60-86400). Default: 3600.
 
@@ -135,20 +141,23 @@ const mygensite = require('mygensite');
 | method | args | description |
 | --- | --- | --- |
 | `close()` | | Close the tunnel |
-| `updateAccess(access)` | `{ mode, password, allowed_ips }` | Update access control at runtime. Returns a Promise. |
+| `updateAccess(access)` | `object` | Update access settings at runtime. Returns a Promise. |
 | `extendTTL(ttl)` | seconds (number) | Extend the tunnel TTL. Returns a Promise. |
 
 ### Runtime management
 
 ```js
-// Switch to public access
-await tunnel.updateAccess({ mode: 'public' });
+// Switch to public access (remove auth)
+await tunnel.updateAccess({ auth_method: '' });
 
 // Add password protection
-await tunnel.updateAccess({ mode: 'password', password: 'newpass' });
+await tunnel.updateAccess({ auth_method: 'password', password: 'newpass' });
+
+// Add Google OAuth
+await tunnel.updateAccess({ auth_method: 'password,google', google: 'alice@co.com' });
 
 // Restrict by IP
-await tunnel.updateAccess({ mode: 'ip_only', allowed_ips: ['1.2.3.0/24'] });
+await tunnel.updateAccess({ access: 'ip', allowed_ips: ['1.2.3.0/24'] });
 
 // Extend TTL by 1 hour
 await tunnel.extendTTL(3600);
@@ -227,7 +236,7 @@ validate.validateAccessMode('public');   // { valid: true }
 | 400 | `invalid_slug` | Slug must be 3-63 chars, lowercase alphanumeric and hyphens | Use a valid slug format, e.g. `my-app-1` |
 | 400 | `reserved_slug` | This slug is reserved and cannot be used | Choose a different slug. Reserved: www, api, dashboard, admin, etc. |
 | 400 | `invalid_ttl` | TTL must be between 60 and 86400 seconds | Use a value between 60 (1 min) and 86400 (24 hours) |
-| 400 | `invalid_access` | Access mode must be: public, password, ip_only, both | Use one of the four valid modes |
+| 400 | `invalid_access` | Access must be: public, ip | Use one of the valid access modes |
 | 409 | `slug_in_use` | This slug is already in use | Use a different slug, or omit `subdomain` for a random one |
 | 503 | — | Server is temporarily unavailable | Retry after a few seconds |
 
@@ -237,7 +246,7 @@ validate.validateAccessMode('public');   // { valid: true }
 | --- | --- | --- | --- |
 | 401 | `unauthorized` | Invalid or missing admin_token | Use the `admin_token` returned from tunnel creation |
 | 404 | `not_found` | Service not found | Check that the slug is correct and the tunnel is still active |
-| 400 | `invalid_access` | Invalid access mode | Use one of: public, password, ip_only, both |
+| 400 | `invalid_access` | Access must be: public, ip | Use one of the valid access modes |
 | 400 | `invalid_ttl` | TTL out of range | Use a value between 60 and 86400 |
 
 ### Gateway errors (when accessing the tunnel URL)
@@ -284,9 +293,12 @@ console.log(site.expires_at);    // "2025-06-02T12:00:00Z"
 | `files` | Array | * | — | Alternative to `directory`. Array of `{ name, content, contentType? }` objects. |
 | `subdomain` | string | | random | Request a specific subdomain. |
 | `host` | string | | `https://mygen.site` | Server URL. |
-| `access` | string | | `both` | Access control mode: `public`, `password`, `ip_only`, `both`. |
-| `password` | string | | auto | Password for access control. |
-| `allowed_ips` | string[] | | — | IP whitelist for `ip_only` or `both` mode. CIDR supported. |
+| `access` | string | | `public` | Network access: `public`, `ip`. |
+| `auth_method` | string | | — | Auth methods CSV: `password`, `google`, `telegram`. |
+| `password` | string | | auto | Password (when auth_method includes 'password'). |
+| `google` | string\|string[] | | — | Allowed Google email(s) (when auth_method includes 'google'). |
+| `telegram` | string\|string[] | | — | Allowed Telegram user ID(s) (when auth_method includes 'telegram'). |
+| `allowed_ips` | string[] | | — | IP whitelist for `ip` access. CIDR supported. |
 | `owner_email` | string | | — | Owner email for dashboard management. |
 | `ttl` | number | | 3600 | Site TTL in seconds (60-86400). |
 | `admin_token` | string | | — | Provide for redeployment to an existing slug. |
@@ -313,12 +325,12 @@ Multipart `filename` strips directory paths (e.g. `assets/style.css` becomes `st
 ```bash
 # Flat files (no subdirectories) — filepaths not needed
 curl -X POST https://mygen.site/api/deploy \
-  -F slug=demo -F access='{"mode":"public"}' \
+  -F slug=demo -F access=public \
   -F files=@index.html -F files=@style.css
 
 # With subdirectories — filepaths required
 curl -X POST https://mygen.site/api/deploy \
-  -F slug=demo -F access='{"mode":"public"}' \
+  -F slug=demo -F access=public \
   -F 'filepaths=["index.html","assets/style.css","assets/js/app.js"]' \
   -F files=@index.html \
   -F files=@assets/style.css \
@@ -345,7 +357,7 @@ The returned object contains the deployment result plus convenience methods:
 
 | method | args | description |
 | --- | --- | --- |
-| `updateAccess(access)` | `{ mode, password, allowed_ips }` | Update access control. Returns a Promise. |
+| `updateAccess(access)` | `object` | Update access settings. Returns a Promise. |
 | `extendTTL(ttl)` | seconds (number) | Extend the site TTL. Returns a Promise. |
 | `redeploy(directory)` | directory path (string) | Upload new files, replacing all existing files. Returns a Promise. |
 | `delete(purge?)` | purge (boolean) | Delete the site. `false` = soft delete (files kept), `true` = purge S3 files. Returns a Promise. |
@@ -364,7 +376,7 @@ const site = mygensite.manage({
 });
 
 // Same methods as deploy result
-await site.updateAccess({ mode: 'public' });
+await site.updateAccess({ access: 'public' });
 await site.extendTTL(86400);
 await site.redeploy('./dist-v2');
 await site.delete();
@@ -385,7 +397,7 @@ await site.delete();
 await site.redeploy('./dist-v2');
 
 // Add password protection after deployment
-await site.updateAccess({ mode: 'password', password: 'secret' });
+await site.updateAccess({ auth_method: 'password', password: 'secret' });
 
 // Extend TTL by 24 hours
 await site.extendTTL(86400);

package/README.ko.md

@@ -2,7 +2,7 @@
 
 [mygen.site](https://mygen.site)를 통해 로컬 서버를 접근 제어와 함께 외부에 노출합니다.
 
-[localtunnel](https://github.com/localtunnel/localtunnel) fork에 비밀번호 보호, IP 화이트리스트, TTL, 소유자 관리, admin token 기능을 추가했습니다.
+[localtunnel](https://github.com/localtunnel/localtunnel) fork에 2-레이어 접근 제어(네트워크 + 인증), Google OAuth, Telegram 로그인, TTL, 소유자 관리, admin token 기능을 추가했습니다.
 
 ## 빠른 시작
 
@@ -40,13 +40,16 @@ mygen.site에 연결하여 터널을 생성하고, 사용할 URL을 알려줍니
 - `--subdomain` 원하는 서브도메인 지정 (기본: 랜덤)
 - `--host` 업스트림 서버 URL (기본: `https://mygen.site`)
 - `--local-host` localhost 대신 프록시할 호스트명
-- `--access` 접근 제어 모드: `public`, `password`, `ip_only`, `both` (기본: `both`)
+- `--access` 네트워크 접근 제어: `public`, `ip` (기본: `public`)
+- `--auth-method` 인증 방식 (CSV): `password`, `google`, `telegram`
 - `--password` 접근 제어 비밀번호 (미지정 시 자동 생성)
+- `--google` Google OAuth 허용 이메일 (CSV)
+- `--telegram` Telegram 허용 사용자 ID (CSV)
 - `--owner-email` 대시보드 관리용 소유자 이메일
 - `--ttl` 터널 유효 시간(초), 60-86400 (기본: 3600)
 
 ```
-mygensite --port 3000 --subdomain my-app --access password --password secret --ttl 7200
+mygensite --port 3000 --subdomain my-app --auth-method password --password secret --ttl 7200
 ```
 
 출력에 URL, 비밀번호, admin_token이 포함됩니다.
@@ -70,7 +73,7 @@ const mygensite = require('mygensite');
   const tunnel = await mygensite({
     port: 3000,
     subdomain: 'my-app',
-    access: 'password',
+    auth_method: 'password',
     password: 'secret',
     owner_email: 'alice@company.com',
     ttl: 3600,
@@ -79,7 +82,7 @@ const mygensite = require('mygensite');
   console.log(tunnel.url);           // https://my-app.mygen.site
   console.log(tunnel.password);      // "secret"
   console.log(tunnel.admin_token);   // "tok_xxx"
-  console.log(tunnel.access);        // { mode: "password", ... }
+  console.log(tunnel.access);        // { access: "public", auth_methods: "password", ... }
   console.log(tunnel.expires_at);    // "2025-06-01T13:00:00Z"
 
   tunnel.on('close', () => {
@@ -104,9 +107,12 @@ const mygensite = require('mygensite');
 
 ##### mygensite 확장
 
-- `access` (string) 접근 제어 모드: `public`, `password`, `ip_only`, `both`. 기본값: `both`.
-- `password` (string) 접근 제어 비밀번호. 미지정 시 자동 생성.
-- `allowed_ips` (string[]) `ip_only` 또는 `both` 모드에서 허용할 IP 목록. CIDR 표기 지원.
+- `access` (string) 네트워크 접근 제어 (Layer 1): `public`, `ip`. 기본값: `public`.
+- `auth_method` (string) 인증 방식 (Layer 2, CSV): `password`, `google`, `telegram`. 복수 지정 시 콤마 구분 (예: `password,google`).
+- `password` (string) 접근 제어 비밀번호. `auth_method`에 `password` 포함 시 사용. 미지정 시 자동 생성.
+- `allowed_ips` (string[]) `access`가 `ip`일 때 허용할 IP 목록. CIDR 표기 지원.
+- `google` (string[]) `auth_method`에 `google` 포함 시 허용할 이메일 목록.
+- `telegram` (string[]) `auth_method`에 `telegram` 포함 시 허용할 Telegram 사용자 ID 목록.
 - `owner_email` (string) 대시보드 관리용 소유자 이메일.
 - `ttl` (number) 터널 유효 시간(초), 60-86400. 기본값: 3600.
 
@@ -135,20 +141,20 @@ const mygensite = require('mygensite');
 | 메서드 | 인자 | 설명 |
 | --- | --- | --- |
 | `close()` | | 터널 종료 |
-| `updateAccess(access)` | `{ mode, password, allowed_ips }` | 런타임에 접근 제어 변경. Promise 반환. |
+| `updateAccess(settings)` | object | 런타임에 접근 제어 변경. Promise 반환. |
 | `extendTTL(ttl)` | 초 (number) | 터널 TTL 연장. Promise 반환. |
 
 ### 런타임 관리
 
 ```js
-// 공개로 전환
-await tunnel.updateAccess({ mode: 'public' });
+// 공개로 전환 (인증 제거)
+await tunnel.updateAccess({ access: 'public', auth_method: '' });
 
 // 비밀번호 보호 추가
-await tunnel.updateAccess({ mode: 'password', password: 'newpass' });
+await tunnel.updateAccess({ auth_method: 'password', password: 'newpass' });
 
-// IP 제한
-await tunnel.updateAccess({ mode: 'ip_only', allowed_ips: ['1.2.3.0/24'] });
+// IP 제한 + Google OAuth
+await tunnel.updateAccess({ access: 'ip', allowed_ips: ['1.2.3.0/24'], auth_method: 'google', google: ['user@company.com'] });
 
 // TTL 1시간 연장
 await tunnel.extendTTL(3600);
@@ -227,7 +233,7 @@ validate.validateAccessMode('public');   // { valid: true }
 | 400 | `invalid_slug` | slug는 3-63자, 소문자 영숫자와 하이픈만 가능 | 올바른 형식 사용, 예: `my-app-1` |
 | 400 | `reserved_slug` | 예약된 slug로 사용 불가 | 다른 slug 사용. 예약어: www, api, dashboard, admin 등 |
 | 400 | `invalid_ttl` | TTL은 60-86400초 범위여야 함 | 60(1분) ~ 86400(24시간) 사이 값 사용 |
-| 400 | `invalid_access` | 접근 모드는 public, password, ip_only, both 중 하나 | 4가지 모드 중 하나를 지정 |
+| 400 | `invalid_access` | 접근 모드는 public, ip 중 하나 | `public` 또는 `ip` 중 하나를 지정 |
 | 409 | `slug_in_use` | 이미 사용 중인 slug | 다른 slug 사용, 또는 `subdomain` 생략하여 랜덤 할당 |
 | 503 | — | 서버 일시 장애 | 몇 초 후 재시도 |
 
@@ -237,7 +243,7 @@ validate.validateAccessMode('public');   // { valid: true }
 | --- | --- | --- | --- |
 | 401 | `unauthorized` | admin_token 없음 또는 불일치 | 터널 생성 시 반환된 `admin_token` 사용 |
 | 404 | `not_found` | 서비스 없음 | slug가 맞는지, 터널이 아직 활성 상태인지 확인 |
-| 400 | `invalid_access` | 잘못된 접근 모드 | public, password, ip_only, both 중 하나 사용 |
+| 400 | `invalid_access` | 잘못된 접근 모드 | `public` 또는 `ip` 중 하나 사용 |
 | 400 | `invalid_ttl` | TTL 범위 초과 | 60 ~ 86400 사이 값 사용 |
 
 ### Gateway 에러 (터널 URL 접속 시)
@@ -246,7 +252,7 @@ validate.validateAccessMode('public');   // { valid: true }
 | --- | --- | --- |
 | 404 | 서비스 없음 | slug가 존재하고 삭제되지 않았는지 확인 |
 | 410 | 서비스 만료 | `extendTTL()`로 연장하거나 새 터널 생성 |
-| 403 | IP 접근 거부 | `allowed_ips`에 IP 추가, 또는 `public` 모드로 변경 |
+| 403 | IP 접근 거부 | `allowed_ips`에 IP 추가, 또는 `access`를 `public`으로 변경 |
 | 401 | 비밀번호 틀림 | 올바른 비밀번호로 재시도 |
 | 502 | 서비스 오프라인 (터널 연결 끊김) | 터널 클라이언트 재시작 |
 | 504 | 서비스 응답 시간 초과 | 로컬 서버가 실행 중이고 응답 가능한지 확인 |
@@ -284,9 +290,12 @@ console.log(site.expires_at);    // "2025-06-02T12:00:00Z"
 | `files` | Array | * | — | `directory` 대신 사용. `{ name, content, contentType? }` 객체 배열. |
 | `subdomain` | string | | 랜덤 | 원하는 서브도메인 지정. |
 | `host` | string | | `https://mygen.site` | 서버 URL. |
-| `access` | string | | `both` | 접근 제어 모드: `public`, `password`, `ip_only`, `both`. |
-| `password` | string | | 자동 | 접근 제어 비밀번호. |
-| `allowed_ips` | string[] | | — | `ip_only` 또는 `both` 모드에서 허용할 IP. CIDR 지원. |
+| `access` | string | | `public` | 네트워크 접근 제어 (Layer 1): `public`, `ip`. |
+| `auth_method` | string | | — | 인증 방식 (Layer 2, CSV): `password`, `google`, `telegram`. |
+| `password` | string | | 자동 | 접근 제어 비밀번호. `auth_method`에 `password` 포함 시 사용. |
+| `allowed_ips` | string[] | | — | `access`가 `ip`일 때 허용할 IP. CIDR 지원. |
+| `google` | string[] | | — | `auth_method`에 `google` 포함 시 허용할 이메일 목록. |
+| `telegram` | string[] | | — | `auth_method`에 `telegram` 포함 시 허용할 Telegram 사용자 ID 목록. |
 | `owner_email` | string | | — | 대시보드 관리용 소유자 이메일. |
 | `ttl` | number | | 3600 | 사이트 유효 시간(초), 60-86400. |
 | `admin_token` | string | | — | 기존 slug에 재배포할 때 사용. |
@@ -313,12 +322,12 @@ Multipart의 `filename`은 디렉토리 경로를 제거합니다 (예: `assets/
 ```bash
 # 플랫 파일 (서브디렉토리 없음) - filepaths 불필요
 curl -X POST https://mygen.site/api/deploy \
-  -F slug=demo -F access='{"mode":"public"}' \
+  -F slug=demo -F access=public \
   -F files=@index.html -F files=@style.css
 
 # 서브디렉토리 있음 - filepaths 필수
 curl -X POST https://mygen.site/api/deploy \
-  -F slug=demo -F access='{"mode":"public"}' \
+  -F slug=demo -F access=public \
   -F 'filepaths=["index.html","assets/style.css","assets/js/app.js"]' \
   -F files=@index.html \
   -F files=@assets/style.css \
@@ -345,7 +354,7 @@ curl -X POST https://mygen.site/api/deploy \
 
 | 메서드 | 인자 | 설명 |
 | --- | --- | --- |
-| `updateAccess(access)` | `{ mode, password, allowed_ips }` | 접근 제어 변경. Promise 반환. |
+| `updateAccess(settings)` | object | 접근 제어 변경. Promise 반환. |
 | `extendTTL(ttl)` | 초 (number) | TTL 연장. Promise 반환. |
 | `redeploy(directory)` | 디렉토리 경로 (string) | 새 파일로 교체 업로드. Promise 반환. |
 | `delete(purge?)` | purge (boolean) | 사이트 삭제. `false` = 소프트 삭제 (파일 유지), `true` = S3 파일까지 삭제. Promise 반환. |
@@ -365,7 +374,7 @@ const site = mygensite.manage({
 });
 
 // deploy 결과와 동일한 메서드 사용 가능
-await site.updateAccess({ mode: 'public' });
+await site.updateAccess({ access: 'public' });
 await site.extendTTL(86400);
 await site.redeploy('./dist-v2');
 await site.delete();
@@ -386,7 +395,7 @@ await site.delete();
 await site.redeploy('./dist-v2');
 
 // 배포 후 비밀번호 보호 추가
-await site.updateAccess({ mode: 'password', password: 'secret' });
+await site.updateAccess({ auth_method: 'password', password: 'secret' });
 
 // TTL 24시간 연장
 await site.extendTTL(86400);

package/README.md

@@ -2,12 +2,30 @@
 
 Expose your localhost to the world via [mygen.site](https://mygen.site) with access control.
 
+Built for AI agents — works as a [Claude Code](https://claude.com/claude-code) plugin with a `/share` skill for natural language deployment.
+
 ## Install
 
 ```bash
 npm install mygensite
 ```
 
+## Claude Code Integration
+
+Install the `/share` skill as a plugin — then just say "share this" or "deploy this":
+
+```
+# In Claude Code (recommended):
+/plugin marketplace add theconnectsoft/mygensite
+/plugin install mygensite@theconnectsoft-mygensite
+
+# Or manually:
+mkdir -p .claude/skills/share
+curl -o .claude/skills/share/SKILL.md https://mygen.site/share-skill.md
+```
+
+The skill auto-detects tunnel vs static deploy, manages tokens, and handles settings changes — no manual API calls needed.
+
 ## Tunnel (expose local server)
 
 ```js
@@ -17,9 +35,17 @@ const tunnel = await mygensite({
   port: 3000,                          // required: local port
   subdomain: 'my-app',                 // optional: default random
   host: 'https://mygen.site',          // optional: default mygen.site
-  access: 'password',                  // optional: public | password | ip_only | both (default: both)
-  password: 'secret',                  // optional: auto-generated if omitted
-  allowed_ips: ['1.2.3.0/24'],         // optional: for ip_only or both
+
+  // Layer 1: Network access
+  access: 'public',                    // optional: 'public' | 'ip' (default: 'public')
+  allowed_ips: ['1.2.3.0/24'],         // required when access='ip'
+
+  // Layer 2: Auth method(s)
+  auth_method: 'password',             // optional: CSV of 'password', 'google', 'telegram'
+  password: 'secret',                  // required when auth_method includes 'password'
+  google: 'alice@company.com',         // required when auth_method includes 'google'
+  telegram: '123456',                  // required when auth_method includes 'telegram'
+
   owner_email: 'alice@company.com',    // optional: dashboard management
   ttl: 3600,                           // optional: seconds, 60-86400 (default: 3600)
 });
@@ -31,7 +57,7 @@ tunnel.admin_token  // "tok_xxx"
 tunnel.expires_at   // "2025-06-01T13:00:00Z"
 
 // Runtime management
-await tunnel.updateAccess({ mode: 'public' });
+await tunnel.updateAccess({ access: 'public' });
 await tunnel.extendTTL(3600);
 
 // Cleanup
@@ -47,7 +73,9 @@ const site = await mygensite.deploy({
   directory: './dist',                   // required: local directory to upload
   subdomain: 'demo',                     // optional: default random
   host: 'https://mygen.site',           // optional: default mygen.site
-  access: 'public',                      // optional: default both
+  access: 'public',                      // optional: 'public' | 'ip' (default: 'public')
+  auth_method: 'password',              // optional: CSV of 'password', 'google', 'telegram'
+  password: 'secret',                   // when auth_method includes 'password'
   owner_email: 'alice@company.com',      // optional: dashboard management
   ttl: 86400,                            // optional: seconds (default: 3600)
 });
@@ -59,7 +87,7 @@ site.slug           // "demo"
 site.expires_at     // "2025-06-02T12:00:00Z"
 
 // Management
-await site.updateAccess({ mode: 'password', password: 'secret' });
+await site.updateAccess({ auth_method: 'password', password: 'secret' });
 await site.extendTTL(86400);
 await site.redeploy('./dist-v2');   // upload new files
 await site.delete();                // soft delete
@@ -81,20 +109,30 @@ const site = mygensite.manage({
 });
 
 // Same methods as deploy result
-await site.updateAccess({ mode: 'public' });
+await site.updateAccess({ access: 'public' });
 await site.extendTTL(86400);
 await site.redeploy('./dist-v2');
 await site.delete();
 ```
 
-## Access Modes
+## Access Control (2-Layer Model)
+
+### Layer 1 — Network (`access`)
+| value | behavior |
+|-------|----------|
+| `public` | anyone can reach (default) |
+| `ip` | only `allowed_ips` can reach |
+
+### Layer 2 — Auth (`auth_method`)
+| value | behavior |
+|-------|----------|
+| _(empty)_ | no authentication (default) |
+| `password` | password form + cookie session |
+| `google` | Google OAuth → allowed emails only |
+| `telegram` | Telegram login → allowed user IDs only |
+| `password,google` | password OR Google (user picks) |
 
-| mode | behavior |
-|------|----------|
-| `public` | anyone can access |
-| `password` | password required |
-| `ip_only` | allowed_ips only |
-| `both` | allowed_ips + password (default) |
+Both layers apply sequentially: IP check → auth check.
 
 ## Constraints
 
@@ -145,7 +183,7 @@ validate.validateTTL(30);             // { valid: false, error: '...' }
 | 400 | `invalid_slug` | slug format invalid | use 3-63 chars, lowercase alphanum + hyphen (e.g. `my-app-1`) |
 | 400 | `reserved_slug` | slug is reserved | choose different slug. reserved: www, api, dashboard, admin, etc. |
 | 400 | `invalid_ttl` | TTL out of range | use 60-86400 (seconds) |
-| 400 | `invalid_access` | bad access mode | use: public, password, ip_only, both |
+| 400 | `invalid_access` | bad access mode | use: public, ip |
 | 401 | `unauthorized` | wrong admin_token | use the `admin_token` from tunnel creation response |
 | 404 | `not_found` | service not found | verify slug is correct and tunnel is active |
 | 409 | `slug_in_use` | slug already taken | use different slug, or omit `subdomain` for random |
@@ -155,14 +193,21 @@ validate.validateTTL(30);             // { valid: false, error: '...' }
 ## CLI
 
 ```bash
-# Tunnel
-mygensite --port 3000 --subdomain my-app --access password --password 'secret' --ttl 7200
+# Tunnel (public)
+mygensite --port 3000 --subdomain my-app --ttl 7200
 
-# Deploy
-mygensite deploy --directory ./dist --subdomain demo --access public --ttl 86400
+# Tunnel with password auth
+mygensite --port 3000 --subdomain my-app --auth-method password --password 'secret'
+
+# Tunnel with IP restriction + Google auth
+mygensite --port 3000 -s my-app --access ip --allowed-ips '1.2.3.0/24' \
+  --auth-method google --google 'alice@company.com'
+
+# Deploy (static)
+mygensite deploy --directory ./dist --subdomain demo --ttl 86400
 
 # Deploy with password
-mygensite deploy -d ./dist -s private-demo --access password --password 'mypass'
+mygensite deploy -d ./dist -s private-demo --auth-method password --password 'mypass'
 
 # Redeploy (reuse admin_token)
 mygensite deploy -d ./dist-v2 -s demo --admin-token tok_xxx
@@ -171,14 +216,19 @@ mygensite deploy -d ./dist-v2 -s demo --admin-token tok_xxx
 ## curl Deploy
 
 ```bash
-# Simple (flat files)
+# Simple (flat files, public)
 curl -X POST https://mygen.site/api/deploy \
-  -F slug=demo -F access='{"mode":"public"}' \
+  -F slug=demo -F access=public \
   -F files=@index.html -F files=@style.css
 
+# With password auth
+curl -X POST https://mygen.site/api/deploy \
+  -F slug=demo -F auth_method=password -F password=secret \
+  -F files=@index.html
+
 # With subdirectories — use filepaths to preserve directory structure
 curl -X POST https://mygen.site/api/deploy \
-  -F slug=demo -F access='{"mode":"public"}' \
+  -F slug=demo -F access=public \
   -F 'filepaths=["index.html","assets/style.css","assets/js/app.js"]' \
   -F files=@index.html \
   -F files=@assets/style.css \
@@ -225,6 +275,8 @@ const tunnel = await mygensite({ port: 3000, password: 'my!p@ss$word' });
 
 - [English (detailed)](./README.en.md) — full API reference, all options, events, methods
 - [한국어](./README.ko.md) — 한국어 상세 문서
+- [API docs](https://mygen.site/docs) — full endpoint reference
+- [llms.txt](https://mygen.site/llms.txt) — LLM-readable docs
 
 ## License
 

package/bin/lt.js

@@ -29,10 +29,19 @@ yargs
         describe: 'Subdomain (slug)',
       })
       .option('access', {
-        describe: 'Access mode: public, password, ip_only, both',
+        describe: 'Access mode: public, ip',
+      })
+      .option('auth-method', {
+        describe: 'Auth methods (CSV): password, google, telegram',
       })
       .option('password', {
-        describe: 'Password for access control',
+        describe: 'Password for password auth',
+      })
+      .option('google', {
+        describe: 'Allowed Google emails (CSV)',
+      })
+      .option('telegram', {
+        describe: 'Allowed Telegram user IDs (CSV)',
       })
       .option('owner-email', {
         describe: 'Owner email for dashboard',
@@ -51,7 +60,10 @@ yargs
         subdomain: argv.subdomain,
         directory: argv.directory,
         access: argv.access,
+        auth_method: argv.authMethod,
         password: argv.password,
+        google: argv.google,
+        telegram: argv.telegram,
         owner_email: argv.ownerEmail,
         ttl: argv.ttl,
         admin_token: argv.adminToken,
@@ -65,6 +77,9 @@ yargs
       if (result.password) {
         console.log('your password is: %s', result.password);
       }
+      if (result.auth_methods) {
+        console.log('auth methods: %s', result.auth_methods);
+      }
       if (result.expires_at) {
         console.log('expires at: %s', result.expires_at);
       }
@@ -115,10 +130,19 @@ yargs
         describe: 'Print basic request info',
       })
       .option('access', {
-        describe: 'Access control mode: public, password, ip_only, both',
+        describe: 'Access mode: public, ip',
+      })
+      .option('auth-method', {
+        describe: 'Auth methods (CSV): password, google, telegram',
       })
       .option('password', {
-        describe: 'Password for access control',
+        describe: 'Password for password auth',
+      })
+      .option('google', {
+        describe: 'Allowed Google emails (CSV)',
+      })
+      .option('telegram', {
+        describe: 'Allowed Telegram user IDs (CSV)',
       })
       .option('owner-email', {
         describe: 'Owner email for dashboard management',
@@ -153,7 +177,10 @@ yargs
         local_ca: argv.localCa,
         allow_invalid_cert: argv.allowInvalidCert,
         access: argv.access,
+        auth_method: argv.authMethod,
         password: argv.password,
+        google: argv.google,
+        telegram: argv.telegram,
         owner_email: argv.ownerEmail,
         ttl: argv.ttl,
         admin_token: argv.adminToken,
@@ -177,6 +204,10 @@ yargs
       console.log('your admin_token is: %s', tunnel.admin_token);
     }
 
+    if (tunnel.auth_methods) {
+      console.log('auth methods: %s', tunnel.auth_methods);
+    }
+
     if (tunnel.cachedUrl) {
       console.log('your cachedUrl is: %s', tunnel.cachedUrl);
     }

package/lib/Tunnel.js

@@ -6,7 +6,7 @@ const axios = require('axios');
 const debug = require('debug')('localtunnel:client');
 
 const TunnelCluster = require('./TunnelCluster');
-const { validateSlug, validateTTL, validateAccessMode } = require('./validate');
+const { validateSlug, validateTTL, validateAccessMode, validateAuthMethod, validateAccessParams } = require('./validate');
 
 module.exports = class Tunnel extends EventEmitter {
   constructor(opts = {}) {
@@ -36,6 +36,17 @@ module.exports = class Tunnel extends EventEmitter {
         throw new Error(accessCheck.error);
       }
     }
+    if (opts.auth_method) {
+      const authCheck = validateAuthMethod(opts.auth_method);
+      if (!authCheck.valid) {
+        throw new Error(authCheck.error);
+      }
+    }
+    // Validate param consistency (mismatched params)
+    const paramsCheck = validateAccessParams(opts);
+    if (!paramsCheck.valid) {
+      throw new Error(paramsCheck.error);
+    }
   }
 
   _getInfo(body) {
@@ -48,6 +59,10 @@ module.exports = class Tunnel extends EventEmitter {
     this.password = body.password || null;
     this.admin_token = body.admin_token || null;
     this.access = body.access || null;
+    this.auth_methods = body.auth_methods || null;
+    this.allowed_ips = body.allowed_ips || null;
+    this.allowed_emails = body.allowed_emails || null;
+    this.allowed_telegram_ids = body.allowed_telegram_ids || null;
     this.expires_at = body.expires_at || null;
 
     return {
@@ -82,12 +97,23 @@ module.exports = class Tunnel extends EventEmitter {
     // Build extended query params for mygensite server
     const queryParams = {};
     if (opt.access) queryParams.access = opt.access;
+    if (opt.auth_method) queryParams.auth_method = opt.auth_method;
     if (opt.password) queryParams.password = opt.password;
     if (opt.allowed_ips) {
       queryParams.allowed_ips = Array.isArray(opt.allowed_ips)
         ? opt.allowed_ips.join(',')
         : opt.allowed_ips;
     }
+    if (opt.google) {
+      queryParams.google = Array.isArray(opt.google)
+        ? opt.google.join(',')
+        : opt.google;
+    }
+    if (opt.telegram) {
+      queryParams.telegram = Array.isArray(opt.telegram)
+        ? opt.telegram.join(',')
+        : opt.telegram;
+    }
     if (opt.owner_email) queryParams.owner_email = opt.owner_email;
     if (opt.ttl) queryParams.ttl = String(opt.ttl);
     if (opt.admin_token) queryParams.admin_token = opt.admin_token;

package/lib/deploy.js

@@ -3,7 +3,7 @@ const path = require('path');
 const axios = require('axios');
 const FormData = require('form-data');
 const debug = require('debug')('mygensite:deploy');
-const { validateSlug, validateFilePath, validateTTL, validateAccessMode } = require('./validate');
+const { validateSlug, validateFilePath, validateTTL, validateAccessMode, validateAuthMethod, validateAccessParams } = require('./validate');
 
 const DEFAULT_HOST = 'https://mygen.site';
 
@@ -88,9 +88,12 @@ async function deploy(options) {
     directory,
     files,
     owner_email,
-    access = 'both',
+    access = 'public',
+    auth_method,
     password,
     allowed_ips,
+    google,
+    telegram,
     ttl,
     admin_token,
   } = options;
@@ -109,14 +112,22 @@ async function deploy(options) {
     }
   }
   if (access) {
-    const mode = typeof access === 'string' ? access : access.mode;
-    if (mode) {
-      const accessCheck = validateAccessMode(mode);
-      if (!accessCheck.valid) {
-        throw new Error(accessCheck.error);
-      }
+    const accessCheck = validateAccessMode(access);
+    if (!accessCheck.valid) {
+      throw new Error(accessCheck.error);
     }
   }
+  if (auth_method) {
+    const authCheck = validateAuthMethod(auth_method);
+    if (!authCheck.valid) {
+      throw new Error(authCheck.error);
+    }
+  }
+  // Validate param consistency
+  const paramsCheck = validateAccessParams({ access, auth_method, password, google, telegram, allowed_ips });
+  if (!paramsCheck.valid) {
+    throw new Error(paramsCheck.error);
+  }
 
   // Build file list
   let fileList;
@@ -156,19 +167,21 @@ async function deploy(options) {
   if (subdomain) form.append('slug', subdomain);
   if (owner_email) form.append('owner_email', owner_email);
   if (ttl) form.append('ttl', String(ttl));
+  if (access) form.append('access', access);
+  if (auth_method) form.append('auth_method', auth_method);
   if (password) form.append('password', password);
   if (allowed_ips) {
     const ips = Array.isArray(allowed_ips) ? allowed_ips.join(',') : allowed_ips;
     form.append('allowed_ips', ips);
   }
-
-  // Build access field
-  const accessObj = { mode: typeof access === 'string' ? access : access.mode || 'both' };
-  if (typeof access === 'object') {
-    if (access.password) accessObj.password = access.password;
-    if (access.allowed_ips) accessObj.allowed_ips = access.allowed_ips;
+  if (google) {
+    const emails = Array.isArray(google) ? google.join(',') : google;
+    form.append('google', emails);
+  }
+  if (telegram) {
+    const ids = Array.isArray(telegram) ? telegram.join(',') : telegram;
+    form.append('telegram', ids);
   }
-  form.append('access', JSON.stringify(accessObj));
 
   // Send file paths as separate JSON field (busboy strips directories from filename)
   form.append('filepaths', JSON.stringify(fileList.map(f => f.name)));
@@ -196,8 +209,8 @@ async function deploy(options) {
   const siteSlug = data.slug;
   const siteToken = data.admin_token || admin_token;
 
-  // Add convenience methods
-  data.updateAccess = (newAccess) => patchService(siteHost, siteSlug, siteToken, { access: newAccess });
+  // Add convenience methods (body is passed directly to PATCH /api/services/:slug)
+  data.updateAccess = (body) => patchService(siteHost, siteSlug, siteToken, body);
   data.extendTTL = (newTtl) => patchService(siteHost, siteSlug, siteToken, { ttl: newTtl });
   data.redeploy = (dir) => deploy({ ...options, directory: dir, admin_token: siteToken });
   data.delete = (purge) => deleteService(siteHost, siteSlug, siteToken, purge);
@@ -229,7 +242,7 @@ function manage(options) {
     slug,
     admin_token,
     url: `https://${slug}.${host.replace(/^https?:\/\//, '')}`,
-    updateAccess: (access) => patchService(host, slug, admin_token, { access }),
+    updateAccess: (body) => patchService(host, slug, admin_token, body),
     extendTTL: (ttl) => patchService(host, slug, admin_token, { ttl }),
     redeploy: (dir) => deploy({ host, subdomain: slug, directory: dir, admin_token }),
     delete: (purge) => deleteService(host, slug, admin_token, purge),

package/lib/validate.js

@@ -19,7 +19,8 @@ const RESERVED_SLUGS = new Set([
 // Must match: server/src/api/routes/deploy.ts SAFE_PATH_SEGMENT
 const SAFE_PATH_SEGMENT = /^[a-zA-Z0-9_\-. ]+$/;
 
-const VALID_ACCESS_MODES = ['public', 'password', 'ip_only', 'both'];
+const VALID_ACCESS_MODES = ['public', 'ip'];
+const VALID_AUTH_METHODS = ['password', 'google', 'telegram'];
 
 /**
  * Validate a slug (subdomain) name.
@@ -107,17 +108,75 @@ function validateTTL(ttl) {
  */
 function validateAccessMode(mode) {
   if (!VALID_ACCESS_MODES.includes(mode)) {
-    return { valid: false, error: `Access mode must be one of: ${VALID_ACCESS_MODES.join(', ')}` };
+    return { valid: false, error: `Access must be one of: ${VALID_ACCESS_MODES.join(', ')}` };
   }
   return { valid: true };
 }
 
+/**
+ * Validate auth_method CSV value.
+ * @param {string} method - CSV of auth methods (e.g. "password,google")
+ * @returns {{ valid: boolean, methods?: string[], error?: string }}
+ */
+function validateAuthMethod(method) {
+  if (!method) {
+    return { valid: true, methods: [] };
+  }
+  const methods = method.split(',').map(s => s.trim()).filter(Boolean);
+  for (const m of methods) {
+    if (!VALID_AUTH_METHODS.includes(m)) {
+      return { valid: false, error: `Invalid auth method: "${m}". Must be: ${VALID_AUTH_METHODS.join(', ')}` };
+    }
+  }
+  return { valid: true, methods };
+}
+
+/**
+ * Validate that access params are consistent (no mismatched params).
+ * Mirrors server-side validation in parseAccessParams.
+ * @param {object} opts
+ * @returns {{ valid: boolean, error?: string }}
+ */
+function validateAccessParams(opts) {
+  const access = opts.access || 'public';
+  const authMethod = opts.auth_method || null;
+  const methods = authMethod ? authMethod.split(',').map(s => s.trim()).filter(Boolean) : [];
+
+  // Reject allowed_ips when access is public
+  if (access === 'public' && opts.allowed_ips) {
+    return { valid: false, error: "allowed_ips not allowed when access is 'public'" };
+  }
+
+  // Reject auth params without auth_method
+  if (!authMethod && (opts.password || opts.google || opts.telegram)) {
+    return { valid: false, error: 'auth parameters (password/google/telegram) require auth_method to be specified' };
+  }
+
+  // Reject mismatched params
+  if (authMethod) {
+    if (!methods.includes('password') && opts.password) {
+      return { valid: false, error: "password not allowed when auth_method doesn't include 'password'" };
+    }
+    if (!methods.includes('google') && opts.google) {
+      return { valid: false, error: "google not allowed when auth_method doesn't include 'google'" };
+    }
+    if (!methods.includes('telegram') && opts.telegram) {
+      return { valid: false, error: "telegram not allowed when auth_method doesn't include 'telegram'" };
+    }
+  }
+
+  return { valid: true };
+}
+
 module.exports = {
   validateSlug,
   validateFilePath,
   validateTTL,
   validateAccessMode,
+  validateAuthMethod,
+  validateAccessParams,
   SLUG_REGEX,
   RESERVED_SLUGS,
   VALID_ACCESS_MODES,
+  VALID_AUTH_METHODS,
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "mygensite",
   "description": "Expose your localhost to mygen.site with access control",
-  "version": "1.4.0",
+  "version": "2.0.0",
   "license": "MIT",
   "repository": {
     "type": "git",

package/skills/share/SKILL.md

@@ -0,0 +1,266 @@
+---
+name: share
+description: Share what the user built with others. Triggers on "share this", "deploy this", "make this accessible", "show my team", "create a URL", "change password", "make it public", "extend TTL", "공유해줘", "배포해줘", "외부에서 접속하게 해줘", "URL 만들어줘", "비밀번호 바꿔줘", "공개로 바꿔줘", "TTL 연장해줘", "팀한테 보여주고 싶어".
+argument-hint: "[public or password]"
+allowed-tools: Bash, Read, Glob, Grep, Write, Edit, Agent
+---
+
+# Share (mygen.site)
+
+Share what the user built via a `{name}.mygen.site` URL.
+
+## Owner Email
+
+Deploys and tunnels require `--owner-email`. The email is used for dashboard management.
+
+### First use
+1. Check if `.claude/mygen.json` exists
+2. If not, ask the user **once**: "What email should I use for service management? (used for dashboard login)"
+3. Save it to `.claude/mygen.json`:
+```json
+{ "owner_email": "user@company.com" }
+```
+
+### Subsequent uses
+- Read email from `.claude/mygen.json` automatically
+- If the user says "change my email", update the file
+
+## Decision: Tunnel vs Static Deploy
+
+Decide **automatically** based on the criteria below. Do not ask the user.
+
+### Choose static deploy when
+- Project has only HTML/CSS/JS files (build output)
+- Build output directories exist: `dist/`, `build/`, `out/`, `public/`, `.next/`
+- No server process needed
+- SPA build output (React, Vue, Svelte, etc.)
+- Simple HTML files to share
+
+### Choose tunnel when
+- A local server is running or can be started
+- Uses a server framework (Express, FastAPI, Django, Rails, etc.)
+- Needs dynamic features: API server, WebSocket, SSR
+- Runs via `npm run dev`, `python manage.py runserver`, etc.
+- Requires database connections
+
+## Execution Steps
+
+### 0. Prerequisites
+
+Check if mygensite is installed:
+```bash
+npx mygensite --help 2>/dev/null || npm install -g mygensite
+```
+
+Load owner email:
+```bash
+cat .claude/mygen.json 2>/dev/null
+```
+If missing, ask the user and save it.
+
+### 1. Analyze the project
+
+Quickly assess the project structure:
+- Check package.json, requirements.txt, etc.
+- Check for build output directories
+- Check for server start scripts
+- Check for running local servers (lsof -i -P | grep LISTEN)
+
+### 2-A. Static deploy
+
+Build first if needed:
+```bash
+# Framework-specific (example)
+npm run build
+```
+
+Deploy:
+```bash
+npx mygensite deploy \
+  --directory ./dist \
+  --owner-email {email} \
+  --access ${ARGUMENTS:-public} \
+  --ttl 86400
+```
+
+- `--directory`: build output directory (auto-detect dist, build, out, etc.)
+- If no build directory exists and there are only HTML files, use current directory (`.`)
+- Default access is public
+- TTL is 24 hours
+
+### 2-B. Tunnel
+
+Check if a local server is running; if not, start it:
+```bash
+# Check running ports
+lsof -i -P | grep LISTEN | grep -E ':(3000|5173|8000|8080|4200|5000)'
+```
+
+If no server is running:
+```bash
+# Find dev/start script in package.json and run it
+npm run dev &
+# Or framework-appropriate command
+```
+
+Find the server port and create a tunnel:
+```bash
+npx mygensite \
+  --port {detected port} \
+  --owner-email {email} \
+  --access ${ARGUMENTS:-public} \
+  --ttl 3600
+```
+
+- Default access is public
+- TTL is 1 hour (shorter for tunnels)
+- **CRITICAL: The tunnel process must keep running.** The tunnel only works while the `npx mygensite` process is alive. If it exits, the tunnel closes immediately and users get 502. Run it in a way that stays alive (e.g. background with `&`, separate terminal, or keep the script running).
+
+### 3. Save results and inform the user
+
+**Always** save the result (slug, admin_token) to `.claude/mygen.json`:
+```json
+{
+  "owner_email": "user@company.com",
+  "services": {
+    "{slug}": {
+      "admin_token": "tok_xxx",
+      "type": "static",
+      "url": "https://{slug}.mygen.site",
+      "created_at": "2025-06-01T12:00:00Z"
+    }
+  }
+}
+```
+
+After deploy/tunnel completes, inform the user **concisely**:
+
+```
+URL: https://{slug}.mygen.site
+
+Share this link — anyone can access it.
+Auto-expires in 24 hours.
+```
+
+If password-protected:
+```
+URL: https://{slug}.mygen.site
+Password: {password}
+
+Share the link and password together.
+```
+
+If tunnel, add:
+```
+The tunnel stays open as long as this process is running.
+Do NOT close this terminal or kill the process — the tunnel will stop working.
+```
+
+## Settings Changes (PATCH)
+
+When the user wants to change settings on an already-shared service:
+- "change password", "make it public", "restrict by IP", "extend time", etc.
+
+**Never redeploy.** Change settings via PATCH on the existing service.
+
+### Method 1: Node.js (recommended)
+
+Read slug and admin_token from `.claude/mygen.json`, create a management handle with `manage()`:
+
+```js
+const mygensite = require('mygensite');
+const site = mygensite.manage({
+  slug: '{slug}',
+  admin_token: '{admin_token}',  // read from .claude/mygen.json
+});
+
+await site.updateAccess({ mode: 'public' });
+await site.updateAccess({ mode: 'password', password: 'new-password' });
+await site.extendTTL(86400);
+await site.redeploy('./dist');  // only when files changed
+await site.delete();
+```
+
+> **Important:** Do not redeploy just to change settings. Use `manage()`.
+
+### Method 2: curl
+
+Read the admin_token for the service from `.claude/mygen.json`:
+
+```bash
+# Change access mode (e.g. password -> public)
+curl -X PATCH https://mygen.site/api/services/{slug} \
+  -H "Authorization: Bearer {admin_token}" \
+  -H "Content-Type: application/json" \
+  -d '{"access": {"mode": "public"}}'
+
+# Change password
+curl -X PATCH https://mygen.site/api/services/{slug} \
+  -H "Authorization: Bearer {admin_token}" \
+  -H "Content-Type: application/json" \
+  -d '{"access": {"password": "new-password"}}'
+
+# Add IP restriction
+curl -X PATCH https://mygen.site/api/services/{slug} \
+  -H "Authorization: Bearer {admin_token}" \
+  -H "Content-Type: application/json" \
+  -d '{"access": {"mode": "ip_only", "allowed_ips": ["1.2.3.0/24"]}}'
+
+# Extend TTL (timer resets from now)
+curl -X PATCH https://mygen.site/api/services/{slug} \
+  -H "Authorization: Bearer {admin_token}" \
+  -H "Content-Type: application/json" \
+  -d '{"ttl": 86400}'
+
+# Change owner email
+curl -X PATCH https://mygen.site/api/services/{slug} \
+  -H "Authorization: Bearer {admin_token}" \
+  -H "Content-Type: application/json" \
+  -d '{"owner_email": "new@company.com"}'
+```
+
+### PATCH vs Redeploy
+
+| Request | Method |
+|---------|--------|
+| Change password | PATCH `access.password` |
+| Make it public | PATCH `access.mode` |
+| Restrict by IP | PATCH `access.allowed_ips` |
+| Extend time | PATCH `ttl` |
+| Change email | PATCH `owner_email` |
+| Update content (files changed) | Redeploy (`deploy --admin-token`) |
+| Upload new files | Redeploy (`deploy --admin-token`) |
+
+**If files haven't changed, use PATCH. Redeploying for settings changes is wasteful.**
+
+When redeployment is needed, always use the existing admin_token:
+```bash
+npx mygensite deploy \
+  --directory ./dist \
+  --subdomain {existing slug} \
+  --admin-token {existing admin_token}
+```
+
+## Delete Service
+
+```bash
+# Soft delete (recoverable)
+curl -X DELETE https://mygen.site/api/services/{slug} \
+  -H "Authorization: Bearer {admin_token}"
+
+# Full delete (files removed, unrecoverable)
+curl -X DELETE "https://mygen.site/api/services/{slug}?purge=true" \
+  -H "Authorization: Bearer {admin_token}"
+```
+
+After deleting, also remove the service entry from `.claude/mygen.json`.
+
+## Important Notes
+
+- Do not ask the user for technical choices. Decide automatically.
+- Let the slug (subdomain) be auto-generated unless the user specifies one.
+- Handle errors yourself (port conflicts, build failures, etc.).
+- If `$ARGUMENTS` is "password", deploy with password protection.
+- If `$ARGUMENTS` is empty, deploy as public.
+- admin_token is issued **only once**. If lost, it cannot be recovered. Always save to `.claude/mygen.json`.
+- Add `.claude/mygen.json` to `.gitignore` (contains tokens).