mygensite 2.1.0 → 2.2.0

package/.claude-plugin/marketplace.json

@@ -5,15 +5,15 @@
     "email": "dev@theconnectsoft.com"
   },
   "metadata": {
-    "description": "Share your localhost or static sites via mygen.site with 2-layer access control",
-    "version": "2.1.0"
+    "description": "Share your localhost or static sites via mygen.site with guided access control and 2-layer security",
+    "version": "2.2.0"
   },
   "plugins": [
     {
       "name": "mygensite",
       "source": "./",
-      "description": "Share what you built via mygen.site — tunnels and static deploys with 2-layer access control (network: public/ip + auth: password/google/telegram)",
-      "version": "2.1.0",
+      "description": "Share what you built via mygen.site — tunnels and static deploys with interactive access control setup on first deploy (public/IP + password/Google/Telegram auth), slug reuse, background tunnel keeper, and unlimited TTL for static sites",
+      "version": "2.2.0",
       "author": {
         "name": "TheConnectSoft"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "mygensite",
-  "description": "Share your localhost or static sites via mygen.site with access control",
-  "version": "2.1.0",
+  "description": "Share your localhost or static sites via mygen.site — guided access control setup, 2-layer security (network + auth), unlimited TTL for static deploys",
+  "version": "2.2.0",
   "author": {
     "name": "TheConnectSoft",
     "email": "dev@theconnectsoft.com",
@@ -10,5 +10,5 @@
   "homepage": "https://mygen.site",
   "repository": "https://github.com/theconnectsoft/mygensite",
   "license": "MIT",
-  "keywords": ["tunnel", "deploy", "share", "mygen.site"]
+  "keywords": ["tunnel", "deploy", "share", "mygen.site", "access-control"]
 }

package/README.md

@@ -47,7 +47,7 @@ const tunnel = await mygensite({
   telegram: '123456',                  // required when auth_method includes 'telegram'
 
   owner_email: 'alice@company.com',    // optional: email or Telegram username for dashboard
-  ttl: 3600,                           // optional: seconds, 60-86400 (default: 3600)
+  ttl: 3600,                           // optional: 60-86400 seconds (default: 3600)
 });
 
 // Result
@@ -77,7 +77,7 @@ const site = await mygensite.deploy({
   auth_method: 'password',              // optional: CSV of 'password', 'google', 'telegram'
   password: 'secret',                   // when auth_method includes 'password'
   owner_email: 'alice@company.com',      // optional: email or Telegram username for dashboard
-  ttl: 86400,                            // optional: seconds (default: 3600)
+  ttl: 86400,                            // optional: 0 (unlimited) or 60-259200 seconds (default: 3600)
 });
 
 // Result
@@ -134,6 +134,23 @@ await site.delete();
 
 Both layers apply sequentially: IP check → auth check.
 
+## TTL (Time to Live)
+
+| type | range | unlimited |
+|------|-------|-----------|
+| Tunnel | 60–86400 seconds (max 24h) | not supported |
+| Static | 60–259200 seconds (max 3 days) | `ttl: 0` — requires at least one auth method |
+
+Unlimited TTL (`ttl: 0`) is only available for static deploys and requires at least one auth method (password, google, or telegram). You cannot remove auth from a service with unlimited TTL without also setting a finite TTL.
+
+## Examples
+
+Full runnable examples in [`examples/`](https://github.com/theconnectsoft/mygensite/tree/main/examples):
+
+- **[tunnel-basic.mjs](https://github.com/theconnectsoft/mygensite/blob/main/examples/tunnel-basic.mjs)** — Tunnel with signal handling and heartbeat (background-friendly)
+- **[static-deploy.mjs](https://github.com/theconnectsoft/mygensite/blob/main/examples/static-deploy.mjs)** — Static deploy with unlimited TTL and auth
+- **[manage-service.mjs](https://github.com/theconnectsoft/mygensite/blob/main/examples/manage-service.mjs)** — Settings, TTL, redeploy, delete via manage()
+
 ## Constraints
 
 ### Slug (subdomain)
@@ -182,7 +199,7 @@ validate.validateTTL(30);             // { valid: false, error: '...' }
 |--------|-------|------|-----|
 | 400 | `invalid_slug` | slug format invalid | use 3-63 chars, lowercase alphanum + hyphen (e.g. `my-app-1`) |
 | 400 | `reserved_slug` | slug is reserved | choose different slug. reserved: www, api, dashboard, admin, etc. |
-| 400 | `invalid_ttl` | TTL out of range | use 60-86400 (seconds) |
+| 400 | `invalid_ttl` | TTL out of range | tunnels: 60-86400s, static: 0 (unlimited) or 60-259200s. Unlimited requires auth. |
 | 400 | `invalid_access` | bad access mode | use: public, ip |
 | 401 | `unauthorized` | wrong admin_token | use the `admin_token` from tunnel creation response |
 | 404 | `not_found` | service not found | verify slug is correct and tunnel is active |

package/examples/README.md

@@ -0,0 +1,31 @@
+# Examples
+
+## tunnel-basic.mjs
+
+Expose a local server to the internet. Stays alive in background with signal handling and heartbeat.
+
+```bash
+node examples/tunnel-basic.mjs 3000 my-app
+```
+
+## static-deploy.mjs
+
+Deploy a directory as a static site. Supports unlimited TTL (`ttl: 0`).
+
+```bash
+node examples/static-deploy.mjs ./dist my-site
+```
+
+## manage-service.mjs
+
+Manage an existing service — change settings, extend TTL, redeploy, delete.
+
+```bash
+node examples/manage-service.mjs my-site tok_xxx public
+node examples/manage-service.mjs my-site tok_xxx password
+node examples/manage-service.mjs my-site tok_xxx extend
+node examples/manage-service.mjs my-site tok_xxx redeploy
+node examples/manage-service.mjs my-site tok_xxx delete
+```
+
+Actions: `public`, `password`, `google`, `telegram`, `ip`, `extend`, `redeploy`, `delete`, `purge`

package/examples/manage-service.mjs

@@ -0,0 +1,88 @@
+/**
+ * Service management examples — settings changes, TTL, redeploy, delete.
+ *
+ * Usage:
+ *   node manage-service.mjs <slug> <admin_token> <action>
+ *
+ * Actions: public, password, google, telegram, ip, extend, redeploy, delete, purge
+ */
+import mygensite from '../localtunnel.js';
+
+const slug = process.argv[2];
+const admin_token = process.argv[3];
+const action = process.argv[4] || 'public';
+
+if (!slug || !admin_token) {
+  console.error('Usage: node manage-service.mjs <slug> <admin_token> <action>');
+  process.exit(1);
+}
+
+const site = mygensite.manage({ slug, admin_token });
+
+switch (action) {
+  // --- Make public (remove all auth) ---
+  case 'public':
+    await site.updateAccess({ access: 'public', auth_method: '' });
+    console.log('Made public');
+    break;
+
+  // --- Add password protection ---
+  case 'password':
+    await site.updateAccess({ auth_method: 'password', password: 'new-secret' });
+    console.log('Password set');
+    break;
+
+  // --- Add Google OAuth ---
+  case 'google':
+    await site.updateAccess({
+      auth_method: 'password,google',
+      password: 'backup-pass',
+      google: 'alice@company.com,bob@company.com',
+    });
+    console.log('Google + password auth set');
+    break;
+
+  // --- Add Telegram auth ---
+  case 'telegram':
+    await site.updateAccess({
+      auth_method: 'telegram',
+      telegram: '123456789',
+    });
+    console.log('Telegram auth set');
+    break;
+
+  // --- Restrict by IP ---
+  case 'ip':
+    await site.updateAccess({ access: 'ip', allowed_ips: '10.0.0.0/8,192.168.1.0/24' });
+    console.log('IP restriction set');
+    break;
+
+  // --- Extend TTL (0 = unlimited for static) ---
+  case 'extend':
+    await site.extendTTL(0); // unlimited
+    console.log('TTL set to unlimited');
+    break;
+
+  // --- Redeploy with new files ---
+  case 'redeploy':
+    await site.redeploy('./dist');
+    console.log('Redeployed');
+    break;
+
+  // --- Soft delete (recoverable) ---
+  case 'delete':
+    await site.delete();
+    console.log('Soft deleted');
+    break;
+
+  // --- Purge delete (S3 files removed, unrecoverable) ---
+  case 'purge':
+    await site.delete(true);
+    console.log('Purged');
+    break;
+
+  default:
+    console.error(`Unknown action: ${action}`);
+    console.error('Actions: public, password, google, telegram, ip, extend, redeploy, delete, purge');
+    process.exit(1);
+}

package/examples/static-deploy.mjs

@@ -0,0 +1,63 @@
+/**
+ * Static file deployment examples.
+ *
+ * Usage:
+ *   node static-deploy.mjs <directory> [subdomain]
+ *
+ * Deploys a directory to {subdomain}.mygen.site.
+ * TTL 0 = unlimited (no expiry).
+ */
+import mygensite from '../localtunnel.js';
+
+const directory = process.argv[2];
+const subdomain = process.argv[3] || undefined;
+
+if (!directory) {
+  console.error('Usage: node static-deploy.mjs <directory> [subdomain]');
+  process.exit(1);
+}
+
+// --- Example 1: Deploy a directory (public, unlimited) ---
+
+const site = await mygensite.deploy({
+  directory,
+  subdomain,
+  owner_email: 'you@example.com',
+  access: 'public',
+  ttl: 0, // unlimited — static only (max 259200 for timed)
+  // admin_token: 'tok_xxx',  // pass this to redeploy an existing site
+});
+
+console.log(JSON.stringify({
+  url: site.url,
+  slug: site.slug,
+  admin_token: site.admin_token,
+  password: site.password || null,
+  expires_at: site.expires_at || null, // null when unlimited
+}));
+
+
+// --- Example 2: Deploy with password protection ---
+/*
+const protectedSite = await mygensite.deploy({
+  directory: './dist',
+  subdomain: 'private-demo',
+  owner_email: 'you@example.com',
+  auth_method: 'password',
+  password: 'secret123',
+  ttl: 86400, // 1 day
+});
+*/
+
+
+// --- Example 3: Deploy from in-memory files ---
+/*
+const site = await mygensite.deploy({
+  files: [
+    { name: 'index.html', content: Buffer.from('<h1>Hello</h1>'), contentType: 'text/html' },
+    { name: 'style.css', content: Buffer.from('body { color: red; }'), contentType: 'text/css' },
+  ],
+  owner_email: 'you@example.com',
+  ttl: 0,
+});
+*/

package/examples/tunnel-basic.mjs

@@ -0,0 +1,49 @@
+/**
+ * Basic tunnel example — expose a local server to the internet.
+ *
+ * Usage:
+ *   node tunnel-basic.mjs [port] [subdomain]
+ *
+ * The tunnel stays alive in the background with signal handling and heartbeat.
+ * Ideal for AI agents that need to keep a tunnel running.
+ */
+import mygensite from '../localtunnel.js';
+
+const port = Number(process.argv[2]) || 3000;
+const subdomain = process.argv[3] || undefined;
+
+const tunnel = await mygensite({
+  port,
+  subdomain,
+  owner_email: 'you@example.com',
+  access: 'public',
+  ttl: 3600, // 1 hour (max 86400 for tunnels)
+  // admin_token: 'tok_xxx',  // pass this to reconnect to an existing tunnel
+});
+
+// First line: JSON for programmatic consumption
+console.log(JSON.stringify({
+  url: tunnel.url,
+  slug: tunnel.clientId,
+  admin_token: tunnel.admin_token,
+  password: tunnel.password || null,
+  expires_at: tunnel.expires_at || null,
+}));
+
+// Graceful shutdown
+process.on('SIGINT', () => { tunnel.close(); process.exit(0); });
+process.on('SIGTERM', () => { tunnel.close(); process.exit(0); });
+
+tunnel.on('close', () => {
+  console.error('[tunnel] closed');
+  process.exit(1);
+});
+
+tunnel.on('error', (err) => {
+  console.error('[tunnel] error:', err.message);
+});
+
+// Heartbeat every 5 minutes
+setInterval(() => {
+  console.error(`[tunnel] alive — ${tunnel.url}`);
+}, 5 * 60 * 1000);

package/lib/Tunnel.js

@@ -25,7 +25,7 @@ module.exports = class Tunnel extends EventEmitter {
       }
     }
     if (opts.ttl != null) {
-      const ttlCheck = validateTTL(Number(opts.ttl));
+      const ttlCheck = validateTTL(Number(opts.ttl), { allowUnlimited: false, max: 86400 });
       if (!ttlCheck.valid) {
         throw new Error(ttlCheck.error);
       }

package/lib/deploy.js

@@ -106,7 +106,7 @@ async function deploy(options) {
     }
   }
   if (ttl != null) {
-    const ttlCheck = validateTTL(Number(ttl));
+    const ttlCheck = validateTTL(Number(ttl), { allowUnlimited: true, max: 259200 });
     if (!ttlCheck.valid) {
       throw new Error(ttlCheck.error);
     }

package/lib/validate.js

@@ -88,15 +88,25 @@ function validateFilePath(name) {
 
 /**
  * Validate TTL value.
- * @param {number} ttl - TTL in seconds
+ * @param {number} ttl - TTL in seconds (0 = unlimited, for static deploys only)
+ * @param {object} [opts] - Options
+ * @param {boolean} [opts.allowUnlimited=true] - Whether to allow 0 (unlimited)
+ * @param {number} [opts.max=259200] - Maximum TTL in seconds
  * @returns {{ valid: boolean, error?: string }}
  */
-function validateTTL(ttl) {
+function validateTTL(ttl, opts) {
+  const allowUnlimited = opts?.allowUnlimited !== false;
+  const max = opts?.max || 259200;
   if (typeof ttl !== 'number' || !Number.isFinite(ttl)) {
     return { valid: false, error: 'TTL must be a number' };
   }
-  if (ttl < 60 || ttl > 86400) {
-    return { valid: false, error: 'TTL must be between 60 and 86400 seconds (1 min to 24 hours)' };
+  if (ttl === 0) {
+    return allowUnlimited
+      ? { valid: true }
+      : { valid: false, error: 'Unlimited TTL (0) is not allowed for tunnels' };
+  }
+  if (ttl < 60 || ttl > max) {
+    return { valid: false, error: `TTL must be ${allowUnlimited ? '0 (unlimited) or ' : ''}between 60 and ${max} seconds` };
   }
   return { valid: true };
 }
@@ -195,6 +205,11 @@ function validateAccessParams(opts) {
     }
   }
 
+  // Unlimited TTL requires auth
+  if (opts.ttl === 0 && !authMethod) {
+    return { valid: false, error: 'Unlimited TTL (0) requires at least one auth method (password, google, or telegram)' };
+  }
+
   return { valid: true };
 }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "mygensite",
   "description": "Expose your localhost to mygen.site with access control",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "license": "MIT",
   "repository": {
     "type": "git",

package/skills/share/SKILL.md

@@ -8,6 +8,7 @@ allowed-tools: Bash, Read, Glob, Grep, Write, Edit, Agent
 # Share (mygen.site)
 
 Share what the user built via a `{name}.mygen.site` URL.
+Tunnel/deploy creation uses the **mygensite** Node.js library. Settings changes and deletion can use curl.
 
 ## Owner Identity
 
@@ -22,19 +23,38 @@ Ownership matching is case-insensitive.
 ### First use
 1. Check if `.claude/mygen.json` exists
 2. If not, ask the user **once**: "What email or Telegram username should I use for service management? (used for dashboard login)"
-3. Save it to `.claude/mygen.json`:
+3. **Do NOT validate the format as email-only.** The value can be a plain username without `@` — that's a valid Telegram username. Accept any non-empty string the user provides.
+4. Save it to `.claude/mygen.json`:
 ```json
 { "owner_email": "user@company.com" }
 ```
-or for Telegram users:
+or for Telegram users (no `@`, not an email — this is valid):
 ```json
-{ "owner_email": "telegram_username" }
+{ "owner_email": "mytelegramuser" }
 ```
 
 ### Subsequent uses
 - Read owner from `.claude/mygen.json` automatically
 - If the user says "change my email" or "change my owner", update the file
 
+## Slug (Domain) Management
+
+### Reuse by default
+- When `.claude/mygen.json` already has a service entry for the **same context** (same port for tunnels, same build directory for static), reuse that slug and `admin_token`.
+- This means running `/share` repeatedly for the same service always keeps the same URL.
+
+### When to ask for a new domain
+Ask the user what domain they want **only when** the context clearly requires a **different** share than what's already saved:
+- Sharing a **different port** than the existing tunnel
+- Sharing a **different directory** or a second static site
+- User explicitly says "share this on a different URL" or "new domain"
+
+Ask: "What subdomain would you like? (e.g. `my-api` → `my-api.mygen.site`, blank for auto-generated)"
+- If blank → let the server auto-generate.
+
+### Domain can be changed later
+Always inform the user (at least on first use): **"You can change the domain anytime by asking, e.g. 'change my domain to new-name'."**
+
 ## Decision: Tunnel vs Static Deploy
 
 Decide **automatically** based on the criteria below. Do not ask the user.
@@ -62,11 +82,7 @@ Check if mygensite is installed:
 npx mygensite --help 2>/dev/null || npm install -g mygensite
 ```
 
-Load owner email:
-```bash
-cat .claude/mygen.json 2>/dev/null
-```
-If missing, ask the user and save it.
+Load config from `.claude/mygen.json`. If missing, ask the user for owner identity.
 
 ### 1. Analyze the project
 
@@ -75,84 +91,190 @@ Quickly assess the project structure:
 - Check for build output directories
 - Check for server start scripts
 - Check for running local servers (lsof -i -P | grep LISTEN)
+- Check `.claude/mygen.json` for existing services matching current context
+
+### 1.5. Access Control Setup (first deploy only)
+
+**Skip this step** if reusing an existing service from `.claude/mygen.json` (same port/directory context). Settings are already saved.
+
+On the **first deploy** of a new service, ask the user these questions:
+
+#### Q1. Network access
+> **Who should be able to access this?**
+> 1. **Public** — anyone with the link (default)
+> 2. **IP-restricted** — only your current IP
+
+If IP-restricted, detect the user's public IP:
+```bash
+curl -s https://ifconfig.me
+```
+
+#### Q2. Authentication (recommended)
+> **Do you want to add authentication?** (recommended for security)
+> 1. **Password** — visitors enter a password to access
+> 2. **Google OAuth** — only specific Google accounts can access
+> 3. **Telegram** — only specific Telegram users can access
+> 4. **None** — no authentication
+
+If the user picks auth, ask for the details:
+- **Password**: "What password should visitors use?" (or auto-generate one)
+- **Google**: "Which email addresses should have access? (comma-separated)"
+- **Telegram**: "Which Telegram user IDs should have access? (comma-separated)"
+
+Multiple auth methods can be combined (e.g. password + Google — visitors can use either).
+
+#### Applying the choices
+
+Use the answers to set these parameters in the deploy/tunnel script:
+```js
+access: 'public',            // or 'ip'
+allowed_ips: ['1.2.3.4'],    // only when access='ip', user's detected IP
+auth_method: 'password',     // or 'google', 'telegram', 'password,google', or omit
+password: 'chosen-password',  // when auth_method includes 'password'
+google: 'alice@co.com',      // when auth_method includes 'google'
+telegram: '123456789',       // when auth_method includes 'telegram'
+```
+
+Save the chosen access settings in `.claude/mygen.json` alongside the service entry so they can be reused on redeploy.
+
+> **Tip**: If `$ARGUMENTS` explicitly says "public" or "password", skip the questions and use that directly.
 
 ### 2-A. Static deploy
 
 Build first if needed:
 ```bash
-# Framework-specific (example)
-npm run build
+npm run build  # or framework-appropriate command
+```
+
+Write a temporary deploy script `.claude/mygen-deploy.mjs` and run it:
+
+```js
+import localtunnel from 'mygensite';
+
+const site = await localtunnel.deploy({
+  directory: './dist',              // auto-detect: dist, build, out, .next, or '.'
+  subdomain: '{slug_or_undefined}', // from mygen.json or omit for auto
+  owner_email: '{owner_email}',
+  access: '{access}',              // from access control setup
+  auth_method: '{auth_method}',    // from access control setup, omit if none
+  password: '{password}',          // when auth_method includes 'password'
+  google: '{emails}',              // when auth_method includes 'google'
+  telegram: '{ids}',               // when auth_method includes 'telegram'
+  ttl: 86400,
+  admin_token: '{token_or_undefined}', // if redeploying existing service
+});
+
+console.log(JSON.stringify({
+  url: site.url, slug: site.slug,
+  admin_token: site.admin_token,
+  password: site.password || null,
+  expires_at: site.expires_at || null,
+}));
 ```
 
-Deploy:
 ```bash
-npx mygensite deploy \
-  --directory ./dist \
-  --owner-email {email} \
-  --access ${ARGUMENTS:-public} \
-  --ttl 86400
+node .claude/mygen-deploy.mjs && rm .claude/mygen-deploy.mjs
 ```
 
-- `--directory`: build output directory (auto-detect dist, build, out, etc.)
-- If no build directory exists and there are only HTML files, use current directory (`.`)
-- Default access is public
-- TTL is 24 hours
+Parse the JSON output, update `.claude/mygen.json`.
 
 ### 2-B. Tunnel
 
 Check if a local server is running; if not, start it:
 ```bash
-# Check running ports
 lsof -i -P | grep LISTEN | grep -E ':(3000|5173|8000|8080|4200|5000)'
 ```
 
-If no server is running:
-```bash
-# Find dev/start script in package.json and run it
-npm run dev &
-# Or framework-appropriate command
+If no server is running, start it in background first.
+
+Write a tunnel keeper script `.claude/mygen-tunnel.mjs`:
+
+```js
+import localtunnel from 'mygensite';
+
+const tunnel = await localtunnel({
+  port: {detected_port},
+  subdomain: '{slug_or_undefined}',
+  owner_email: '{owner_email}',
+  access: '{access}',
+  auth_method: '{auth_method}',    // from access control setup, omit if none
+  password: '{password}',          // when auth_method includes 'password'
+  google: '{emails}',              // when auth_method includes 'google'
+  telegram: '{ids}',               // when auth_method includes 'telegram'
+  ttl: 3600,
+  admin_token: '{token_or_undefined}',
+});
+
+// Output connection info as JSON (first line)
+console.log(JSON.stringify({
+  url: tunnel.url, slug: tunnel.clientId,
+  admin_token: tunnel.admin_token,
+  password: tunnel.password || null,
+  expires_at: tunnel.expires_at || null,
+}));
+
+// Keep alive — graceful shutdown on signals
+process.on('SIGINT', () => { tunnel.close(); process.exit(0); });
+process.on('SIGTERM', () => { tunnel.close(); process.exit(0); });
+tunnel.on('close', () => { console.error('Tunnel closed'); process.exit(1); });
+tunnel.on('error', (err) => { console.error('Tunnel error:', err.message); });
+
+// Heartbeat every 5 min
+setInterval(() => {
+  console.error(`[tunnel] alive — ${tunnel.url}`);
+}, 5 * 60 * 1000);
 ```
 
-Find the server port and create a tunnel:
+Run in background and capture output:
 ```bash
-npx mygensite \
-  --port {detected port} \
-  --owner-email {email} \
-  --access ${ARGUMENTS:-public} \
-  --ttl 3600
+node .claude/mygen-tunnel.mjs > .claude/mygen-tunnel-out.log 2>.claude/mygen-tunnel-err.log &
+TUNNEL_PID=$!
+echo $TUNNEL_PID > .claude/mygen-tunnel.pid
+
+# Wait for tunnel to initialize
+for i in $(seq 1 10); do
+  if [ -s .claude/mygen-tunnel-out.log ]; then break; fi
+  sleep 1
+done
+cat .claude/mygen-tunnel-out.log
 ```
 
-- Default access is public
-- TTL is 1 hour (shorter for tunnels)
-- **CRITICAL: The tunnel process must keep running.** The tunnel only works while the `npx mygensite` process is alive. If it exits, the tunnel closes immediately and users get 502. Run it in a way that stays alive (e.g. background with `&`, separate terminal, or keep the script running).
+- **CRITICAL**: The tunnel keeper script stays running in background. Do NOT delete it while active.
+- PID is saved to `.claude/mygen-tunnel.pid` for later management.
+- The script handles SIGINT/SIGTERM gracefully and logs heartbeats to stderr.
 
 ### 3. Save results and inform the user
 
-**Always** save the result (slug, admin_token) to `.claude/mygen.json`:
+**Always** save the result (slug, admin_token, access settings) to `.claude/mygen.json`:
 ```json
 {
   "owner_email": "user@company.com",
   "services": {
     "{slug}": {
       "admin_token": "tok_xxx",
-      "type": "static",
+      "type": "tunnel",
+      "port": 3000,
       "url": "https://{slug}.mygen.site",
+      "access": "public",
+      "auth_method": "password",
       "created_at": "2025-06-01T12:00:00Z"
     }
   }
 }
 ```
 
-After deploy/tunnel completes, inform the user **concisely**:
+After deploy/tunnel completes, inform the user **concisely** based on settings:
 
+**Public, no auth:**
 ```
 URL: https://{slug}.mygen.site
 
 Share this link — anyone can access it.
 Auto-expires in 24 hours.
+You can change the domain or access settings anytime — just ask.
 ```
 
-If password-protected:
+**With password auth:**
 ```
 URL: https://{slug}.mygen.site
 Password: {password}
@@ -160,10 +282,32 @@ Password: {password}
 Share the link and password together.
 ```
 
-If tunnel, add:
+**With Google auth:**
+```
+URL: https://{slug}.mygen.site
+Allowed: {emails}
+
+Only the listed Google accounts can access (via OAuth login).
+```
+
+**With IP restriction:**
+```
+URL: https://{slug}.mygen.site
+Restricted to: {ip}
+
+Only accessible from the allowed IP address.
+```
+
+If tunnel:
 ```
-The tunnel stays open as long as this process is running.
-Do NOT close this terminal or kill the process — the tunnel will stop working.
+Tunnel running in background (PID: {pid}).
+It stays open as long as the process is alive.
+```
+
+### 4. Add to .gitignore
+
+```bash
+grep -q '.claude/' .gitignore 2>/dev/null || echo '.claude/' >> .gitignore
 ```
 
 ## Settings Changes (PATCH)
@@ -184,8 +328,9 @@ const site = mygensite.manage({
   admin_token: '{admin_token}',  // read from .claude/mygen.json
 });
 
-await site.updateAccess({ mode: 'public' });
-await site.updateAccess({ mode: 'password', password: 'new-password' });
+await site.updateAccess({ access: 'public', auth_method: '' });
+await site.updateAccess({ auth_method: 'password', password: 'new-password' });
+await site.updateAccess({ auth_method: 'password,google', password: 'pw', google: 'a@co.com' });
 await site.extendTTL(86400);
 await site.redeploy('./dist');  // only when files changed
 await site.delete();
@@ -198,46 +343,47 @@ await site.delete();
 Read the admin_token for the service from `.claude/mygen.json`:
 
 ```bash
-# Change access mode (e.g. password -> public)
+# Make fully public (no auth)
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"access": {"mode": "public"}}'
+  -d '{"access": "public", "auth_method": ""}'
 
-# Change password
+# Add password auth
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"access": {"password": "new-password"}}'
+  -d '{"auth_method": "password", "password": "new-password"}'
 
-# Add IP restriction
+# Add Google OAuth + password
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"access": {"mode": "ip_only", "allowed_ips": ["1.2.3.0/24"]}}'
+  -d '{"auth_method": "password,google", "password": "pw", "google": "alice@co.com"}'
 
-# Extend TTL (timer resets from now)
+# Restrict by IP
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"ttl": 86400}'
+  -d '{"access": "ip", "allowed_ips": "1.2.3.0/24"}'
 
-# Change owner email
+# Extend TTL (timer resets from now)
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"owner_email": "new@company.com"}'
+  -d '{"ttl": 86400}'
 ```
 
 ### PATCH vs Redeploy
 
 | Request | Method |
 |---------|--------|
-| Change password | PATCH `access.password` |
-| Make it public | PATCH `access.mode` |
-| Restrict by IP | PATCH `access.allowed_ips` |
+| Change password | PATCH `auth_method` + `password` |
+| Make it public | PATCH `access` + `auth_method: ""` |
+| Add Google auth | PATCH `auth_method` + `google` |
+| Restrict by IP | PATCH `access: "ip"` + `allowed_ips` |
 | Extend time | PATCH `ttl` |
-| Change email | PATCH `owner_email` |
+| Change owner | PATCH `owner_email` (email or Telegram username) |
 | Update content (files changed) | Redeploy (`deploy --admin-token`) |
 | Upload new files | Redeploy (`deploy --admin-token`) |
 
@@ -265,12 +411,40 @@ curl -X DELETE "https://mygen.site/api/services/{slug}?purge=true" \
 
 After deleting, also remove the service entry from `.claude/mygen.json`.
 
+## Tunnel Management
+
+### Check if tunnel is running
+```bash
+if [ -f .claude/mygen-tunnel.pid ]; then
+  PID=$(cat .claude/mygen-tunnel.pid)
+  kill -0 $PID 2>/dev/null && echo "Running (PID $PID)" || echo "Stopped"
+fi
+```
+
+### Stop tunnel
+```bash
+if [ -f .claude/mygen-tunnel.pid ]; then
+  kill $(cat .claude/mygen-tunnel.pid) 2>/dev/null
+  rm -f .claude/mygen-tunnel.pid .claude/mygen-tunnel-out.log .claude/mygen-tunnel-err.log
+fi
+```
+
+### Restart tunnel
+Stop the old one, then run Step 2-B again. The same slug and admin_token will be reused from `.claude/mygen.json`.
+
+## Reference
+
+- API docs: https://mygen.site/docs (NOT /api/docs)
+- LLM-readable docs: https://mygen.site/llms.txt
+
 ## Important Notes
 
-- Do not ask the user for technical choices. Decide automatically.
-- Let the slug (subdomain) be auto-generated unless the user specifies one.
+- Do not ask the user for technical choices (tunnel vs static). Decide automatically.
+- **Reuse the same slug** for the same context. Only ask for a new domain when sharing something different (different port, different directory, etc.).
 - Handle errors yourself (port conflicts, build failures, etc.).
-- If `$ARGUMENTS` is "password", deploy with password protection.
-- If `$ARGUMENTS` is empty, deploy as public.
+- If `$ARGUMENTS` explicitly specifies access (e.g. "password", "public"), skip the access control questions and use that directly.
+- If `$ARGUMENTS` is empty, ask the access control questions on first deploy.
 - admin_token is issued **only once**. If lost, it cannot be recovered. Always save to `.claude/mygen.json`.
-- Add `.claude/mygen.json` to `.gitignore` (contains tokens).
+- **For tunnel/deploy creation, use the mygensite Node.js library** (not curl). For PATCH settings and DELETE, curl is fine.
+- Clean up temp scripts after use. Keep `.claude/mygen-tunnel.mjs` alive while tunnel is running.
+- Add `.claude/` to `.gitignore` (contains tokens).