mygensite 2.1.0 → 2.4.0

package/.claude-plugin/marketplace.json

@@ -5,15 +5,15 @@
     "email": "dev@theconnectsoft.com"
   },
   "metadata": {
-    "description": "Share your localhost or static sites via mygen.site with 2-layer access control",
-    "version": "2.1.0"
+    "description": "Share your localhost or static sites via mygen.site with guided access control, 2-layer security, rules, and hooks",
+    "version": "2.4.0"
   },
   "plugins": [
     {
       "name": "mygensite",
       "source": "./",
-      "description": "Share what you built via mygen.site — tunnels and static deploys with 2-layer access control (network: public/ip + auth: password/google/telegram)",
-      "version": "2.1.0",
+      "description": "Share what you built via mygen.site — tunnels and static deploys with interactive access control, rules for safe defaults and deployment awareness, hooks for git/tunnel safety, and multi-tunnel support",
+      "version": "2.4.0",
       "author": {
         "name": "TheConnectSoft"
       },
@@ -21,4 +21,4 @@
       "license": "MIT"
     }
   ]
-}
+}

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "mygensite",
-  "description": "Share your localhost or static sites via mygen.site with access control",
-  "version": "2.1.0",
+  "description": "Share your localhost or static sites via mygen.site — guided access control, 2-layer security, rules for safe defaults, hooks for git/tunnel safety, multi-tunnel support",
+  "version": "2.3.5",
   "author": {
     "name": "TheConnectSoft",
     "email": "dev@theconnectsoft.com",
@@ -10,5 +10,11 @@
   "homepage": "https://mygen.site",
   "repository": "https://github.com/theconnectsoft/mygensite",
   "license": "MIT",
-  "keywords": ["tunnel", "deploy", "share", "mygen.site"]
-}
+  "keywords": [
+    "tunnel",
+    "deploy",
+    "share",
+    "mygen.site",
+    "access-control"
+  ]
+}

package/README.en.md

@@ -43,7 +43,7 @@ Below are some common arguments. See `mygensite --help` for all options.
 - `--access` network layer: `public`, `ip` (default: `public`)
 - `--auth-method` auth layer (CSV): `password`, `google`, `telegram`
 - `--password` password (when auth-method includes password)
-- `--google` allowed Google email(s)
+- `--google` allowed Google email(s) or `@domain.com` patterns
 - `--telegram` allowed Telegram user ID(s)
 - `--owner-email` owner email for dashboard management
 - `--ttl` tunnel TTL in seconds, 60-86400 (default: 3600)
@@ -111,7 +111,7 @@ const mygensite = require('mygensite');
 - `auth_method` (string) Auth methods CSV: `password`, `google`, `telegram`. Default: none.
 - `password` (string) Password (when auth_method includes 'password'). Auto-generated if omitted.
 - `allowed_ips` (string[]) IP whitelist for `ip` access. Supports CIDR notation.
-- `google` (string|string[]) Allowed Google email(s) (when auth_method includes 'google').
+- `google` (string|string[]) Allowed Google email(s) or domain patterns like `@company.com` (when auth_method includes 'google').
 - `telegram` (string|string[]) Allowed Telegram user ID(s) (when auth_method includes 'telegram').
 - `owner_email` (string) Owner email for dashboard management.
 - `ttl` (number) Tunnel TTL in seconds (60-86400). Default: 3600.
@@ -296,7 +296,7 @@ console.log(site.expires_at);    // "2025-06-02T12:00:00Z"
 | `access` | string | | `public` | Network access: `public`, `ip`. |
 | `auth_method` | string | | — | Auth methods CSV: `password`, `google`, `telegram`. |
 | `password` | string | | auto | Password (when auth_method includes 'password'). |
-| `google` | string\|string[] | | — | Allowed Google email(s) (when auth_method includes 'google'). |
+| `google` | string\|string[] | | — | Allowed Google email(s) or `@domain.com` patterns (when auth_method includes 'google'). |
 | `telegram` | string\|string[] | | — | Allowed Telegram user ID(s) (when auth_method includes 'telegram'). |
 | `allowed_ips` | string[] | | — | IP whitelist for `ip` access. CIDR supported. |
 | `owner_email` | string | | — | Owner email for dashboard management. |

package/README.ko.md

@@ -43,7 +43,7 @@ mygen.site에 연결하여 터널을 생성하고, 사용할 URL을 알려줍니
 - `--access` 네트워크 접근 제어: `public`, `ip` (기본: `public`)
 - `--auth-method` 인증 방식 (CSV): `password`, `google`, `telegram`
 - `--password` 접근 제어 비밀번호 (미지정 시 자동 생성)
-- `--google` Google OAuth 허용 이메일 (CSV)
+- `--google` Google OAuth 허용 이메일 또는 `@domain.com` 패턴 (CSV)
 - `--telegram` Telegram 허용 사용자 ID (CSV)
 - `--owner-email` 대시보드 관리용 소유자 이메일
 - `--ttl` 터널 유효 시간(초), 60-86400 (기본: 3600)
@@ -111,7 +111,7 @@ const mygensite = require('mygensite');
 - `auth_method` (string) 인증 방식 (Layer 2, CSV): `password`, `google`, `telegram`. 복수 지정 시 콤마 구분 (예: `password,google`).
 - `password` (string) 접근 제어 비밀번호. `auth_method`에 `password` 포함 시 사용. 미지정 시 자동 생성.
 - `allowed_ips` (string[]) `access`가 `ip`일 때 허용할 IP 목록. CIDR 표기 지원.
-- `google` (string[]) `auth_method`에 `google` 포함 시 허용할 이메일 목록.
+- `google` (string[]) `auth_method`에 `google` 포함 시 허용할 이메일 또는 `@domain.com` 도메인 패턴 목록.
 - `telegram` (string[]) `auth_method`에 `telegram` 포함 시 허용할 Telegram 사용자 ID 목록.
 - `owner_email` (string) 대시보드 관리용 소유자 이메일.
 - `ttl` (number) 터널 유효 시간(초), 60-86400. 기본값: 3600.
@@ -294,7 +294,7 @@ console.log(site.expires_at);    // "2025-06-02T12:00:00Z"
 | `auth_method` | string | | — | 인증 방식 (Layer 2, CSV): `password`, `google`, `telegram`. |
 | `password` | string | | 자동 | 접근 제어 비밀번호. `auth_method`에 `password` 포함 시 사용. |
 | `allowed_ips` | string[] | | — | `access`가 `ip`일 때 허용할 IP. CIDR 지원. |
-| `google` | string[] | | — | `auth_method`에 `google` 포함 시 허용할 이메일 목록. |
+| `google` | string[] | | — | `auth_method`에 `google` 포함 시 허용할 이메일 또는 `@domain.com` 패턴 목록. |
 | `telegram` | string[] | | — | `auth_method`에 `telegram` 포함 시 허용할 Telegram 사용자 ID 목록. |
 | `owner_email` | string | | — | 대시보드 관리용 소유자 이메일. |
 | `ttl` | number | | 3600 | 사이트 유효 시간(초), 60-86400. |

package/README.md

@@ -43,11 +43,12 @@ const tunnel = await mygensite({
   // Layer 2: Auth method(s)
   auth_method: 'password',             // optional: CSV of 'password', 'google', 'telegram'
   password: 'secret',                  // required when auth_method includes 'password'
-  google: 'alice@company.com',         // required when auth_method includes 'google'
+  google: 'alice@company.com,@company.com', // required when auth_method includes 'google' (supports @domain.com patterns)
   telegram: '123456',                  // required when auth_method includes 'telegram'
 
   owner_email: 'alice@company.com',    // optional: email or Telegram username for dashboard
-  ttl: 3600,                           // optional: seconds, 60-86400 (default: 3600)
+  ttl: 3600,                           // optional: 60-86400 seconds (default: 3600)
+  token: 'mgs_xxx',                    // optional: API token (or set MYGENSITE_TOKEN env)
 });
 
 // Result
@@ -77,7 +78,8 @@ const site = await mygensite.deploy({
   auth_method: 'password',              // optional: CSV of 'password', 'google', 'telegram'
   password: 'secret',                   // when auth_method includes 'password'
   owner_email: 'alice@company.com',      // optional: email or Telegram username for dashboard
-  ttl: 86400,                            // optional: seconds (default: 3600)
+  ttl: 86400,                            // optional: 0 (unlimited) or 60-259200 seconds (default: 3600)
+  token: 'mgs_xxx',                      // optional: API token (or set MYGENSITE_TOKEN env)
 });
 
 // Result
@@ -128,12 +130,54 @@ await site.delete();
 |-------|----------|
 | _(empty)_ | no authentication (default) |
 | `password` | password form + cookie session |
-| `google` | Google OAuth → allowed emails only |
+| `google` | Google OAuth → allowed emails only (supports `@domain.com` patterns) |
 | `telegram` | Telegram login → allowed user IDs only |
 | `password,google` | password OR Google (user picks) |
 
 Both layers apply sequentially: IP check → auth check.
 
+## API Token Authentication
+
+By default, service creation (tunnel/deploy) is restricted to allowed IPs. To create from any IP, generate an API token from the [dashboard](https://mygen.site/dashboard/api).
+
+```js
+// Option 1: Pass token directly
+const tunnel = await mygensite({ port: 3000, token: 'mgs_xxx' });
+const site = await mygensite.deploy({ directory: './dist', token: 'mgs_xxx' });
+
+// Option 2: Set environment variable (auto-detected)
+// export MYGENSITE_TOKEN=mgs_xxx
+const tunnel = await mygensite({ port: 3000 });  // token picked up from env
+```
+
+```bash
+# CLI
+mygensite --port 3000 --token mgs_xxx
+mygensite deploy -d ./dist --token mgs_xxx
+
+# Or via environment variable
+MYGENSITE_TOKEN=mgs_xxx mygensite --port 3000
+```
+
+When using an API token, `owner_email` is automatically set to the token owner's account email.
+
+## TTL (Time to Live)
+
+| type | range | unlimited |
+|------|-------|-----------|
+| Tunnel | 60–86400 seconds (max 24h) | not supported |
+| Static | 60–259200 seconds (max 3 days) | `ttl: 0` — requires at least one auth method |
+
+Unlimited TTL (`ttl: 0`) is only available for static deploys and requires at least one auth method (password, google, or telegram). You cannot remove auth from a service with unlimited TTL without also setting a finite TTL.
+
+## Examples
+
+Full runnable examples in [`examples/`](https://github.com/theconnectsoft/mygensite/tree/main/examples):
+
+- **[tunnel-basic.mjs](https://github.com/theconnectsoft/mygensite/blob/main/examples/tunnel-basic.mjs)** — Tunnel with signal handling and heartbeat (background-friendly)
+- **[static-deploy.mjs](https://github.com/theconnectsoft/mygensite/blob/main/examples/static-deploy.mjs)** — Static deploy with unlimited TTL and auth
+- **[manage-service.mjs](https://github.com/theconnectsoft/mygensite/blob/main/examples/manage-service.mjs)** — Settings, TTL, redeploy, delete via manage()
+
 ## Constraints
 
 ### Slug (subdomain)
@@ -182,7 +226,7 @@ validate.validateTTL(30);             // { valid: false, error: '...' }
 |--------|-------|------|-----|
 | 400 | `invalid_slug` | slug format invalid | use 3-63 chars, lowercase alphanum + hyphen (e.g. `my-app-1`) |
 | 400 | `reserved_slug` | slug is reserved | choose different slug. reserved: www, api, dashboard, admin, etc. |
-| 400 | `invalid_ttl` | TTL out of range | use 60-86400 (seconds) |
+| 400 | `invalid_ttl` | TTL out of range | tunnels: 60-86400s, static: 0 (unlimited) or 60-259200s. Unlimited requires auth. |
 | 400 | `invalid_access` | bad access mode | use: public, ip |
 | 401 | `unauthorized` | wrong admin_token | use the `admin_token` from tunnel creation response |
 | 404 | `not_found` | service not found | verify slug is correct and tunnel is active |
@@ -211,6 +255,10 @@ mygensite deploy -d ./dist -s private-demo --auth-method password --password 'my
 
 # Redeploy (reuse admin_token)
 mygensite deploy -d ./dist-v2 -s demo --admin-token tok_xxx
+
+# With API token (skip IP restriction)
+mygensite --port 3000 -s my-app --token mgs_xxx
+MYGENSITE_TOKEN=mgs_xxx mygensite deploy -d ./dist -s demo
 ```
 
 ## curl Deploy

package/bin/lt.js

@@ -38,7 +38,7 @@ yargs
         describe: 'Password for password auth',
       })
       .option('google', {
-        describe: 'Allowed Google emails (CSV)',
+        describe: 'Allowed Google emails or @domain.com patterns (CSV)',
       })
       .option('telegram', {
         describe: 'Allowed Telegram user IDs (CSV)',
@@ -52,6 +52,9 @@ yargs
       })
       .option('admin-token', {
         describe: 'Admin token for redeployment',
+      })
+      .option('token', {
+        describe: 'API token (mgs_xxx) for authentication. Also reads MYGENSITE_TOKEN env.',
       });
   }, async (argv) => {
     try {
@@ -67,6 +70,7 @@ yargs
         owner_email: argv.ownerEmail,
         ttl: argv.ttl,
         admin_token: argv.adminToken,
+        token: argv.token,
       });
 
       console.log('your url is: %s', result.url);
@@ -139,7 +143,7 @@ yargs
         describe: 'Password for password auth',
       })
       .option('google', {
-        describe: 'Allowed Google emails (CSV)',
+        describe: 'Allowed Google emails or @domain.com patterns (CSV)',
       })
       .option('telegram', {
         describe: 'Allowed Telegram user IDs (CSV)',
@@ -154,6 +158,9 @@ yargs
       .option('admin-token', {
         describe: 'Admin token for reconnecting to an existing tunnel',
       })
+      .option('token', {
+        describe: 'API token (mgs_xxx) for authentication. Also reads MYGENSITE_TOKEN env.',
+      })
       .boolean('local-https')
       .boolean('allow-invalid-cert')
       .boolean('print-requests');
@@ -184,6 +191,7 @@ yargs
         owner_email: argv.ownerEmail,
         ttl: argv.ttl,
         admin_token: argv.adminToken,
+        token: argv.token,
       });
     } catch (err) {
       console.error('tunnel failed: %s', err.message);

package/examples/README.md

@@ -0,0 +1,31 @@
+# Examples
+
+## tunnel-basic.mjs
+
+Expose a local server to the internet. Stays alive in background with signal handling and heartbeat.
+
+```bash
+node examples/tunnel-basic.mjs 3000 my-app
+```
+
+## static-deploy.mjs
+
+Deploy a directory as a static site. Supports unlimited TTL (`ttl: 0`).
+
+```bash
+node examples/static-deploy.mjs ./dist my-site
+```
+
+## manage-service.mjs
+
+Manage an existing service — change settings, extend TTL, redeploy, delete.
+
+```bash
+node examples/manage-service.mjs my-site tok_xxx public
+node examples/manage-service.mjs my-site tok_xxx password
+node examples/manage-service.mjs my-site tok_xxx extend
+node examples/manage-service.mjs my-site tok_xxx redeploy
+node examples/manage-service.mjs my-site tok_xxx delete
+```
+
+Actions: `public`, `password`, `google`, `telegram`, `ip`, `extend`, `redeploy`, `delete`, `purge`

package/examples/manage-service.mjs

@@ -0,0 +1,88 @@
+/**
+ * Service management examples — settings changes, TTL, redeploy, delete.
+ *
+ * Usage:
+ *   node manage-service.mjs <slug> <admin_token> <action>
+ *
+ * Actions: public, password, google, telegram, ip, extend, redeploy, delete, purge
+ */
+import mygensite from '../localtunnel.js';
+
+const slug = process.argv[2];
+const admin_token = process.argv[3];
+const action = process.argv[4] || 'public';
+
+if (!slug || !admin_token) {
+  console.error('Usage: node manage-service.mjs <slug> <admin_token> <action>');
+  process.exit(1);
+}
+
+const site = mygensite.manage({ slug, admin_token });
+
+switch (action) {
+  // --- Make public (remove all auth) ---
+  case 'public':
+    await site.updateAccess({ access: 'public', auth_method: '' });
+    console.log('Made public');
+    break;
+
+  // --- Add password protection ---
+  case 'password':
+    await site.updateAccess({ auth_method: 'password', password: 'new-secret' });
+    console.log('Password set');
+    break;
+
+  // --- Add Google OAuth ---
+  case 'google':
+    await site.updateAccess({
+      auth_method: 'password,google',
+      password: 'backup-pass',
+      google: 'alice@company.com,bob@company.com',
+    });
+    console.log('Google + password auth set');
+    break;
+
+  // --- Add Telegram auth ---
+  case 'telegram':
+    await site.updateAccess({
+      auth_method: 'telegram',
+      telegram: '123456789',
+    });
+    console.log('Telegram auth set');
+    break;
+
+  // --- Restrict by IP ---
+  case 'ip':
+    await site.updateAccess({ access: 'ip', allowed_ips: '10.0.0.0/8,192.168.1.0/24' });
+    console.log('IP restriction set');
+    break;
+
+  // --- Extend TTL (0 = unlimited for static) ---
+  case 'extend':
+    await site.extendTTL(0); // unlimited
+    console.log('TTL set to unlimited');
+    break;
+
+  // --- Redeploy with new files ---
+  case 'redeploy':
+    await site.redeploy('./dist');
+    console.log('Redeployed');
+    break;
+
+  // --- Soft delete (recoverable) ---
+  case 'delete':
+    await site.delete();
+    console.log('Soft deleted');
+    break;
+
+  // --- Purge delete (S3 files removed, unrecoverable) ---
+  case 'purge':
+    await site.delete(true);
+    console.log('Purged');
+    break;
+
+  default:
+    console.error(`Unknown action: ${action}`);
+    console.error('Actions: public, password, google, telegram, ip, extend, redeploy, delete, purge');
+    process.exit(1);
+}

package/examples/static-deploy.mjs

@@ -0,0 +1,63 @@
+/**
+ * Static file deployment examples.
+ *
+ * Usage:
+ *   node static-deploy.mjs <directory> [subdomain]
+ *
+ * Deploys a directory to {subdomain}.mygen.site.
+ * TTL 0 = unlimited (no expiry).
+ */
+import mygensite from '../localtunnel.js';
+
+const directory = process.argv[2];
+const subdomain = process.argv[3] || undefined;
+
+if (!directory) {
+  console.error('Usage: node static-deploy.mjs <directory> [subdomain]');
+  process.exit(1);
+}
+
+// --- Example 1: Deploy a directory (public, unlimited) ---
+
+const site = await mygensite.deploy({
+  directory,
+  subdomain,
+  owner_email: 'you@example.com',
+  access: 'public',
+  ttl: 0, // unlimited — static only (max 259200 for timed)
+  // admin_token: 'tok_xxx',  // pass this to redeploy an existing site
+});
+
+console.log(JSON.stringify({
+  url: site.url,
+  slug: site.slug,
+  admin_token: site.admin_token,
+  password: site.password || null,
+  expires_at: site.expires_at || null, // null when unlimited
+}));
+
+
+// --- Example 2: Deploy with password protection ---
+/*
+const protectedSite = await mygensite.deploy({
+  directory: './dist',
+  subdomain: 'private-demo',
+  owner_email: 'you@example.com',
+  auth_method: 'password',
+  password: 'secret123',
+  ttl: 86400, // 1 day
+});
+*/
+
+
+// --- Example 3: Deploy from in-memory files ---
+/*
+const site = await mygensite.deploy({
+  files: [
+    { name: 'index.html', content: Buffer.from('<h1>Hello</h1>'), contentType: 'text/html' },
+    { name: 'style.css', content: Buffer.from('body { color: red; }'), contentType: 'text/css' },
+  ],
+  owner_email: 'you@example.com',
+  ttl: 0,
+});
+*/

package/examples/tunnel-basic.mjs

@@ -0,0 +1,49 @@
+/**
+ * Basic tunnel example — expose a local server to the internet.
+ *
+ * Usage:
+ *   node tunnel-basic.mjs [port] [subdomain]
+ *
+ * The tunnel stays alive in the background with signal handling and heartbeat.
+ * Ideal for AI agents that need to keep a tunnel running.
+ */
+import mygensite from '../localtunnel.js';
+
+const port = Number(process.argv[2]) || 3000;
+const subdomain = process.argv[3] || undefined;
+
+const tunnel = await mygensite({
+  port,
+  subdomain,
+  owner_email: 'you@example.com',
+  access: 'public',
+  ttl: 3600, // 1 hour (max 86400 for tunnels)
+  // admin_token: 'tok_xxx',  // pass this to reconnect to an existing tunnel
+});
+
+// First line: JSON for programmatic consumption
+console.log(JSON.stringify({
+  url: tunnel.url,
+  slug: tunnel.clientId,
+  admin_token: tunnel.admin_token,
+  password: tunnel.password || null,
+  expires_at: tunnel.expires_at || null,
+}));
+
+// Graceful shutdown
+process.on('SIGINT', () => { tunnel.close(); process.exit(0); });
+process.on('SIGTERM', () => { tunnel.close(); process.exit(0); });
+
+tunnel.on('close', () => {
+  console.error('[tunnel] closed');
+  process.exit(1);
+});
+
+tunnel.on('error', (err) => {
+  console.error('[tunnel] error:', err.message);
+});
+
+// Heartbeat every 5 minutes
+setInterval(() => {
+  console.error(`[tunnel] alive — ${tunnel.url}`);
+}, 5 * 60 * 1000);

package/hooks/git-guard.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# PreToolUse hook: block git staging of mygen secret files
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name')
+
+if [ "$TOOL" != "Bash" ]; then
+  echo '{"decision":"allow"}'
+  exit 0
+fi
+
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command')
+
+# Check for direct staging of mygen files
+if echo "$CMD" | grep -qE 'git add.*\.claude/mygen'; then
+  echo '{"decision":"block","reason":"Blocked: .claude/mygen.json contains admin tokens that should never be committed."}'
+  exit 0
+fi
+
+echo '{"decision":"allow"}'

package/hooks/hooks.json

@@ -0,0 +1,19 @@
+{
+  "hooks": [
+    {
+      "event": "PreToolUse",
+      "script": "hooks/git-guard.sh",
+      "description": "Prevent staging mygen secret files"
+    },
+    {
+      "event": "PostToolUse",
+      "script": "hooks/tunnel-cleanup.sh",
+      "description": "Clean stale tunnel PID files"
+    },
+    {
+      "event": "Stop",
+      "script": "hooks/tunnel-reminder.sh",
+      "description": "Remind about running tunnels on session end"
+    }
+  ]
+}

package/hooks/tunnel-cleanup.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# PostToolUse hook: clean stale tunnel PID files
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  PID=$(cat "$pidfile")
+  if ! kill -0 "$PID" 2>/dev/null; then
+    SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+    rm -f "$pidfile"
+    rm -f ".claude/mygen-tunnel-${SLUG}-out.log" ".claude/mygen-tunnel-${SLUG}-err.log"
+    rm -f ".claude/mygen-tunnel-${SLUG}.mjs"
+  fi
+done

package/hooks/tunnel-reminder.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Stop hook: remind about running tunnels
+RUNNING=""
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  PID=$(cat "$pidfile")
+  if kill -0 "$PID" 2>/dev/null; then
+    SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+    RUNNING="${RUNNING}  - ${SLUG}.mygen.site (PID $PID)\n"
+  fi
+done
+
+if [ -n "$RUNNING" ]; then
+  echo -e "Running tunnels:\n${RUNNING}To stop: kill <PID>" >&2
+fi

package/lib/Tunnel.js

@@ -25,7 +25,7 @@ module.exports = class Tunnel extends EventEmitter {
       }
     }
     if (opts.ttl != null) {
-      const ttlCheck = validateTTL(Number(opts.ttl));
+      const ttlCheck = validateTTL(Number(opts.ttl), { allowUnlimited: false, max: 86400 });
       if (!ttlCheck.valid) {
         throw new Error(ttlCheck.error);
       }
@@ -100,6 +100,12 @@ module.exports = class Tunnel extends EventEmitter {
       responseType: 'json',
     };
 
+    // API token authentication (token option or MYGENSITE_TOKEN env)
+    const token = opt.token || process.env.MYGENSITE_TOKEN;
+    if (token) {
+      params.headers = { Authorization: `Bearer ${token}` };
+    }
+
     // Build extended query params for mygensite server
     const queryParams = {};
     if (opt.access) queryParams.access = opt.access;

package/lib/deploy.js

@@ -96,8 +96,12 @@ async function deploy(options) {
     telegram,
     ttl,
     admin_token,
+    token,
   } = options;
 
+  // API token authentication (token option or MYGENSITE_TOKEN env)
+  const apiToken = token || process.env.MYGENSITE_TOKEN;
+
   // Client-side validation — fail fast before API call
   if (subdomain) {
     const slugCheck = validateSlug(subdomain);
@@ -106,7 +110,7 @@ async function deploy(options) {
     }
   }
   if (ttl != null) {
-    const ttlCheck = validateTTL(Number(ttl));
+    const ttlCheck = validateTTL(Number(ttl), { allowUnlimited: true, max: 259200 });
     if (!ttlCheck.valid) {
       throw new Error(ttlCheck.error);
     }
@@ -203,6 +207,8 @@ async function deploy(options) {
   const headers = { ...form.getHeaders() };
   if (admin_token) {
     headers.Authorization = `Bearer ${admin_token}`;
+  } else if (apiToken) {
+    headers.Authorization = `Bearer ${apiToken}`;
   }
 
   const res = await axios.post(`${host}/api/deploy`, form, { headers });

package/lib/validate.js

@@ -88,15 +88,25 @@ function validateFilePath(name) {
 
 /**
  * Validate TTL value.
- * @param {number} ttl - TTL in seconds
+ * @param {number} ttl - TTL in seconds (0 = unlimited, for static deploys only)
+ * @param {object} [opts] - Options
+ * @param {boolean} [opts.allowUnlimited=true] - Whether to allow 0 (unlimited)
+ * @param {number} [opts.max=259200] - Maximum TTL in seconds
  * @returns {{ valid: boolean, error?: string }}
  */
-function validateTTL(ttl) {
+function validateTTL(ttl, opts) {
+  const allowUnlimited = opts?.allowUnlimited !== false;
+  const max = opts?.max || 259200;
   if (typeof ttl !== 'number' || !Number.isFinite(ttl)) {
     return { valid: false, error: 'TTL must be a number' };
   }
-  if (ttl < 60 || ttl > 86400) {
-    return { valid: false, error: 'TTL must be between 60 and 86400 seconds (1 min to 24 hours)' };
+  if (ttl === 0) {
+    return allowUnlimited
+      ? { valid: true }
+      : { valid: false, error: 'Unlimited TTL (0) is not allowed for tunnels' };
+  }
+  if (ttl < 60 || ttl > max) {
+    return { valid: false, error: `TTL must be ${allowUnlimited ? '0 (unlimited) or ' : ''}between 60 and ${max} seconds` };
   }
   return { valid: true };
 }
@@ -133,9 +143,26 @@ function validateAuthMethod(method) {
 
 // Email: basic check — has @, local part, domain with dot
 const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+// Domain pattern: @domain.com (for allowed_emails — matches all emails from that domain)
+const DOMAIN_PATTERN_REGEX = /^@[^\s@]+\.[^\s@]+$/;
 // Telegram username: 5-32 chars, alphanumeric + underscores (per Telegram rules)
 const TELEGRAM_USERNAME_REGEX = /^[a-zA-Z][a-zA-Z0-9_]{4,31}$/;
 
+/**
+ * Validate an email or domain pattern for allowed_emails list.
+ * Accepts either a full email (alice@co.com) or a domain pattern (@co.com).
+ * Domain patterns match all emails from that domain.
+ * @param {string} value
+ * @returns {boolean}
+ */
+function isValidEmailOrDomain(value) {
+  if (!value || typeof value !== 'string') return false;
+  if (value.startsWith('@')) {
+    return value.length <= 255 && DOMAIN_PATTERN_REGEX.test(value);
+  }
+  return EMAIL_REGEX.test(value);
+}
+
 /**
  * Validate owner_email value (email address or Telegram username).
  * @param {string} value
@@ -195,6 +222,11 @@ function validateAccessParams(opts) {
     }
   }
 
+  // Unlimited TTL requires auth
+  if (opts.ttl === 0 && !authMethod) {
+    return { valid: false, error: 'Unlimited TTL (0) requires at least one auth method (password, google, or telegram)' };
+  }
+
   return { valid: true };
 }
 
@@ -206,10 +238,12 @@ module.exports = {
   validateAuthMethod,
   validateAccessParams,
   validateOwner,
+  isValidEmailOrDomain,
   SLUG_REGEX,
   RESERVED_SLUGS,
   VALID_ACCESS_MODES,
   VALID_AUTH_METHODS,
   EMAIL_REGEX,
+  DOMAIN_PATTERN_REGEX,
   TELEGRAM_USERNAME_REGEX,
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "mygensite",
   "description": "Expose your localhost to mygen.site with access control",
-  "version": "2.1.0",
+  "version": "2.4.0",
   "license": "MIT",
   "repository": {
     "type": "git",

package/rules/deployment-awareness.md

@@ -0,0 +1,10 @@
+---
+name: deployment-awareness
+description: Recognize active mygen.site deployments and suggest redeploy after file changes
+---
+
+- When a conversation starts with `.claude/mygen.json` present, acknowledge active services
+- If a static deploy exists and build output files are changed, suggest "Do you want to redeploy?"
+- If tunnel PID files (`.claude/mygen-tunnel-*.pid`) exist, be aware of running tunnel processes
+- Never auto-deploy or auto-redeploy. Only suggest
+- When the user says "update it", "reflect changes", "deploy changes", "업데이트 반영해줘", "변경사항 배포해줘", invoke the /share skill

package/rules/safe-defaults.md

@@ -0,0 +1,10 @@
+---
+name: safe-defaults
+description: Default to password protection unless user explicitly requests public access
+---
+
+- Unless the user explicitly says "public", "공개", "no password", "비밀번호 없이", default to IP-restricted + password authentication
+- When presenting network options, recommend IP-restricted as the default
+- When presenting auth options, recommend password as the default
+- If the project contains .env, credentials, secrets, or API key files, add a warning about exposure risk
+- Ambiguous requests like "just share it quickly" or "그냥 빨리 공유해줘" still get IP-restricted + password protection by default

package/rules/tunnel-keepalive.md

@@ -0,0 +1,36 @@
+---
+name: tunnel-keepalive
+description: Ensure tunnel scripts stay alive with proper keepalive patterns, not exit immediately
+---
+
+When writing tunnel scripts (`.claude/mygen-tunnel-*.mjs`), always follow these patterns:
+
+1. **setInterval required**: Keep the process alive after tunnel creation
+   ```js
+   setInterval(() => {
+     console.error(`[tunnel] alive — ${tunnel.url}`);
+   }, 5 * 60 * 1000);
+   ```
+
+2. **Signal handlers required**: Clean shutdown on SIGINT/SIGTERM
+   ```js
+   process.on('SIGINT', () => { tunnel.close(); process.exit(0); });
+   process.on('SIGTERM', () => { tunnel.close(); process.exit(0); });
+   ```
+
+3. **Event handlers required**: Log unexpected disconnects
+   ```js
+   tunnel.on('close', () => { console.error('Tunnel closed'); process.exit(1); });
+   tunnel.on('error', (err) => { console.error('Tunnel error:', err.message); });
+   ```
+
+4. **Never do these**:
+   - End the script after console.log without keepalive (process exits immediately)
+   - Use setTimeout instead of setInterval (runs only once)
+   - Call process.exit() outside of signal/event handlers
+
+5. **Background execution required**: Always run with `&` and save the PID
+   ```bash
+   node .claude/mygen-tunnel-{slug}.mjs > .claude/mygen-tunnel-{slug}-out.log 2>.claude/mygen-tunnel-{slug}-err.log &
+   echo $! > .claude/mygen-tunnel-{slug}.pid
+   ```

package/skills/share/SKILL.md

@@ -8,10 +8,12 @@ allowed-tools: Bash, Read, Glob, Grep, Write, Edit, Agent
 # Share (mygen.site)
 
 Share what the user built via a `{name}.mygen.site` URL.
+Tunnel/deploy creation uses the **mygensite** Node.js library. Settings changes and deletion can use curl.
 
 ## Owner Identity
 
-Deploys and tunnels require `--owner-email`. This identifies who owns the service on the dashboard.
+`--owner-email` links the service to a dashboard account for web-based management.
+The user can also skip this — management via `admin_token` (PATCH, DELETE, redeploy) always works.
 
 The value can be either:
 - **Email address** (for Google login users): `alice@company.com`
@@ -21,20 +23,70 @@ Ownership matching is case-insensitive.
 
 ### First use
 1. Check if `.claude/mygen.json` exists
-2. If not, ask the user **once**: "What email or Telegram username should I use for service management? (used for dashboard login)"
-3. Save it to `.claude/mygen.json`:
+2. If not, **you MUST ask the user**: "Email or Telegram username for dashboard management? (Enter to skip)"
+3. **Do NOT validate the format as email-only.** The value can be a plain username without `@` — that's a valid Telegram username. Accept any non-empty string the user provides.
+4. If the user provides a value, save it to `.claude/mygen.json`:
 ```json
 { "owner_email": "user@company.com" }
 ```
-or for Telegram users:
+or for Telegram users (no `@`, not an email — this is valid):
 ```json
-{ "owner_email": "telegram_username" }
+{ "owner_email": "mytelegramuser" }
+```
+5. If the user skips (empty), save without owner_email:
+```json
+{}
 ```
 
 ### Subsequent uses
 - Read owner from `.claude/mygen.json` automatically
 - If the user says "change my email" or "change my owner", update the file
 
+## API Token (optional)
+
+If the `MYGENSITE_TOKEN` env variable is set, or `token` option is passed, the mygensite client automatically uses it for authentication. This allows service creation from any IP address.
+
+The token can be generated from the dashboard: https://mygen.site/dashboard/api
+
+Usage:
+```bash
+# Environment variable (recommended — auto-detected)
+export MYGENSITE_TOKEN=mgs_xxx
+
+# Or pass directly in code
+const tunnel = await mygensite({ port: 3000, token: 'mgs_xxx' });
+const site = await mygensite.deploy({ directory: './dist', token: 'mgs_xxx' });
+
+# Or CLI flag
+mygensite --port 3000 --token mgs_xxx
+```
+
+When a token is used, `owner_email` is automatically set to the token owner's email. The `.claude/mygen.json` `owner_email` is still used for display purposes but won't override the token-based owner.
+
+## Slug (Domain) Management
+
+### Reuse by default
+- When `.claude/mygen.json` already has a service entry for the **same context** (same port for tunnels, same build directory for static), reuse that slug and `admin_token`.
+- This means running `/share` repeatedly for the same service always keeps the same URL.
+
+### New service — always ask for subdomain
+When there is **no matching service** in `.claude/mygen.json` for the current context, you MUST ask for a subdomain. This happens when:
+- First time running `/share` in a project (no `.claude/mygen.json` or empty services)
+- Sharing a **different port** than any existing tunnel entry
+- Sharing a **different build directory** than any existing static entry
+- User explicitly asks for a "new URL", "different domain", "새 도메인" etc.
+
+Ask:
+> **Subdomain?** (Enter for random: `auto-generated.mygen.site`)
+> e.g. `my-api` → `my-api.mygen.site`
+
+- Default (Enter/blank) → server auto-generates a random slug
+- If the user specifies a slug and it's **already taken** (409 error), inform them and ask again:
+  > `my-api.mygen.site` is already taken. Choose another subdomain? (Enter for random)
+
+### Domain cannot be changed after creation
+The subdomain (slug) is permanent once created. To use a different domain, create a new service and delete the old one. Inform the user on first use: **"The subdomain can't be changed later — choose carefully, or press Enter for a random one."**
+
 ## Decision: Tunnel vs Static Deploy
 
 Decide **automatically** based on the criteria below. Do not ask the user.
@@ -62,11 +114,7 @@ Check if mygensite is installed:
 npx mygensite --help 2>/dev/null || npm install -g mygensite
 ```
 
-Load owner email:
-```bash
-cat .claude/mygen.json 2>/dev/null
-```
-If missing, ask the user and save it.
+Load config from `.claude/mygen.json`. If missing, ask the user for owner identity.
 
 ### 1. Analyze the project
 
@@ -75,84 +123,191 @@ Quickly assess the project structure:
 - Check for build output directories
 - Check for server start scripts
 - Check for running local servers (lsof -i -P | grep LISTEN)
+- Check `.claude/mygen.json` for existing services matching current context
+
+### 1.5. Access Control Setup (first deploy only)
+
+**Skip this step** if reusing an existing service from `.claude/mygen.json` (same port/directory context). Settings are already saved.
+
+On the **first deploy** of a new service, ask the user these questions:
+
+#### Q1. Network access
+> **Who should be able to access this?**
+> 1. **Public** — anyone with the link
+> 2. **IP-restricted** — only your current IP (recommended)
+
+If IP-restricted, detect the user's public IP:
+```bash
+curl -s https://ifconfig.me
+```
+
+#### Q2. Authentication
+> **Password protection is enabled by default.** Choose an authentication method:
+> 1. **Password** — visitors enter a password to access (default)
+> 2. **Google OAuth** — only specific Google accounts can access
+> 3. **Telegram** — only specific Telegram users can access
+> 4. **None** — no authentication (not recommended)
+
+If the user picks auth, ask for the details:
+- **Password**: "What password should visitors use?" (or auto-generate one)
+- **Google**: "Which email addresses should have access? (comma-separated, use @domain.com to allow an entire domain)"
+- **Telegram**: "Which Telegram user IDs should have access? (comma-separated)"
+
+Multiple auth methods can be combined (e.g. password + Google — visitors can use either).
+
+#### Applying the choices
+
+Use the answers to set these parameters in the deploy/tunnel script:
+```js
+access: 'ip',                // 'ip' (recommended) or 'public'
+allowed_ips: ['1.2.3.4'],    // user's detected IP (auto-detect via curl ifconfig.me)
+auth_method: 'password',     // or 'google', 'telegram', 'password,google', or omit
+password: 'chosen-password',  // when auth_method includes 'password'
+google: 'alice@co.com,@co.com', // when auth_method includes 'google' (supports @domain.com)
+telegram: '123456789',       // when auth_method includes 'telegram'
+```
+
+Save the chosen access settings in `.claude/mygen.json` alongside the service entry so they can be reused on redeploy.
+
+> **Tip**: If `$ARGUMENTS` explicitly says "public" or "password", skip the questions and use that directly.
 
 ### 2-A. Static deploy
 
 Build first if needed:
 ```bash
-# Framework-specific (example)
-npm run build
+npm run build  # or framework-appropriate command
+```
+
+Write a temporary deploy script `.claude/mygen-deploy.mjs` and run it:
+
+```js
+import localtunnel from 'mygensite';
+
+const site = await localtunnel.deploy({
+  directory: './dist',              // auto-detect: dist, build, out, .next, or '.'
+  subdomain: '{slug_or_undefined}', // from mygen.json or omit for auto
+  owner_email: '{owner_email}',
+  access: '{access}',              // from access control setup
+  auth_method: '{auth_method}',    // from access control setup, omit if none
+  password: '{password}',          // when auth_method includes 'password'
+  google: '{emails}',              // when auth_method includes 'google'
+  telegram: '{ids}',               // when auth_method includes 'telegram'
+  ttl: 86400,
+  admin_token: '{token_or_undefined}', // if redeploying existing service
+});
+
+console.log(JSON.stringify({
+  url: site.url, slug: site.slug,
+  admin_token: site.admin_token,
+  password: site.password || null,
+  expires_at: site.expires_at || null,
+}));
 ```
 
-Deploy:
 ```bash
-npx mygensite deploy \
-  --directory ./dist \
-  --owner-email {email} \
-  --access ${ARGUMENTS:-public} \
-  --ttl 86400
+node .claude/mygen-deploy.mjs
 ```
 
-- `--directory`: build output directory (auto-detect dist, build, out, etc.)
-- If no build directory exists and there are only HTML files, use current directory (`.`)
-- Default access is public
-- TTL is 24 hours
+Parse the JSON output, update `.claude/mygen.json`.
 
 ### 2-B. Tunnel
 
 Check if a local server is running; if not, start it:
 ```bash
-# Check running ports
 lsof -i -P | grep LISTEN | grep -E ':(3000|5173|8000|8080|4200|5000)'
 ```
 
-If no server is running:
-```bash
-# Find dev/start script in package.json and run it
-npm run dev &
-# Or framework-appropriate command
+If no server is running, start it in background first.
+
+Write a tunnel keeper script `.claude/mygen-tunnel-{slug}.mjs` (slug-based filename for multi-tunnel support):
+
+```js
+import localtunnel from 'mygensite';
+
+const tunnel = await localtunnel({
+  port: {detected_port},
+  subdomain: '{slug_or_undefined}',
+  owner_email: '{owner_email}',
+  access: '{access}',
+  auth_method: '{auth_method}',    // from access control setup, omit if none
+  password: '{password}',          // when auth_method includes 'password'
+  google: '{emails}',              // when auth_method includes 'google'
+  telegram: '{ids}',               // when auth_method includes 'telegram'
+  ttl: 3600,
+  admin_token: '{token_or_undefined}',
+});
+
+// Output connection info as JSON (first line)
+console.log(JSON.stringify({
+  url: tunnel.url, slug: tunnel.clientId,
+  admin_token: tunnel.admin_token,
+  password: tunnel.password || null,
+  expires_at: tunnel.expires_at || null,
+}));
+
+// Keep alive — graceful shutdown on signals
+process.on('SIGINT', () => { tunnel.close(); process.exit(0); });
+process.on('SIGTERM', () => { tunnel.close(); process.exit(0); });
+tunnel.on('close', () => { console.error('Tunnel closed'); process.exit(1); });
+tunnel.on('error', (err) => { console.error('Tunnel error:', err.message); });
+
+// Heartbeat every 5 min
+setInterval(() => {
+  console.error(`[tunnel] alive — ${tunnel.url}`);
+}, 5 * 60 * 1000);
 ```
 
-Find the server port and create a tunnel:
+Run in background and capture output (use the slug in all filenames):
 ```bash
-npx mygensite \
-  --port {detected port} \
-  --owner-email {email} \
-  --access ${ARGUMENTS:-public} \
-  --ttl 3600
+node .claude/mygen-tunnel-{slug}.mjs > .claude/mygen-tunnel-{slug}-out.log 2>.claude/mygen-tunnel-{slug}-err.log &
+TUNNEL_PID=$!
+echo $TUNNEL_PID > .claude/mygen-tunnel-{slug}.pid
+
+# Wait for tunnel to initialize
+for i in $(seq 1 10); do
+  if [ -s .claude/mygen-tunnel-{slug}-out.log ]; then break; fi
+  sleep 1
+done
+cat .claude/mygen-tunnel-{slug}-out.log
 ```
 
-- Default access is public
-- TTL is 1 hour (shorter for tunnels)
-- **CRITICAL: The tunnel process must keep running.** The tunnel only works while the `npx mygensite` process is alive. If it exits, the tunnel closes immediately and users get 502. Run it in a way that stays alive (e.g. background with `&`, separate terminal, or keep the script running).
+- **CRITICAL**: The tunnel keeper script stays running in background. Do NOT delete it while active.
+- PID is saved to `.claude/mygen-tunnel-{slug}.pid` for later management (slug-based, supports multiple tunnels).
+- The script handles SIGINT/SIGTERM gracefully and logs heartbeats to stderr.
 
 ### 3. Save results and inform the user
 
-**Always** save the result (slug, admin_token) to `.claude/mygen.json`:
+**Always** save the result (slug, admin_token, access settings) to `.claude/mygen.json`:
 ```json
 {
   "owner_email": "user@company.com",
   "services": {
     "{slug}": {
       "admin_token": "tok_xxx",
-      "type": "static",
+      "type": "tunnel",
+      "port": 3000,
       "url": "https://{slug}.mygen.site",
+      "access": "ip",
+      "allowed_ips": ["1.2.3.4"],
+      "auth_method": "password",
       "created_at": "2025-06-01T12:00:00Z"
     }
   }
 }
 ```
 
-After deploy/tunnel completes, inform the user **concisely**:
+After deploy/tunnel completes, inform the user **concisely** based on settings:
 
+**Public, no auth:**
 ```
 URL: https://{slug}.mygen.site
 
 Share this link — anyone can access it.
 Auto-expires in 24 hours.
+You can change access settings anytime — just ask.
 ```
 
-If password-protected:
+**With password auth:**
 ```
 URL: https://{slug}.mygen.site
 Password: {password}
@@ -160,10 +315,26 @@ Password: {password}
 Share the link and password together.
 ```
 
-If tunnel, add:
+**With Google auth:**
+```
+URL: https://{slug}.mygen.site
+Allowed: {emails}
+
+Only the listed Google accounts can access (via OAuth login).
+```
+
+**With IP restriction:**
+```
+URL: https://{slug}.mygen.site
+Restricted to: {ip}
+
+Only accessible from the allowed IP address.
 ```
-The tunnel stays open as long as this process is running.
-Do NOT close this terminal or kill the process — the tunnel will stop working.
+
+If tunnel:
+```
+Tunnel running in background (PID: {pid}).
+It stays open as long as the process is alive.
 ```
 
 ## Settings Changes (PATCH)
@@ -184,8 +355,9 @@ const site = mygensite.manage({
   admin_token: '{admin_token}',  // read from .claude/mygen.json
 });
 
-await site.updateAccess({ mode: 'public' });
-await site.updateAccess({ mode: 'password', password: 'new-password' });
+await site.updateAccess({ access: 'public', auth_method: '' });
+await site.updateAccess({ auth_method: 'password', password: 'new-password' });
+await site.updateAccess({ auth_method: 'password,google', password: 'pw', google: 'a@co.com' });
 await site.extendTTL(86400);
 await site.redeploy('./dist');  // only when files changed
 await site.delete();
@@ -198,46 +370,47 @@ await site.delete();
 Read the admin_token for the service from `.claude/mygen.json`:
 
 ```bash
-# Change access mode (e.g. password -> public)
+# Make fully public (no auth)
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"access": {"mode": "public"}}'
+  -d '{"access": "public", "auth_method": ""}'
 
-# Change password
+# Add password auth
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"access": {"password": "new-password"}}'
+  -d '{"auth_method": "password", "password": "new-password"}'
 
-# Add IP restriction
+# Add Google OAuth + password
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"access": {"mode": "ip_only", "allowed_ips": ["1.2.3.0/24"]}}'
+  -d '{"auth_method": "password,google", "password": "pw", "google": "alice@co.com"}'
 
-# Extend TTL (timer resets from now)
+# Restrict by IP
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"ttl": 86400}'
+  -d '{"access": "ip", "allowed_ips": "1.2.3.0/24"}'
 
-# Change owner email
+# Extend TTL (timer resets from now)
 curl -X PATCH https://mygen.site/api/services/{slug} \
   -H "Authorization: Bearer {admin_token}" \
   -H "Content-Type: application/json" \
-  -d '{"owner_email": "new@company.com"}'
+  -d '{"ttl": 86400}'
 ```
 
 ### PATCH vs Redeploy
 
 | Request | Method |
 |---------|--------|
-| Change password | PATCH `access.password` |
-| Make it public | PATCH `access.mode` |
-| Restrict by IP | PATCH `access.allowed_ips` |
+| Change password | PATCH `auth_method` + `password` |
+| Make it public | PATCH `access` + `auth_method: ""` |
+| Add Google auth | PATCH `auth_method` + `google` |
+| Restrict by IP | PATCH `access: "ip"` + `allowed_ips` |
 | Extend time | PATCH `ttl` |
-| Change email | PATCH `owner_email` |
+| Change owner | PATCH `owner_email` (email or Telegram username) |
 | Update content (files changed) | Redeploy (`deploy --admin-token`) |
 | Upload new files | Redeploy (`deploy --admin-token`) |
 
@@ -265,12 +438,68 @@ curl -X DELETE "https://mygen.site/api/services/{slug}?purge=true" \
 
 After deleting, also remove the service entry from `.claude/mygen.json`.
 
+## Tunnel Management
+
+All tunnel files use slug-based names (`mygen-tunnel-{slug}.*`) to support multiple simultaneous tunnels.
+
+### Check if tunnel is running
+```bash
+if [ -f .claude/mygen-tunnel-{slug}.pid ]; then
+  PID=$(cat .claude/mygen-tunnel-{slug}.pid)
+  kill -0 $PID 2>/dev/null && echo "Running (PID $PID)" || echo "Stopped"
+fi
+```
+
+### Check all tunnels
+```bash
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+  PID=$(cat "$pidfile")
+  if kill -0 "$PID" 2>/dev/null; then
+    echo "$SLUG: Running (PID $PID)"
+  else
+    echo "$SLUG: Stopped"
+  fi
+done
+```
+
+### Stop tunnel
+```bash
+if [ -f .claude/mygen-tunnel-{slug}.pid ]; then
+  kill $(cat .claude/mygen-tunnel-{slug}.pid) 2>/dev/null
+  rm -f .claude/mygen-tunnel-{slug}.pid .claude/mygen-tunnel-{slug}-out.log .claude/mygen-tunnel-{slug}-err.log .claude/mygen-tunnel-{slug}.mjs
+fi
+```
+
+### Stop all tunnels
+```bash
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  PID=$(cat "$pidfile")
+  SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+  kill "$PID" 2>/dev/null
+  rm -f "$pidfile" ".claude/mygen-tunnel-${SLUG}-out.log" ".claude/mygen-tunnel-${SLUG}-err.log" ".claude/mygen-tunnel-${SLUG}.mjs"
+done
+```
+
+### Restart tunnel
+Stop the old one, then run Step 2-B again. The same slug and admin_token will be reused from `.claude/mygen.json`.
+
+## Reference
+
+- API docs: https://mygen.site/docs (NOT /api/docs)
+- LLM-readable docs: https://mygen.site/llms.txt
+
 ## Important Notes
 
-- Do not ask the user for technical choices. Decide automatically.
-- Let the slug (subdomain) be auto-generated unless the user specifies one.
+- Do not ask the user for technical choices (tunnel vs static). Decide automatically.
+- **Reuse the same slug** for the same context. Ask for a subdomain on every new deploy (default: random).
 - Handle errors yourself (port conflicts, build failures, etc.).
-- If `$ARGUMENTS` is "password", deploy with password protection.
-- If `$ARGUMENTS` is empty, deploy as public.
+- If `$ARGUMENTS` explicitly specifies access (e.g. "password", "public"), skip the access control questions and use that directly.
+- If `$ARGUMENTS` is empty, ask the access control questions on first deploy.
 - admin_token is issued **only once**. If lost, it cannot be recovered. Always save to `.claude/mygen.json`.
-- Add `.claude/mygen.json` to `.gitignore` (contains tokens).
+- If service creation fails with `creator_ip_denied` (403), the user's IP is not in the server's allow-list. 
+- **For tunnel/deploy creation, use the mygensite Node.js library** (not curl). For PATCH settings and DELETE, curl is fine.
+- Clean up temp scripts after use. Keep `.claude/mygen-tunnel.mjs` alive while tunnel is running.
+- Add `.claude/` to `.gitignore` (contains tokens).