mygensite 2.2.0 → 2.5.1

package/.claude-plugin/marketplace.json

@@ -5,15 +5,15 @@
     "email": "dev@theconnectsoft.com"
   },
   "metadata": {
-    "description": "Share your localhost or static sites via mygen.site with guided access control and 2-layer security",
-    "version": "2.2.0"
+    "description": "Share your localhost or static sites via mygen.site with guided access control, 2-layer security, rules, and hooks",
+    "version": "2.5.1"
   },
   "plugins": [
     {
       "name": "mygensite",
       "source": "./",
-      "description": "Share what you built via mygen.site — tunnels and static deploys with interactive access control setup on first deploy (public/IP + password/Google/Telegram auth), slug reuse, background tunnel keeper, and unlimited TTL for static sites",
-      "version": "2.2.0",
+      "description": "Share what you built via mygen.site — tunnels and static deploys with interactive access control, rules for safe defaults and deployment awareness, hooks for git/tunnel safety, and multi-tunnel support",
+      "version": "2.5.1",
       "author": {
         "name": "TheConnectSoft"
       },
@@ -21,4 +21,4 @@
       "license": "MIT"
     }
   ]
-}
+}

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "mygensite",
-  "description": "Share your localhost or static sites via mygen.site — guided access control setup, 2-layer security (network + auth), unlimited TTL for static deploys",
-  "version": "2.2.0",
+  "description": "Share your localhost or static sites via mygen.site — guided access control, 2-layer security, rules for safe defaults, hooks for git/tunnel safety, multi-tunnel support",
+  "version": "2.5.1",
   "author": {
     "name": "TheConnectSoft",
     "email": "dev@theconnectsoft.com",
@@ -10,5 +10,11 @@
   "homepage": "https://mygen.site",
   "repository": "https://github.com/theconnectsoft/mygensite",
   "license": "MIT",
-  "keywords": ["tunnel", "deploy", "share", "mygen.site", "access-control"]
-}
+  "keywords": [
+    "tunnel",
+    "deploy",
+    "share",
+    "mygen.site",
+    "access-control"
+  ]
+}

package/README.en.md

@@ -43,7 +43,7 @@ Below are some common arguments. See `mygensite --help` for all options.
 - `--access` network layer: `public`, `ip` (default: `public`)
 - `--auth-method` auth layer (CSV): `password`, `google`, `telegram`
 - `--password` password (when auth-method includes password)
-- `--google` allowed Google email(s)
+- `--google` allowed Google email(s) or `@domain.com` patterns
 - `--telegram` allowed Telegram user ID(s)
 - `--owner-email` owner email for dashboard management
 - `--ttl` tunnel TTL in seconds, 60-86400 (default: 3600)
@@ -111,7 +111,7 @@ const mygensite = require('mygensite');
 - `auth_method` (string) Auth methods CSV: `password`, `google`, `telegram`. Default: none.
 - `password` (string) Password (when auth_method includes 'password'). Auto-generated if omitted.
 - `allowed_ips` (string[]) IP whitelist for `ip` access. Supports CIDR notation.
-- `google` (string|string[]) Allowed Google email(s) (when auth_method includes 'google').
+- `google` (string|string[]) Allowed Google email(s) or domain patterns like `@company.com` (when auth_method includes 'google').
 - `telegram` (string|string[]) Allowed Telegram user ID(s) (when auth_method includes 'telegram').
 - `owner_email` (string) Owner email for dashboard management.
 - `ttl` (number) Tunnel TTL in seconds (60-86400). Default: 3600.
@@ -167,7 +167,7 @@ await tunnel.extendTTL(3600);
 
 ### Slug (subdomain)
 
-- 3–63 characters, lowercase letters (`a-z`), numbers (`0-9`), and hyphens (`-`) only
+- 4–63 characters, lowercase letters (`a-z`), numbers (`0-9`), and hyphens (`-`) only
 - Must start and end with a letter or number (not a hyphen)
 - Reserved words cannot be used: `www`, `api`, `dashboard`, `admin`, `mail`, `ftp`, `static`, `docs`, `status`, `health`, `internal`, `tunnel`, `app`, `web`
 - A slug used as a tunnel cannot be reused for static deployment (and vice versa). Delete the existing service first.
@@ -220,7 +220,7 @@ const tunnel = await mygensite({ port: 3000, subdomain: 'INVALID' });
 const { validate } = require('mygensite');
 
 validate.validateSlug('my-app');         // { valid: true }
-validate.validateSlug('AB');             // { valid: false, error: 'Slug must be 3-63 characters' }
+validate.validateSlug('AB');             // { valid: false, error: 'Slug must be 4-63 characters' }
 validate.validateFilePath('assets/x.js');// { valid: true, cleaned: 'assets/x.js' }
 validate.validateFilePath('../etc');     // { valid: false, error: 'Path traversal...' }
 validate.validateTTL(30);               // { valid: false, error: 'TTL must be...' }
@@ -233,7 +233,7 @@ validate.validateAccessMode('public');   // { valid: true }
 
 | status | error | description | fix |
 | --- | --- | --- | --- |
-| 400 | `invalid_slug` | Slug must be 3-63 chars, lowercase alphanumeric and hyphens | Use a valid slug format, e.g. `my-app-1` |
+| 400 | `invalid_slug` | Slug must be 4-63 chars, lowercase alphanumeric and hyphens | Use a valid slug format, e.g. `my-app-1` |
 | 400 | `reserved_slug` | This slug is reserved and cannot be used | Choose a different slug. Reserved: www, api, dashboard, admin, etc. |
 | 400 | `invalid_ttl` | TTL must be between 60 and 86400 seconds | Use a value between 60 (1 min) and 86400 (24 hours) |
 | 400 | `invalid_access` | Access must be: public, ip | Use one of the valid access modes |
@@ -296,7 +296,7 @@ console.log(site.expires_at);    // "2025-06-02T12:00:00Z"
 | `access` | string | | `public` | Network access: `public`, `ip`. |
 | `auth_method` | string | | — | Auth methods CSV: `password`, `google`, `telegram`. |
 | `password` | string | | auto | Password (when auth_method includes 'password'). |
-| `google` | string\|string[] | | — | Allowed Google email(s) (when auth_method includes 'google'). |
+| `google` | string\|string[] | | — | Allowed Google email(s) or `@domain.com` patterns (when auth_method includes 'google'). |
 | `telegram` | string\|string[] | | — | Allowed Telegram user ID(s) (when auth_method includes 'telegram'). |
 | `allowed_ips` | string[] | | — | IP whitelist for `ip` access. CIDR supported. |
 | `owner_email` | string | | — | Owner email for dashboard management. |
@@ -414,7 +414,7 @@ await site.delete(true);
 | status | error | description | fix |
 | --- | --- | --- | --- |
 | 400 | `no_files` | At least one file is required | Provide `directory` or `files` option |
-| 400 | `invalid_slug` | Invalid slug format | Use 3-63 chars, lowercase alphanumeric and hyphens |
+| 400 | `invalid_slug` | Invalid slug format | Use 4-63 chars, lowercase alphanumeric and hyphens |
 | 400 | `reserved_slug` | Slug is reserved | Choose a different slug |
 | 409 | `slug_in_use` | Slug taken by another owner | Use a different slug |
 | 409 | `type_conflict` | Slug is in use as a tunnel | Use a different slug for static deployment |

package/README.ko.md

@@ -43,7 +43,7 @@ mygen.site에 연결하여 터널을 생성하고, 사용할 URL을 알려줍니
 - `--access` 네트워크 접근 제어: `public`, `ip` (기본: `public`)
 - `--auth-method` 인증 방식 (CSV): `password`, `google`, `telegram`
 - `--password` 접근 제어 비밀번호 (미지정 시 자동 생성)
-- `--google` Google OAuth 허용 이메일 (CSV)
+- `--google` Google OAuth 허용 이메일 또는 `@domain.com` 패턴 (CSV)
 - `--telegram` Telegram 허용 사용자 ID (CSV)
 - `--owner-email` 대시보드 관리용 소유자 이메일
 - `--ttl` 터널 유효 시간(초), 60-86400 (기본: 3600)
@@ -111,7 +111,7 @@ const mygensite = require('mygensite');
 - `auth_method` (string) 인증 방식 (Layer 2, CSV): `password`, `google`, `telegram`. 복수 지정 시 콤마 구분 (예: `password,google`).
 - `password` (string) 접근 제어 비밀번호. `auth_method`에 `password` 포함 시 사용. 미지정 시 자동 생성.
 - `allowed_ips` (string[]) `access`가 `ip`일 때 허용할 IP 목록. CIDR 표기 지원.
-- `google` (string[]) `auth_method`에 `google` 포함 시 허용할 이메일 목록.
+- `google` (string[]) `auth_method`에 `google` 포함 시 허용할 이메일 또는 `@domain.com` 도메인 패턴 목록.
 - `telegram` (string[]) `auth_method`에 `telegram` 포함 시 허용할 Telegram 사용자 ID 목록.
 - `owner_email` (string) 대시보드 관리용 소유자 이메일.
 - `ttl` (number) 터널 유효 시간(초), 60-86400. 기본값: 3600.
@@ -164,7 +164,7 @@ await tunnel.extendTTL(3600);
 
 ### Slug (서브도메인)
 
-- 3–63자, 소문자 영문(`a-z`), 숫자(`0-9`), 하이픈(`-`)만 허용
+- 4–63자, 소문자 영문(`a-z`), 숫자(`0-9`), 하이픈(`-`)만 허용
 - 영문자 또는 숫자로 시작/끝나야 함 (하이픈으로 시작/끝 불가)
 - 예약어 사용 불가: `www`, `api`, `dashboard`, `admin`, `mail`, `ftp`, `static`, `docs`, `status`, `health`, `internal`, `tunnel`, `app`, `web`
 - 터널로 사용 중인 slug에 정적 배포 불가 (반대도 동일). 기존 서비스를 먼저 삭제해야 함.
@@ -217,7 +217,7 @@ const tunnel = await mygensite({ port: 3000, subdomain: 'INVALID' });
 const { validate } = require('mygensite');
 
 validate.validateSlug('my-app');         // { valid: true }
-validate.validateSlug('AB');             // { valid: false, error: 'Slug must be 3-63 characters' }
+validate.validateSlug('AB');             // { valid: false, error: 'Slug must be 4-63 characters' }
 validate.validateFilePath('assets/x.js');// { valid: true, cleaned: 'assets/x.js' }
 validate.validateFilePath('../etc');     // { valid: false, error: '경로 탈출 불가...' }
 validate.validateTTL(30);               // { valid: false, error: 'TTL 범위 초과...' }
@@ -230,7 +230,7 @@ validate.validateAccessMode('public');   // { valid: true }
 
 | 상태 | 에러 | 설명 | 해결 |
 | --- | --- | --- | --- |
-| 400 | `invalid_slug` | slug는 3-63자, 소문자 영숫자와 하이픈만 가능 | 올바른 형식 사용, 예: `my-app-1` |
+| 400 | `invalid_slug` | slug는 4-63자, 소문자 영숫자와 하이픈만 가능 | 올바른 형식 사용, 예: `my-app-1` |
 | 400 | `reserved_slug` | 예약된 slug로 사용 불가 | 다른 slug 사용. 예약어: www, api, dashboard, admin 등 |
 | 400 | `invalid_ttl` | TTL은 60-86400초 범위여야 함 | 60(1분) ~ 86400(24시간) 사이 값 사용 |
 | 400 | `invalid_access` | 접근 모드는 public, ip 중 하나 | `public` 또는 `ip` 중 하나를 지정 |
@@ -294,7 +294,7 @@ console.log(site.expires_at);    // "2025-06-02T12:00:00Z"
 | `auth_method` | string | | — | 인증 방식 (Layer 2, CSV): `password`, `google`, `telegram`. |
 | `password` | string | | 자동 | 접근 제어 비밀번호. `auth_method`에 `password` 포함 시 사용. |
 | `allowed_ips` | string[] | | — | `access`가 `ip`일 때 허용할 IP. CIDR 지원. |
-| `google` | string[] | | — | `auth_method`에 `google` 포함 시 허용할 이메일 목록. |
+| `google` | string[] | | — | `auth_method`에 `google` 포함 시 허용할 이메일 또는 `@domain.com` 패턴 목록. |
 | `telegram` | string[] | | — | `auth_method`에 `telegram` 포함 시 허용할 Telegram 사용자 ID 목록. |
 | `owner_email` | string | | — | 대시보드 관리용 소유자 이메일. |
 | `ttl` | number | | 3600 | 사이트 유효 시간(초), 60-86400. |
@@ -412,7 +412,7 @@ await site.delete(true);
 | 상태 | 에러 | 설명 | 해결 |
 | --- | --- | --- | --- |
 | 400 | `no_files` | 최소 1개 파일 필요 | `directory` 또는 `files` 옵션 제공 |
-| 400 | `invalid_slug` | 잘못된 slug 형식 | 3-63자, 소문자 영숫자와 하이픈 사용 |
+| 400 | `invalid_slug` | 잘못된 slug 형식 | 4-63자, 소문자 영숫자와 하이픈 사용 |
 | 400 | `reserved_slug` | 예약된 slug | 다른 slug 사용 |
 | 409 | `slug_in_use` | 다른 소유자가 사용 중인 slug | 다른 slug 사용 |
 | 409 | `type_conflict` | 터널로 사용 중인 slug | 정적 배포용으로 다른 slug 사용 |

package/README.md

@@ -43,11 +43,12 @@ const tunnel = await mygensite({
   // Layer 2: Auth method(s)
   auth_method: 'password',             // optional: CSV of 'password', 'google', 'telegram'
   password: 'secret',                  // required when auth_method includes 'password'
-  google: 'alice@company.com',         // required when auth_method includes 'google'
+  google: 'alice@company.com,@company.com', // required when auth_method includes 'google' (supports @domain.com patterns)
   telegram: '123456',                  // required when auth_method includes 'telegram'
 
   owner_email: 'alice@company.com',    // optional: email or Telegram username for dashboard
   ttl: 3600,                           // optional: 60-86400 seconds (default: 3600)
+  token: 'mgs_xxx',                    // optional: API token (or set MYGENSITE_TOKEN env)
 });
 
 // Result
@@ -78,6 +79,7 @@ const site = await mygensite.deploy({
   password: 'secret',                   // when auth_method includes 'password'
   owner_email: 'alice@company.com',      // optional: email or Telegram username for dashboard
   ttl: 86400,                            // optional: 0 (unlimited) or 60-259200 seconds (default: 3600)
+  token: 'mgs_xxx',                      // optional: API token (or set MYGENSITE_TOKEN env)
 });
 
 // Result
@@ -128,12 +130,37 @@ await site.delete();
 |-------|----------|
 | _(empty)_ | no authentication (default) |
 | `password` | password form + cookie session |
-| `google` | Google OAuth → allowed emails only |
+| `google` | Google OAuth → allowed emails only (supports `@domain.com` patterns) |
 | `telegram` | Telegram login → allowed user IDs only |
 | `password,google` | password OR Google (user picks) |
 
 Both layers apply sequentially: IP check → auth check.
 
+## API Token Authentication
+
+By default, service creation (tunnel/deploy) is restricted to allowed IPs. To create from any IP, generate an API token from the [dashboard](https://mygen.site/dashboard/api).
+
+```js
+// Option 1: Pass token directly
+const tunnel = await mygensite({ port: 3000, token: 'mgs_xxx' });
+const site = await mygensite.deploy({ directory: './dist', token: 'mgs_xxx' });
+
+// Option 2: Set environment variable (auto-detected)
+// export MYGENSITE_TOKEN=mgs_xxx
+const tunnel = await mygensite({ port: 3000 });  // token picked up from env
+```
+
+```bash
+# CLI
+mygensite --port 3000 --token mgs_xxx
+mygensite deploy -d ./dist --token mgs_xxx
+
+# Or via environment variable
+MYGENSITE_TOKEN=mgs_xxx mygensite --port 3000
+```
+
+When using an API token, `owner_email` is automatically set to the token owner's account email.
+
 ## TTL (Time to Live)
 
 | type | range | unlimited |
@@ -155,7 +182,7 @@ Full runnable examples in [`examples/`](https://github.com/theconnectsoft/mygens
 
 ### Slug (subdomain)
 
-- 3–63 characters, lowercase letters, numbers, and hyphens only
+- 4–63 characters, lowercase letters, numbers, and hyphens only
 - Must start and end with a letter or number (not a hyphen)
 - Reserved: `www`, `api`, `dashboard`, `admin`, `docs`, `status`, `health`, etc.
 - A slug used as a tunnel cannot be reused for static deploy (and vice versa)
@@ -197,7 +224,7 @@ validate.validateTTL(30);             // { valid: false, error: '...' }
 
 | status | error | when | fix |
 |--------|-------|------|-----|
-| 400 | `invalid_slug` | slug format invalid | use 3-63 chars, lowercase alphanum + hyphen (e.g. `my-app-1`) |
+| 400 | `invalid_slug` | slug format invalid | use 4-63 chars, lowercase alphanum + hyphen (e.g. `my-app-1`) |
 | 400 | `reserved_slug` | slug is reserved | choose different slug. reserved: www, api, dashboard, admin, etc. |
 | 400 | `invalid_ttl` | TTL out of range | tunnels: 60-86400s, static: 0 (unlimited) or 60-259200s. Unlimited requires auth. |
 | 400 | `invalid_access` | bad access mode | use: public, ip |
@@ -228,6 +255,10 @@ mygensite deploy -d ./dist -s private-demo --auth-method password --password 'my
 
 # Redeploy (reuse admin_token)
 mygensite deploy -d ./dist-v2 -s demo --admin-token tok_xxx
+
+# With API token (skip IP restriction)
+mygensite --port 3000 -s my-app --token mgs_xxx
+MYGENSITE_TOKEN=mgs_xxx mygensite deploy -d ./dist -s demo
 ```
 
 ## curl Deploy

package/bin/lt.js

@@ -38,7 +38,7 @@ yargs
         describe: 'Password for password auth',
       })
       .option('google', {
-        describe: 'Allowed Google emails (CSV)',
+        describe: 'Allowed Google emails or @domain.com patterns (CSV)',
       })
       .option('telegram', {
         describe: 'Allowed Telegram user IDs (CSV)',
@@ -52,6 +52,9 @@ yargs
       })
       .option('admin-token', {
         describe: 'Admin token for redeployment',
+      })
+      .option('token', {
+        describe: 'API token (mgs_xxx) for authentication. Also reads MYGENSITE_TOKEN env.',
       });
   }, async (argv) => {
     try {
@@ -67,6 +70,7 @@ yargs
         owner_email: argv.ownerEmail,
         ttl: argv.ttl,
         admin_token: argv.adminToken,
+        token: argv.token,
       });
 
       console.log('your url is: %s', result.url);
@@ -139,7 +143,7 @@ yargs
         describe: 'Password for password auth',
       })
       .option('google', {
-        describe: 'Allowed Google emails (CSV)',
+        describe: 'Allowed Google emails or @domain.com patterns (CSV)',
       })
       .option('telegram', {
         describe: 'Allowed Telegram user IDs (CSV)',
@@ -154,6 +158,9 @@ yargs
       .option('admin-token', {
         describe: 'Admin token for reconnecting to an existing tunnel',
       })
+      .option('token', {
+        describe: 'API token (mgs_xxx) for authentication. Also reads MYGENSITE_TOKEN env.',
+      })
       .boolean('local-https')
       .boolean('allow-invalid-cert')
       .boolean('print-requests');
@@ -184,6 +191,7 @@ yargs
         owner_email: argv.ownerEmail,
         ttl: argv.ttl,
         admin_token: argv.adminToken,
+        token: argv.token,
       });
     } catch (err) {
       console.error('tunnel failed: %s', err.message);

package/hooks/git-guard.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# PreToolUse hook: block git staging of mygen secret files
+INPUT=$(cat)
+TOOL=$(echo "$INPUT" | jq -r '.tool_name')
+
+if [ "$TOOL" != "Bash" ]; then
+  echo '{"decision":"allow"}'
+  exit 0
+fi
+
+CMD=$(echo "$INPUT" | jq -r '.tool_input.command')
+
+# Check for direct staging of mygen files
+if echo "$CMD" | grep -qE 'git add.*\.claude/mygen'; then
+  echo '{"decision":"block","reason":"Blocked: .claude/mygen.json contains admin tokens that should never be committed."}'
+  exit 0
+fi
+
+echo '{"decision":"allow"}'

package/hooks/hooks.json

@@ -0,0 +1,19 @@
+{
+  "hooks": [
+    {
+      "event": "PreToolUse",
+      "script": "hooks/git-guard.sh",
+      "description": "Prevent staging mygen secret files"
+    },
+    {
+      "event": "PostToolUse",
+      "script": "hooks/tunnel-cleanup.sh",
+      "description": "Clean stale tunnel PID files"
+    },
+    {
+      "event": "Stop",
+      "script": "hooks/tunnel-reminder.sh",
+      "description": "Remind about running tunnels on session end"
+    }
+  ]
+}

package/hooks/tunnel-cleanup.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# PostToolUse hook: clean stale tunnel PID files
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  PID=$(cat "$pidfile")
+  if ! kill -0 "$PID" 2>/dev/null; then
+    SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+    rm -f "$pidfile"
+    rm -f ".claude/mygen-tunnel-${SLUG}-out.log" ".claude/mygen-tunnel-${SLUG}-err.log"
+    rm -f ".claude/mygen-tunnel-${SLUG}.mjs"
+  fi
+done

package/hooks/tunnel-reminder.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Stop hook: remind about running tunnels
+RUNNING=""
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  PID=$(cat "$pidfile")
+  if kill -0 "$PID" 2>/dev/null; then
+    SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+    RUNNING="${RUNNING}  - ${SLUG}.mygen.site (PID $PID)\n"
+  fi
+done
+
+if [ -n "$RUNNING" ]; then
+  echo -e "Running tunnels:\n${RUNNING}To stop: kill <PID>" >&2
+fi

package/lib/Tunnel.js

@@ -100,6 +100,12 @@ module.exports = class Tunnel extends EventEmitter {
       responseType: 'json',
     };
 
+    // API token authentication (token option or MYGENSITE_TOKEN env)
+    const token = opt.token || process.env.MYGENSITE_TOKEN;
+    if (token) {
+      params.headers = { Authorization: `Bearer ${token}` };
+    }
+
     // Build extended query params for mygensite server
     const queryParams = {};
     if (opt.access) queryParams.access = opt.access;

package/lib/deploy.js

@@ -96,8 +96,12 @@ async function deploy(options) {
     telegram,
     ttl,
     admin_token,
+    token,
   } = options;
 
+  // API token authentication (token option or MYGENSITE_TOKEN env)
+  const apiToken = token || process.env.MYGENSITE_TOKEN;
+
   // Client-side validation — fail fast before API call
   if (subdomain) {
     const slugCheck = validateSlug(subdomain);
@@ -203,9 +207,15 @@ async function deploy(options) {
   const headers = { ...form.getHeaders() };
   if (admin_token) {
     headers.Authorization = `Bearer ${admin_token}`;
+  } else if (apiToken) {
+    headers.Authorization = `Bearer ${apiToken}`;
   }
 
-  const res = await axios.post(`${host}/api/deploy`, form, { headers });
+  const res = await axios.post(`${host}/api/deploy`, form, {
+    headers,
+    maxBodyLength: 200 * 1024 * 1024,
+    maxContentLength: 200 * 1024 * 1024,
+  });
   const data = res.data;
 
   debug('deploy response: %j', data);

package/lib/validate.js

@@ -8,12 +8,12 @@
  */
 
 // Must match: server/src/api/routes/tunnels.ts SLUG_REGEX
-const SLUG_REGEX = /^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/;
+const SLUG_REGEX = /^[a-z0-9][a-z0-9-]{2,61}[a-z0-9]$/;
 
 const RESERVED_SLUGS = new Set([
   'www', 'api', 'dashboard', 'admin', 'mail',
   'ftp', 'static', 'docs', 'status', 'health',
-  'internal', 'tunnel', 'app', 'web',
+  'internal', 'tunnel', 'app', 'web', 'mcp',
 ]);
 
 // Must match: server/src/api/routes/deploy.ts SAFE_PATH_SEGMENT
@@ -31,8 +31,8 @@ function validateSlug(slug) {
   if (!slug || typeof slug !== 'string') {
     return { valid: false, error: 'Slug is required' };
   }
-  if (slug.length < 3 || slug.length > 63) {
-    return { valid: false, error: 'Slug must be 3-63 characters' };
+  if (slug.length < 4 || slug.length > 63) {
+    return { valid: false, error: 'Slug must be 4-63 characters' };
   }
   if (!SLUG_REGEX.test(slug)) {
     return { valid: false, error: 'Slug must be lowercase alphanumeric and hyphens, starting and ending with alphanumeric' };
@@ -143,9 +143,26 @@ function validateAuthMethod(method) {
 
 // Email: basic check — has @, local part, domain with dot
 const EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+// Domain pattern: @domain.com (for allowed_emails — matches all emails from that domain)
+const DOMAIN_PATTERN_REGEX = /^@[^\s@]+\.[^\s@]+$/;
 // Telegram username: 5-32 chars, alphanumeric + underscores (per Telegram rules)
 const TELEGRAM_USERNAME_REGEX = /^[a-zA-Z][a-zA-Z0-9_]{4,31}$/;
 
+/**
+ * Validate an email or domain pattern for allowed_emails list.
+ * Accepts either a full email (alice@co.com) or a domain pattern (@co.com).
+ * Domain patterns match all emails from that domain.
+ * @param {string} value
+ * @returns {boolean}
+ */
+function isValidEmailOrDomain(value) {
+  if (!value || typeof value !== 'string') return false;
+  if (value.startsWith('@')) {
+    return value.length <= 255 && DOMAIN_PATTERN_REGEX.test(value);
+  }
+  return EMAIL_REGEX.test(value);
+}
+
 /**
  * Validate owner_email value (email address or Telegram username).
  * @param {string} value
@@ -221,10 +238,12 @@ module.exports = {
   validateAuthMethod,
   validateAccessParams,
   validateOwner,
+  isValidEmailOrDomain,
   SLUG_REGEX,
   RESERVED_SLUGS,
   VALID_ACCESS_MODES,
   VALID_AUTH_METHODS,
   EMAIL_REGEX,
+  DOMAIN_PATTERN_REGEX,
   TELEGRAM_USERNAME_REGEX,
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "mygensite",
   "description": "Expose your localhost to mygen.site with access control",
-  "version": "2.2.0",
+  "version": "2.5.1",
   "license": "MIT",
   "repository": {
     "type": "git",

package/rules/deployment-awareness.md

@@ -0,0 +1,10 @@
+---
+name: deployment-awareness
+description: Recognize active mygen.site deployments and suggest redeploy after file changes
+---
+
+- When a conversation starts with `.claude/mygen.json` present, acknowledge active services
+- If a static deploy exists and build output files are changed, suggest "Do you want to redeploy?"
+- If tunnel PID files (`.claude/mygen-tunnel-*.pid`) exist, be aware of running tunnel processes
+- Never auto-deploy or auto-redeploy. Only suggest
+- When the user says "update it", "reflect changes", "deploy changes", "업데이트 반영해줘", "변경사항 배포해줘", invoke the /share skill

package/rules/safe-defaults.md

@@ -0,0 +1,10 @@
+---
+name: safe-defaults
+description: Default to password protection unless user explicitly requests public access
+---
+
+- Unless the user explicitly says "public", "공개", "no password", "비밀번호 없이", default to IP-restricted + password authentication
+- When presenting network options, recommend IP-restricted as the default
+- When presenting auth options, recommend password as the default
+- If the project contains .env, credentials, secrets, or API key files, add a warning about exposure risk
+- Ambiguous requests like "just share it quickly" or "그냥 빨리 공유해줘" still get IP-restricted + password protection by default

package/rules/tunnel-keepalive.md

@@ -0,0 +1,36 @@
+---
+name: tunnel-keepalive
+description: Ensure tunnel scripts stay alive with proper keepalive patterns, not exit immediately
+---
+
+When writing tunnel scripts (`.claude/mygen-tunnel-*.mjs`), always follow these patterns:
+
+1. **setInterval required**: Keep the process alive after tunnel creation
+   ```js
+   setInterval(() => {
+     console.error(`[tunnel] alive — ${tunnel.url}`);
+   }, 5 * 60 * 1000);
+   ```
+
+2. **Signal handlers required**: Clean shutdown on SIGINT/SIGTERM
+   ```js
+   process.on('SIGINT', () => { tunnel.close(); process.exit(0); });
+   process.on('SIGTERM', () => { tunnel.close(); process.exit(0); });
+   ```
+
+3. **Event handlers required**: Log unexpected disconnects
+   ```js
+   tunnel.on('close', () => { console.error('Tunnel closed'); process.exit(1); });
+   tunnel.on('error', (err) => { console.error('Tunnel error:', err.message); });
+   ```
+
+4. **Never do these**:
+   - End the script after console.log without keepalive (process exits immediately)
+   - Use setTimeout instead of setInterval (runs only once)
+   - Call process.exit() outside of signal/event handlers
+
+5. **Background execution required**: Always run with `&` and save the PID
+   ```bash
+   node .claude/mygen-tunnel-{slug}.mjs > .claude/mygen-tunnel-{slug}-out.log 2>.claude/mygen-tunnel-{slug}-err.log &
+   echo $! > .claude/mygen-tunnel-{slug}.pid
+   ```

package/skills/share/SKILL.md

@@ -12,7 +12,8 @@ Tunnel/deploy creation uses the **mygensite** Node.js library. Settings changes
 
 ## Owner Identity
 
-Deploys and tunnels require `--owner-email`. This identifies who owns the service on the dashboard.
+`--owner-email` links the service to a dashboard account for web-based management.
+The user can also skip this — management via `admin_token` (PATCH, DELETE, redeploy) always works.
 
 The value can be either:
 - **Email address** (for Google login users): `alice@company.com`
@@ -22,9 +23,9 @@ Ownership matching is case-insensitive.
 
 ### First use
 1. Check if `.claude/mygen.json` exists
-2. If not, ask the user **once**: "What email or Telegram username should I use for service management? (used for dashboard login)"
+2. If not, **you MUST ask the user**: "Email or Telegram username for dashboard management? (Enter to skip)"
 3. **Do NOT validate the format as email-only.** The value can be a plain username without `@` — that's a valid Telegram username. Accept any non-empty string the user provides.
-4. Save it to `.claude/mygen.json`:
+4. If the user provides a value, save it to `.claude/mygen.json`:
 ```json
 { "owner_email": "user@company.com" }
 ```
@@ -32,28 +33,59 @@ or for Telegram users (no `@`, not an email — this is valid):
 ```json
 { "owner_email": "mytelegramuser" }
 ```
+5. If the user skips (empty), save without owner_email:
+```json
+{}
+```
 
 ### Subsequent uses
 - Read owner from `.claude/mygen.json` automatically
 - If the user says "change my email" or "change my owner", update the file
 
+## API Token (optional)
+
+If the `MYGENSITE_TOKEN` env variable is set, or `token` option is passed, the mygensite client automatically uses it for authentication. This allows service creation from any IP address.
+
+The token can be generated from the dashboard: https://mygen.site/dashboard/api
+
+Usage:
+```bash
+# Environment variable (recommended — auto-detected)
+export MYGENSITE_TOKEN=mgs_xxx
+
+# Or pass directly in code
+const tunnel = await mygensite({ port: 3000, token: 'mgs_xxx' });
+const site = await mygensite.deploy({ directory: './dist', token: 'mgs_xxx' });
+
+# Or CLI flag
+mygensite --port 3000 --token mgs_xxx
+```
+
+When a token is used, `owner_email` is automatically set to the token owner's email. The `.claude/mygen.json` `owner_email` is still used for display purposes but won't override the token-based owner.
+
 ## Slug (Domain) Management
 
 ### Reuse by default
 - When `.claude/mygen.json` already has a service entry for the **same context** (same port for tunnels, same build directory for static), reuse that slug and `admin_token`.
 - This means running `/share` repeatedly for the same service always keeps the same URL.
 
-### When to ask for a new domain
-Ask the user what domain they want **only when** the context clearly requires a **different** share than what's already saved:
-- Sharing a **different port** than the existing tunnel
-- Sharing a **different directory** or a second static site
-- User explicitly says "share this on a different URL" or "new domain"
+### New service — always ask for subdomain
+When there is **no matching service** in `.claude/mygen.json` for the current context, you MUST ask for a subdomain. This happens when:
+- First time running `/share` in a project (no `.claude/mygen.json` or empty services)
+- Sharing a **different port** than any existing tunnel entry
+- Sharing a **different build directory** than any existing static entry
+- User explicitly asks for a "new URL", "different domain", "새 도메인" etc.
+
+Ask:
+> **Subdomain?** (Enter for random: `auto-generated.mygen.site`)
+> e.g. `my-api` → `my-api.mygen.site`
 
-Ask: "What subdomain would you like? (e.g. `my-api` → `my-api.mygen.site`, blank for auto-generated)"
-- If blank → let the server auto-generate.
+- Default (Enter/blank) → server auto-generates a random slug
+- If the user specifies a slug and it's **already taken** (409 error), inform them and ask again:
+  > `my-api.mygen.site` is already taken. Choose another subdomain? (Enter for random)
 
-### Domain can be changed later
-Always inform the user (at least on first use): **"You can change the domain anytime by asking, e.g. 'change my domain to new-name'."**
+### Domain cannot be changed after creation
+The subdomain (slug) is permanent once created. To use a different domain, create a new service and delete the old one. Inform the user on first use: **"The subdomain can't be changed later — choose carefully, or press Enter for a random one."**
 
 ## Decision: Tunnel vs Static Deploy
 
@@ -101,24 +133,24 @@ On the **first deploy** of a new service, ask the user these questions:
 
 #### Q1. Network access
 > **Who should be able to access this?**
-> 1. **Public** — anyone with the link (default)
-> 2. **IP-restricted** — only your current IP
+> 1. **Public** — anyone with the link
+> 2. **IP-restricted** — only your current IP (recommended)
 
 If IP-restricted, detect the user's public IP:
 ```bash
 curl -s https://ifconfig.me
 ```
 
-#### Q2. Authentication (recommended)
-> **Do you want to add authentication?** (recommended for security)
-> 1. **Password** — visitors enter a password to access
+#### Q2. Authentication
+> **Password protection is enabled by default.** Choose an authentication method:
+> 1. **Password** — visitors enter a password to access (default)
 > 2. **Google OAuth** — only specific Google accounts can access
 > 3. **Telegram** — only specific Telegram users can access
-> 4. **None** — no authentication
+> 4. **None** — no authentication (not recommended)
 
 If the user picks auth, ask for the details:
 - **Password**: "What password should visitors use?" (or auto-generate one)
-- **Google**: "Which email addresses should have access? (comma-separated)"
+- **Google**: "Which email addresses should have access? (comma-separated, use @domain.com to allow an entire domain)"
 - **Telegram**: "Which Telegram user IDs should have access? (comma-separated)"
 
 Multiple auth methods can be combined (e.g. password + Google — visitors can use either).
@@ -127,11 +159,11 @@ Multiple auth methods can be combined (e.g. password + Google — visitors can u
 
 Use the answers to set these parameters in the deploy/tunnel script:
 ```js
-access: 'public',            // or 'ip'
-allowed_ips: ['1.2.3.4'],    // only when access='ip', user's detected IP
+access: 'ip',                // 'ip' (recommended) or 'public'
+allowed_ips: ['1.2.3.4'],    // user's detected IP (auto-detect via curl ifconfig.me)
 auth_method: 'password',     // or 'google', 'telegram', 'password,google', or omit
 password: 'chosen-password',  // when auth_method includes 'password'
-google: 'alice@co.com',      // when auth_method includes 'google'
+google: 'alice@co.com,@co.com', // when auth_method includes 'google' (supports @domain.com)
 telegram: '123456789',       // when auth_method includes 'telegram'
 ```
 
@@ -173,7 +205,7 @@ console.log(JSON.stringify({
 ```
 
 ```bash
-node .claude/mygen-deploy.mjs && rm .claude/mygen-deploy.mjs
+node .claude/mygen-deploy.mjs
 ```
 
 Parse the JSON output, update `.claude/mygen.json`.
@@ -187,7 +219,7 @@ lsof -i -P | grep LISTEN | grep -E ':(3000|5173|8000|8080|4200|5000)'
 
 If no server is running, start it in background first.
 
-Write a tunnel keeper script `.claude/mygen-tunnel.mjs`:
+Write a tunnel keeper script `.claude/mygen-tunnel-{slug}.mjs` (slug-based filename for multi-tunnel support):
 
 ```js
 import localtunnel from 'mygensite';
@@ -225,22 +257,22 @@ setInterval(() => {
 }, 5 * 60 * 1000);
 ```
 
-Run in background and capture output:
+Run in background and capture output (use the slug in all filenames):
 ```bash
-node .claude/mygen-tunnel.mjs > .claude/mygen-tunnel-out.log 2>.claude/mygen-tunnel-err.log &
+node .claude/mygen-tunnel-{slug}.mjs > .claude/mygen-tunnel-{slug}-out.log 2>.claude/mygen-tunnel-{slug}-err.log &
 TUNNEL_PID=$!
-echo $TUNNEL_PID > .claude/mygen-tunnel.pid
+echo $TUNNEL_PID > .claude/mygen-tunnel-{slug}.pid
 
 # Wait for tunnel to initialize
 for i in $(seq 1 10); do
-  if [ -s .claude/mygen-tunnel-out.log ]; then break; fi
+  if [ -s .claude/mygen-tunnel-{slug}-out.log ]; then break; fi
   sleep 1
 done
-cat .claude/mygen-tunnel-out.log
+cat .claude/mygen-tunnel-{slug}-out.log
 ```
 
 - **CRITICAL**: The tunnel keeper script stays running in background. Do NOT delete it while active.
-- PID is saved to `.claude/mygen-tunnel.pid` for later management.
+- PID is saved to `.claude/mygen-tunnel-{slug}.pid` for later management (slug-based, supports multiple tunnels).
 - The script handles SIGINT/SIGTERM gracefully and logs heartbeats to stderr.
 
 ### 3. Save results and inform the user
@@ -255,7 +287,8 @@ cat .claude/mygen-tunnel-out.log
       "type": "tunnel",
       "port": 3000,
       "url": "https://{slug}.mygen.site",
-      "access": "public",
+      "access": "ip",
+      "allowed_ips": ["1.2.3.4"],
       "auth_method": "password",
       "created_at": "2025-06-01T12:00:00Z"
     }
@@ -271,7 +304,7 @@ URL: https://{slug}.mygen.site
 
 Share this link — anyone can access it.
 Auto-expires in 24 hours.
-You can change the domain or access settings anytime — just ask.
+You can change access settings anytime — just ask.
 ```
 
 **With password auth:**
@@ -304,12 +337,6 @@ Tunnel running in background (PID: {pid}).
 It stays open as long as the process is alive.
 ```
 
-### 4. Add to .gitignore
-
-```bash
-grep -q '.claude/' .gitignore 2>/dev/null || echo '.claude/' >> .gitignore
-```
-
 ## Settings Changes (PATCH)
 
 When the user wants to change settings on an already-shared service:
@@ -413,22 +440,49 @@ After deleting, also remove the service entry from `.claude/mygen.json`.
 
 ## Tunnel Management
 
+All tunnel files use slug-based names (`mygen-tunnel-{slug}.*`) to support multiple simultaneous tunnels.
+
 ### Check if tunnel is running
 ```bash
-if [ -f .claude/mygen-tunnel.pid ]; then
-  PID=$(cat .claude/mygen-tunnel.pid)
+if [ -f .claude/mygen-tunnel-{slug}.pid ]; then
+  PID=$(cat .claude/mygen-tunnel-{slug}.pid)
   kill -0 $PID 2>/dev/null && echo "Running (PID $PID)" || echo "Stopped"
 fi
 ```
 
+### Check all tunnels
+```bash
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+  PID=$(cat "$pidfile")
+  if kill -0 "$PID" 2>/dev/null; then
+    echo "$SLUG: Running (PID $PID)"
+  else
+    echo "$SLUG: Stopped"
+  fi
+done
+```
+
 ### Stop tunnel
 ```bash
-if [ -f .claude/mygen-tunnel.pid ]; then
-  kill $(cat .claude/mygen-tunnel.pid) 2>/dev/null
-  rm -f .claude/mygen-tunnel.pid .claude/mygen-tunnel-out.log .claude/mygen-tunnel-err.log
+if [ -f .claude/mygen-tunnel-{slug}.pid ]; then
+  kill $(cat .claude/mygen-tunnel-{slug}.pid) 2>/dev/null
+  rm -f .claude/mygen-tunnel-{slug}.pid .claude/mygen-tunnel-{slug}-out.log .claude/mygen-tunnel-{slug}-err.log .claude/mygen-tunnel-{slug}.mjs
 fi
 ```
 
+### Stop all tunnels
+```bash
+for pidfile in .claude/mygen-tunnel-*.pid; do
+  [ -f "$pidfile" ] || continue
+  PID=$(cat "$pidfile")
+  SLUG=$(basename "$pidfile" | sed 's/mygen-tunnel-//;s/\.pid//')
+  kill "$PID" 2>/dev/null
+  rm -f "$pidfile" ".claude/mygen-tunnel-${SLUG}-out.log" ".claude/mygen-tunnel-${SLUG}-err.log" ".claude/mygen-tunnel-${SLUG}.mjs"
+done
+```
+
 ### Restart tunnel
 Stop the old one, then run Step 2-B again. The same slug and admin_token will be reused from `.claude/mygen.json`.
 
@@ -440,11 +494,12 @@ Stop the old one, then run Step 2-B again. The same slug and admin_token will be
 ## Important Notes
 
 - Do not ask the user for technical choices (tunnel vs static). Decide automatically.
-- **Reuse the same slug** for the same context. Only ask for a new domain when sharing something different (different port, different directory, etc.).
+- **Reuse the same slug** for the same context. Ask for a subdomain on every new deploy (default: random).
 - Handle errors yourself (port conflicts, build failures, etc.).
 - If `$ARGUMENTS` explicitly specifies access (e.g. "password", "public"), skip the access control questions and use that directly.
 - If `$ARGUMENTS` is empty, ask the access control questions on first deploy.
 - admin_token is issued **only once**. If lost, it cannot be recovered. Always save to `.claude/mygen.json`.
+- If service creation fails with `creator_ip_denied` (403), the user's IP is not in the server's allow-list. 
 - **For tunnel/deploy creation, use the mygensite Node.js library** (not curl). For PATCH settings and DELETE, curl is fine.
 - Clean up temp scripts after use. Keep `.claude/mygen-tunnel.mjs` alive while tunnel is running.
 - Add `.claude/` to `.gitignore` (contains tokens).