add expose command (#633)

* add expose command

* Fix peer groups steo

* Update CLI documentation with examples and clarifications for flags

* update docs

---------

Co-authored-by: Brandon Hopkins <brandon@techhut.tv>

src/pages/get-started/cli.mdx

@@ -10,7 +10,7 @@ Use the following syntax to run `netbird` commands from your terminal window:
 ```shell
 netbird [command] [subcommand] [flags]
 ```
-* `command`: Specifies the operation that you want to perform or a top-level command: `up`, `login`, `down`, `status`, `ssh`, `version`, and `service`
+* `command`: Specifies the operation that you want to perform or a top-level command: `up`, `login`, `down`, `status`, `ssh`, `expose`, `version`, and `service`
 * `subcommand`: Specifies the operation to be executed for a top-level command like `service`: `install`, `uninstall`, `start`, and `stop`
 * `flags`:  Specifies optional flags. For example, you can use the `--setup-key` flag to specify the setup key to be used in the commands `login` and `up`
 
@@ -482,6 +482,60 @@ For SFTP and SCP, use native clients (`sftp` and `scp` commands) which work with
 </p>
 
 
+### expose
+Command to expose a local port to the public internet via the NetBird reverse proxy. The service remains active as long as the command is running and is automatically removed when you stop it.
+
+<Note>
+    Before using this command, make sure the NetBird client is connected (`netbird up`), and that the **Peer Expose** feature is enabled by your account administrator in **Settings** > **Clients**. See [Expose from CLI](/manage/reverse-proxy/expose-from-cli) for the complete guide.
+</Note>
+
+#### Flags
+```shell
+      --with-pin string             Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)
+      --with-password string        Protect the exposed service with a password (e.g. --with-password my-secret)
+      --with-user-groups strings    Restrict access to specific user groups (e.g. --with-user-groups devops,Backend)
+      --with-custom-domain string   Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)
+      --with-name-prefix string     Prefix for the generated service name (e.g. --with-name-prefix my-app)
+      --protocol string             Protocol to use: 'http' or 'https' (e.g. --protocol http) (default "http")
+```
+#### Usage
+Expose a local HTTP server running on port 8080:
+```shell
+netbird expose 8080
+```
+This will output:
+```shell
+Service exposed successfully!
+  Name:     my-service-abc123
+  URL:      https://my-service-abc123.proxy.example.com
+  Domain:   my-service-abc123.proxy.example.com
+  Protocol: http
+  Port:     8080
+
+Press Ctrl+C to stop exposing.
+```
+Expose with PIN protection (must be exactly 6 digits):
+```shell
+netbird expose 3000 --with-pin 123456
+```
+Expose with password protection and a custom name prefix:
+```shell
+netbird expose 8080 --with-password my-secret --with-name-prefix my-app
+```
+Expose with SSO user group restriction:
+```shell
+netbird expose 8080 --with-user-groups engineering,devops
+```
+Expose using a custom domain (must be pre-configured in your account):
+```shell
+netbird expose 8080 --with-custom-domain app.example.com
+```
+Press `Ctrl+C` to stop exposing the service. The service is automatically removed from the reverse proxy when the command exits.
+
+<Note>
+    Each peer can have up to 10 active expose sessions simultaneously. The session is kept alive with automatic renewals every 30 seconds and expires after 90 seconds if the client disconnects unexpectedly.
+</Note>
+
 ### version
 Outputs the `netbird` command version.
 #### Usage