@scadable/wizard 0.1.1 → 0.2.0

package/README.md

@@ -1,24 +1,65 @@
 # @scadable/wizard
 
-A one-time setup wizard that wires your published SCADABLE privacy policy into your
-codebase. Publish your policy in the SCADABLE app, copy the install command from
-Settings, and run it in your repo:
+The zero-friction setup wizard for SCADABLE. One command, one token, done: it
+detects your framework and wires your always-current legal documents (privacy
+policy, terms of use, and more) into your app, pulled live from SCADABLE. Publish
+a document in the SCADABLE app, copy the install command from Settings, and run it
+in your repo:
 
 ```bash
 npx @scadable/wizard@latest --token <TEMP_TOKEN>
 ```
 
-The wizard verifies your token, detects your web framework, asks the SCADABLE API for a
-tailored plan, then installs [`@scadable/privacy`](../next) and creates your privacy
-page. After this, your page always renders the version you last published, with no
-redeploy when you update it.
+The wizard verifies your token, detects your web framework, installs the matching
+`@scadable/*` plugin (or sets up the universal CDN embed for a static site), and
+creates your page(s). After this, every page always renders the version you last
+published, with no redeploy when you update it.
+
+## Frameworks
+
+The wizard detects your stack automatically and scaffolds the right package:
+
+| Stack | Package it installs | Where the page goes |
+| --- | --- | --- |
+| Next.js (App Router) | `@scadable/next` | `app/privacy/page.tsx` |
+| Next.js (Pages Router) | `@scadable/next` | `pages/privacy.tsx` |
+| Astro | `@scadable/astro` | `src/pages/privacy.astro` |
+| Vue (Vite) | `@scadable/vue` | `src/views/PrivacyPolicyView.vue` |
+| Nuxt | `@scadable/vue` | `pages/privacy.vue` |
+| Svelte (Vite) | `@scadable/svelte` | `src/lib/PrivacyPolicyPage.svelte` |
+| SvelteKit | `@scadable/svelte` | `src/routes/privacy/+page.svelte` |
+| React: Vite / CRA | `@scadable/react` | `src/PrivacyPolicyPage.tsx` |
+| React: Remix | `@scadable/react` | `app/routes/privacy.tsx` |
+| React: Gatsby | `@scadable/react` | `src/pages/privacy.tsx` |
+| Plain HTML / unknown | none (CDN embed) | `privacy.html` + a paste-anywhere snippet |
+
+For file-based routers (Next, Astro, Nuxt, SvelteKit, Remix, Gatsby) the page is
+live at `/privacy` (and `/terms`) right away. For the others the wizard tells you
+the one line to add to your router.
+
+## Document types
+
+Pick what you want to add with `--doc-type`, or let the wizard ask:
+
+```bash
+npx @scadable/wizard@latest --token <TEMP_TOKEN> --doc-type both
+```
+
+- `privacy` creates your privacy policy page (`/privacy`).
+- `terms` creates your terms of use page (`/terms`).
+- `both` creates both.
+
+New document types are a prop value, never a new package: the components are
+generic (`<PrivacyPolicy token=... />`, `<TermsOfUse token=... />`, or
+`<ScadablePolicy token=... docType=... />`).
 
 ## What it sends
 
-Your code stays private. The wizard reads only `./package.json` (dependency names) and a
-shallow yes/no listing of a few known folders (`app`, `src/app`, `pages`, ...). It never
-reads or transmits your source, and never touches `.env*` files. The one exception is
-opt-in `--patch <file>` mode, which reads exactly that one file, and refuses to upload it
+Your code stays private. The wizard reads only `./package.json` (dependency names)
+and a shallow yes/no listing of a few known folders and config files (`app`,
+`src/app`, `pages`, `astro.config.*`, ...). It never reads or transmits your
+source, and never touches `.env*` files. The one exception is opt-in
+`--patch <file>` mode, which reads exactly that one file, and refuses to upload it
 if it looks like it contains secrets.
 
 ## Options
@@ -26,10 +67,11 @@ if it looks like it contains secrets.
 | Flag | Default | What it does |
 | --- | --- | --- |
 | `--token <token>` | required | Install token from the SCADABLE app. |
+| `--doc-type <type>` | ask | `privacy`, `terms`, or `both` (privacy if non-interactive). |
 | `--api <url>` | `https://api.scadable.com` | API base. |
 | `--dry-run` | off | Show the plan, write nothing. |
 | `--yes`, `-y` | off | Skip confirmation prompts (non-interactive). |
-| `--patch <file>` | off | Patch an existing file instead of creating a new page. |
+| `--patch <file>` | off | Add the privacy policy to an existing page instead of creating one. |
 | `--help`, `-h` | | Show usage. |
 
 The package manager is detected from your lockfile (`pnpm-lock.yaml` -> pnpm,
@@ -39,3 +81,5 @@ The package manager is detected from your lockfile (`pnpm-lock.yaml` -> pnpm,
 
 - This package only talks to the public SCADABLE API. It stores no secrets.
 - It is meant to be run once, via `npx`, to connect a repo.
+- Using a strict Content-Security-Policy? Add `api.scadable.com` to `connect-src`
+  so the page can refresh live (it falls back to the baked copy if not).

package/dist/cli.js

@@ -3,7 +3,17 @@
 // src/cli.ts
 import { existsSync as existsSync3, readFileSync as readFileSync2 } from "fs";
 import { resolve } from "path";
-import { cancel, confirm, intro, isCancel, log, note, outro, spinner } from "@clack/prompts";
+import {
+  cancel,
+  confirm,
+  intro,
+  isCancel,
+  log,
+  note,
+  outro,
+  select,
+  spinner
+} from "@clack/prompts";
 import pc from "picocolors";
 
 // src/api.ts
@@ -82,7 +92,7 @@ var INSTALL_VERB = {
 function resolvePackages(install) {
   const noise = /^(?:npm|yarn|pnpm|install|add|i|--save|-S|-D|--save-dev|--dev)$/;
   const specs = install.flatMap((line) => line.split(/\s+/)).map((token) => token.trim()).filter((token) => token && !noise.test(token));
-  return [.../* @__PURE__ */ new Set(["@scadable/privacy", ...specs])];
+  return [...new Set(specs)];
 }
 function formatInstall(pm, packages) {
   return `${pm} ${INSTALL_VERB[pm]} ${packages.join(" ")}`;
@@ -104,12 +114,35 @@ function writeEdit(cwd, edit) {
 // src/detect.ts
 import { existsSync as existsSync2, readFileSync } from "fs";
 import { join as join2 } from "path";
-var KNOWN_PATHS = ["app", "src/app", "pages", "src/pages", "src", "app/layout.tsx"];
+var KNOWN_DIRS = ["app", "src/app", "pages", "src/pages", "src/routes", "src", "public"];
+var KNOWN_CONFIGS = [
+  "next.config",
+  "astro.config",
+  "nuxt.config",
+  "svelte.config",
+  "vite.config",
+  "remix.config",
+  "gatsby-config"
+];
+var KNOWN_FILES = ["app/layout.tsx", "index.html"];
+function hasConfig(cwd, base) {
+  return ["js", "mjs", "cjs", "ts"].some((ext) => existsSync2(join2(cwd, `${base}.${ext}`)));
+}
 function detectRepo(cwd) {
+  const has = (rel) => existsSync2(join2(cwd, rel));
   const pkgPath = join2(cwd, "package.json");
-  if (!existsSync2(pkgPath)) {
+  const hasPkg = existsSync2(pkgPath);
+  if (!hasPkg) {
+    if (has("index.html") || has("public/index.html")) {
+      return {
+        framework: "html",
+        deps: [],
+        paths: probePaths(cwd, has),
+        warning: "No package.json found; setting up the universal embed for a static site."
+      };
+    }
     throw new Error(
-      "No package.json found here. Run this inside your web app, next to its package.json."
+      "No package.json or index.html found here. Run this inside your web app, next to its package.json."
     );
   }
   let pkg;
@@ -119,24 +152,49 @@ function detectRepo(cwd) {
     throw new Error("Could not parse package.json. Is it valid JSON?");
   }
   const deps = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
-  const has = (rel) => existsSync2(join2(cwd, rel));
-  const paths = KNOWN_PATHS.filter(has);
-  const hasNext = deps.includes("next");
-  const hasReact = deps.includes("react");
+  const dep = (name) => deps.includes(name);
+  const depPrefix = (prefix) => deps.some((d) => d.startsWith(prefix));
+  const paths = probePaths(cwd, has);
   let framework;
   let warning;
-  if (hasNext) {
+  if (dep("next")) {
     if (has("app") || has("src/app")) framework = "next-app";
     else if (has("pages") || has("src/pages")) framework = "next-pages";
     else framework = "next-app";
-  } else if (hasReact) {
-    framework = "react";
-  } else {
-    framework = "react";
-    warning = 'No "next" or "react" dependency found; assuming a generic React app.';
+  } else if (dep("astro")) {
+    framework = "astro";
+  } else if (dep("nuxt") || dep("nuxt3")) {
+    framework = "nuxt";
+  } else if (dep("vue")) {
+    framework = "vue";
+  } else if (dep("@sveltejs/kit")) {
+    framework = "sveltekit";
+  } else if (dep("svelte")) {
+    framework = "svelte";
+  } else if (depPrefix("@remix-run/")) {
+    framework = "remix";
+  } else if (dep("gatsby")) {
+    framework = "gatsby";
+  } else if (dep("react-scripts") || dep("vite") && dep("react") || dep("react")) {
+    framework = "vite-react";
+  }
+  if (!framework) {
+    if (has("index.html") || has("public/index.html")) {
+      framework = "html";
+      warning = "No known framework dependency found; using the universal embed for a static site.";
+    } else {
+      framework = "vite-react";
+      warning = "No known framework dependency found; assuming a generic React app.";
+    }
   }
   return { framework, deps, paths, warning };
 }
+function probePaths(cwd, has) {
+  const dirs = KNOWN_DIRS.filter(has);
+  const configs = KNOWN_CONFIGS.filter((base) => hasConfig(cwd, base)).map((base) => `${base}.*`);
+  const files = KNOWN_FILES.filter(has);
+  return [...dirs, ...configs, ...files];
+}
 var SECRET_PATTERNS = [
   /-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----/,
   /\bapi[_-]?key\s*[:=]/i,
@@ -150,6 +208,203 @@ function looksLikeSecret(contents) {
   return SECRET_PATTERNS.some((re) => re.test(contents));
 }
 
+// src/scaffold.ts
+var DOC = {
+  privacy_policy: { title: "Privacy Policy", slug: "privacy", component: "PrivacyPolicy" },
+  terms_of_use: { title: "Terms of Use", slug: "terms", component: "TermsOfUse" }
+};
+var PACKAGE = {
+  "next-app": "@scadable/next",
+  "next-pages": "@scadable/next",
+  astro: "@scadable/astro",
+  vue: "@scadable/vue",
+  nuxt: "@scadable/vue",
+  svelte: "@scadable/svelte",
+  sveltekit: "@scadable/svelte",
+  "vite-react": "@scadable/react",
+  remix: "@scadable/react",
+  gatsby: "@scadable/react",
+  html: null
+};
+function packageFor(framework) {
+  return PACKAGE[framework];
+}
+var JSX_STYLE = "{{ maxWidth: 820, margin: '0 auto', padding: '40px 20px' }}";
+var CSS_STYLE = "max-width: 820px; margin: 0 auto; padding: 40px 20px;";
+var EMBED_SRC = "https://cdn.jsdelivr.net/npm/@scadable/embed/dist/embed.js";
+function scaffoldOne(framework, docType, publicId) {
+  const doc = DOC[docType];
+  const route = (hint) => ({ docType, hint });
+  switch (framework) {
+    // ── Next.js App Router: a Server Component page (SEO-baked + live). ──────
+    case "next-app": {
+      const contents = `import { ${doc.component} } from '@scadable/next';
+
+export const metadata = { title: '${doc.title}' };
+
+export default function ${doc.component}Page() {
+  return (
+    <main style=${JSX_STYLE}>
+      <${doc.component} token="${publicId}" />
+    </main>
+  );
+}
+`;
+      return { files: [{ path: `app/${doc.slug}/page.tsx`, contents }], route: route(`/${doc.slug}`) };
+    }
+    // ── Next.js Pages Router: fetch on the server, render the fragment. ──────
+    case "next-pages": {
+      const contents = `import { fetchPolicy, type Policy } from '@scadable/next';
+
+export async function getServerSideProps() {
+  const policy = await fetchPolicy('${publicId}', { docType: '${docType}' });
+  return { props: { policy } };
+}
+
+export default function ${doc.component}Page({ policy }: { policy: Policy }) {
+  return (
+    <main style=${JSX_STYLE}>
+      <div className="scadable-policy" dangerouslySetInnerHTML={{ __html: policy.html }} />
+    </main>
+  );
+}
+`;
+      return { files: [{ path: `pages/${doc.slug}.tsx`, contents }], route: route(`/${doc.slug}`) };
+    }
+    // ── Astro: file-based page importing the .astro component. ───────────────
+    case "astro": {
+      const contents = `---
+import ${doc.component} from '@scadable/astro/${doc.component}.astro';
+---
+<main style="${CSS_STYLE}">
+  <${doc.component} token="${publicId}" />
+</main>
+`;
+      return { files: [{ path: `src/pages/${doc.slug}.astro`, contents }], route: route(`/${doc.slug}`) };
+    }
+    // ── Nuxt: file-based page under pages/. ──────────────────────────────────
+    case "nuxt": {
+      const contents = vueSfc(doc.component, publicId);
+      return { files: [{ path: `pages/${doc.slug}.vue`, contents }], route: route(`/${doc.slug}`) };
+    }
+    // ── Vue (Vite SPA): a view the user adds to their router. ────────────────
+    case "vue": {
+      const contents = vueSfc(doc.component, publicId);
+      return {
+        files: [{ path: `src/views/${doc.component}View.vue`, contents }],
+        route: route(`add <${doc.component}View /> to your router (e.g. a /${doc.slug} route)`)
+      };
+    }
+    // ── SvelteKit: file-based route. ─────────────────────────────────────────
+    case "sveltekit": {
+      const contents = svelteComponent(doc.component, publicId);
+      return {
+        files: [{ path: `src/routes/${doc.slug}/+page.svelte`, contents }],
+        route: route(`/${doc.slug}`)
+      };
+    }
+    // ── Svelte (Vite SPA): a component the user adds to their router. ────────
+    case "svelte": {
+      const contents = svelteComponent(doc.component, publicId);
+      return {
+        files: [{ path: `src/lib/${doc.component}Page.svelte`, contents }],
+        route: route(`add <${doc.component}Page /> to your router (e.g. a /${doc.slug} route)`)
+      };
+    }
+    // ── Remix: file-based route under app/routes/. ───────────────────────────
+    case "remix": {
+      const contents = reactPage(doc.component, publicId, `${doc.component}Route`);
+      return { files: [{ path: `app/routes/${doc.slug}.tsx`, contents }], route: route(`/${doc.slug}`) };
+    }
+    // ── Gatsby: file-based page under src/pages/. ────────────────────────────
+    case "gatsby": {
+      const contents = reactPage(doc.component, publicId, `${doc.component}Page`);
+      return { files: [{ path: `src/pages/${doc.slug}.tsx`, contents }], route: route(`/${doc.slug}`) };
+    }
+    // ── Generic React (Vite, CRA): a page the user adds to their router. ─────
+    case "vite-react": {
+      const contents = reactPage(doc.component, publicId, `${doc.component}Page`);
+      return {
+        files: [{ path: `src/${doc.component}Page.tsx`, contents }],
+        route: route(`add <${doc.component}Page /> to your router (e.g. a /${doc.slug} route)`)
+      };
+    }
+    // ── Plain HTML / unknown: a standalone page + a paste-anywhere snippet. ──
+    case "html": {
+      const snippet = embedSnippet(docType, publicId);
+      const contents = `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${doc.title}</title>
+  </head>
+  <body>
+    <main style="${CSS_STYLE}">
+      ${snippet.replace(/\n/g, "\n      ")}
+    </main>
+  </body>
+</html>
+`;
+      return {
+        files: [{ path: `${doc.slug}.html`, contents }],
+        route: route(`${doc.slug}.html (open it, or link to it from your nav)`),
+        snippet
+      };
+    }
+  }
+}
+function vueSfc(component, publicId) {
+  return `<script setup lang="ts">
+import { ${component} } from '@scadable/vue';
+</script>
+
+<template>
+  <main style="${CSS_STYLE}">
+    <${component} token="${publicId}" />
+  </main>
+</template>
+`;
+}
+function svelteComponent(component, publicId) {
+  return `<script lang="ts">
+  import { ${component} } from '@scadable/svelte';
+</script>
+
+<main style="${CSS_STYLE}">
+  <${component} token="${publicId}" />
+</main>
+`;
+}
+function reactPage(component, publicId, fnName) {
+  return `import { ${component} } from '@scadable/react';
+
+export default function ${fnName}() {
+  return (
+    <main style=${JSX_STYLE}>
+      <${component} token="${publicId}" />
+    </main>
+  );
+}
+`;
+}
+function embedSnippet(docType, publicId) {
+  return `<div class="scadable-policy" data-token="${publicId}" data-doc-type="${docType}"></div>
+<script src="${EMBED_SRC}" defer></script>`;
+}
+function buildScaffold(framework, docTypes, publicId) {
+  const files = [];
+  const routes = [];
+  const snippets = [];
+  for (const docType of docTypes) {
+    const one = scaffoldOne(framework, docType, publicId);
+    files.push(...one.files);
+    routes.push(one.route);
+    if (one.snippet) snippets.push(one.snippet);
+  }
+  return { install: packageFor(framework), files, routes, snippets };
+}
+
 // src/cli.ts
 function parseArgs(argv) {
   const args = { api: DEFAULT_API, dryRun: false, yes: false, help: false };
@@ -157,20 +412,23 @@ function parseArgs(argv) {
     const a = argv[i];
     if (a === "--token") args.token = argv[++i];
     else if (a === "--api") args.api = argv[++i];
+    else if (a === "--doc-type") args.docType = argv[++i];
     else if (a === "--patch") args.patch = argv[++i];
     else if (a === "--dry-run") args.dryRun = true;
     else if (a === "--yes" || a === "-y") args.yes = true;
     else if (a === "--help" || a === "-h") args.help = true;
     else if (a.startsWith("--token=")) args.token = a.slice("--token=".length);
     else if (a.startsWith("--api=")) args.api = a.slice("--api=".length);
+    else if (a.startsWith("--doc-type=")) args.docType = a.slice("--doc-type=".length);
     else if (a.startsWith("--patch=")) args.patch = a.slice("--patch=".length);
     else console.error(pc.yellow(`Ignoring unknown option: ${a}`));
   }
   return args;
 }
 var HELP = `
-${pc.bgCyan(pc.black(" SCADABLE "))} ${pc.bold("privacy wizard")}
-Add a live privacy page to your app in about 20 seconds. Commit, deploy, done.
+${pc.bgCyan(pc.black(" SCADABLE "))} ${pc.bold("setup wizard")}
+Add your always-current legal documents (privacy policy, terms of use) to any app
+in about 20 seconds. One command, one token, done. Commit, deploy, live.
 
 ${pc.bold("Usage")}
   npx @scadable/wizard@latest --token <TEMP_TOKEN> [options]
@@ -178,12 +436,17 @@ ${pc.bold("Usage")}
 ${pc.dim("Get your token from Settings in the SCADABLE app, then paste the whole command here.")}
 
 ${pc.bold("Options")}
-  --token <token>   Install token from the SCADABLE app (required).
-  --api <url>       API base. Default ${DEFAULT_API}.
-  --dry-run         Preview the plan without writing anything.
-  --yes, -y         Skip the prompts (non-interactive).
-  --patch <file>    Add the policy to an existing page instead of creating one.
-  --help, -h        Show this help.
+  --token <token>       Install token from the SCADABLE app (required).
+  --doc-type <type>     privacy | terms | both. Default: ask (privacy if non-interactive).
+  --api <url>           API base. Default ${DEFAULT_API}.
+  --dry-run             Preview the plan without writing anything.
+  --yes, -y             Skip the prompts (non-interactive).
+  --patch <file>        Add the privacy policy to an existing page instead of creating one.
+  --help, -h            Show this help.
+
+${pc.bold("Frameworks")}
+  ${pc.dim("Next.js, Astro, Vue/Nuxt, Svelte/SvelteKit, React (Vite, CRA, Remix, Gatsby),")}
+  ${pc.dim("and plain HTML (universal CDN embed). The wizard detects yours automatically.")}
 
 ${pc.dim("Your code stays private: only package.json and folder names are read.")}
 `;
@@ -214,7 +477,65 @@ function previewContents(contents, maxLines = 12) {
   }
   return shown.join("\n");
 }
-function showPlan(installCmd, edits, deterministic) {
+function docLabel(docType) {
+  return docType === "privacy_policy" ? "Privacy Policy" : "Terms of Use";
+}
+function liveUrl(api, publicId, docType) {
+  return docType === "privacy_policy" ? `${api}/policy/${publicId}` : `${api}/policy/${publicId}?doc_type=${docType}`;
+}
+function docTypesFromFlag(value) {
+  if (!value) return void 0;
+  switch (value.trim().toLowerCase()) {
+    case "privacy":
+    case "privacy_policy":
+      return ["privacy_policy"];
+    case "terms":
+    case "terms_of_use":
+      return ["terms_of_use"];
+    case "both":
+    case "all":
+      return ["privacy_policy", "terms_of_use"];
+    default:
+      return void 0;
+  }
+}
+async function chooseDocTypes(args) {
+  const fromFlag = docTypesFromFlag(args.docType);
+  if (fromFlag) return fromFlag;
+  if (args.docType) {
+    log.warn(`Unknown --doc-type "${args.docType}". Expected privacy, terms, or both.`);
+  }
+  if (args.yes || args.dryRun) return ["privacy_policy"];
+  const choice = await select({
+    message: "Which documents do you want to add?",
+    options: [
+      { value: "privacy", label: "Privacy Policy", hint: "/privacy" },
+      { value: "terms", label: "Terms of Use", hint: "/terms" },
+      { value: "both", label: "Both", hint: "/privacy and /terms" }
+    ],
+    initialValue: "privacy"
+  });
+  if (isCancel(choice)) {
+    cancel("No problem. Nothing was changed. Run this again whenever you are ready.");
+    process.exit(0);
+  }
+  return docTypesFromFlag(String(choice)) ?? ["privacy_policy"];
+}
+function showScaffoldPlan(plan, installCmd) {
+  const blocks = [];
+  blocks.push(
+    installCmd ? `${pc.bold("Install")}
+  ${pc.cyan(installCmd)}` : `${pc.bold("Install")}
+  ${pc.dim("Nothing to install. The embed loads from the CDN.")}`
+  );
+  for (const file of plan.files) {
+    blocks.push(`${pc.bold(`Create ${file.path}`)}
+${previewContents(file.contents)}`);
+  }
+  blocks.push(pc.dim("Built from a vetted template. Same result every time."));
+  note(blocks.join("\n\n"), "Here's the plan");
+}
+function showPlanEdits(installCmd, edits, deterministic) {
   const blocks = [`${pc.bold("Install")}
   ${pc.cyan(installCmd)}`];
   for (const edit of edits) {
@@ -225,6 +546,26 @@ ${previewContents(edit.contents)}`);
   const source = deterministic ? pc.dim("Built from a vetted template. Same result every time.") : pc.dim("Tailored to your project.");
   note(blocks.join("\n\n") + "\n\n" + source, "Here's the plan");
 }
+async function pickWritableEdits(cwd, edits, yes) {
+  const toWrite = [];
+  for (const edit of edits) {
+    const abs = resolve(cwd, edit.path);
+    if (edit.action === "create" && existsSync3(abs) && !yes) {
+      const overwrite = await confirm({
+        message: `${edit.path} already exists. Replace it?`,
+        active: "Replace it",
+        inactive: "Keep mine",
+        initialValue: false
+      });
+      if (isCancel(overwrite) || !overwrite) {
+        log.warn(`Kept your existing ${edit.path}`);
+        continue;
+      }
+    }
+    toWrite.push(edit);
+  }
+  return toWrite;
+}
 async function main() {
   const args = parseArgs(process.argv.slice(2));
   if (args.help) {
@@ -232,8 +573,8 @@ async function main() {
     return;
   }
   printBanner();
-  intro(`${pc.bgCyan(pc.black(" SCADABLE "))} ${pc.bold("privacy wizard")}`);
-  log.message(pc.dim("Setting up your privacy page. About 20 seconds."));
+  intro(`${pc.bgCyan(pc.black(" SCADABLE "))} ${pc.bold("setup wizard")}`);
+  log.message(pc.dim("Wiring your legal pages in, live from SCADABLE. About 20 seconds."));
   if (!args.token) {
     fail(
       "No install token yet. Open Settings in SCADABLE, then copy and paste the whole install command."
@@ -271,32 +612,107 @@ async function main() {
   spin.stop(`Found ${pc.bold(ctx.framework)}`);
   log.message(pc.dim("Only package.json and folder names were read. Your code stays on your machine."));
   if (ctx.warning) log.warn(ctx.warning);
-  let mode = "create";
-  let target;
   if (args.patch) {
-    const abs = resolve(cwd, args.patch);
-    if (!existsSync3(abs)) {
-      fail(`Could not find the file to patch: ${args.patch}`);
-    }
-    const contents = readFileSync2(abs, "utf8");
-    if (looksLikeSecret(contents)) {
-      fail(
-        `Not uploading ${args.patch}: it looks like it holds secrets. Drop --patch and the wizard will create a fresh privacy page instead.`
+    await runPatch(args, api, token, ctx.framework, ctx.deps, ctx.paths, cwd, spin);
+    return;
+  }
+  const docTypes = await chooseDocTypes(args);
+  const plan = buildScaffold(ctx.framework, docTypes, session.public_id);
+  const pm = detectPackageManager(cwd);
+  const packages = plan.install ? [plan.install] : [];
+  const installCmd = packages.length ? formatInstall(pm, packages) : null;
+  showScaffoldPlan(plan, installCmd);
+  if (args.dryRun) {
+    for (const r of plan.routes) {
+      log.message(
+        `${pc.dim(`${docLabel(r.docType)} would live at`)} ${pc.cyan(liveUrl(api, session.public_id, r.docType))}`
       );
     }
-    mode = "patch";
-    target = { path: args.patch, contents };
+    outro(pc.dim("Dry run. Nothing was written. Run again without --dry-run to set it up."));
+    return;
+  }
+  if (!args.yes) {
+    const ok = await confirm({
+      message: "Set up your pages?",
+      active: "Yes, do it",
+      inactive: "Not now",
+      initialValue: true
+    });
+    if (isCancel(ok) || !ok) {
+      cancel("No problem. Nothing was changed. Run this again whenever you are ready.");
+      process.exit(0);
+    }
+  }
+  if (packages.length) {
+    spin.start(`Installing ${plan.install}`);
+    try {
+      runInstall(cwd, pm, packages);
+      spin.stop(`Installed ${plan.install} ${pc.dim(`(${pm})`)}`);
+    } catch (err) {
+      spin.stop("Install failed", 2);
+      fail(`Could not run "${installCmd}": ${reason(err)}`);
+    }
+  }
+  const edits = plan.files.map((f) => ({ path: f.path, action: "create", contents: f.contents }));
+  const toWrite = await pickWritableEdits(cwd, edits, args.yes);
+  spin.start("Writing your pages");
+  for (const edit of toWrite) writeEdit(cwd, edit);
+  spin.stop(toWrite.length ? "Pages written" : "Nothing new to write");
+  spin.start("Finishing up");
+  try {
+    await postComplete(api, token);
+    spin.stop("Connected to SCADABLE");
+  } catch (err) {
+    spin.stop("Files are in place, but could not reach SCADABLE to finish", 1);
+    log.warn(`Your files are written. Marking the connection failed: ${reason(err)}`);
+  }
+  const where = [`${pc.bold("Where they live")}`];
+  for (const r of plan.routes) {
+    where.push(`  ${pc.dim(docLabel(r.docType).padEnd(15))} ${pc.cyan(r.hint)}`);
+    where.push(`  ${pc.dim("Live".padEnd(15))} ${pc.cyan(liveUrl(api, session.public_id, r.docType))}`);
   }
+  const payoff = [
+    `${pc.bold("Next:")} commit and deploy. That's it.`,
+    `  ${pc.cyan('git add -A && git commit -m "Add legal pages"')}`,
+    `  ${pc.dim("then push, or run your usual deploy")}`,
+    ``,
+    ...where,
+    ``,
+    pc.dim("They stay current. Update a document in SCADABLE and every page"),
+    pc.dim("updates automatically. No redeploy.")
+  ];
+  if (plan.snippets.length) {
+    payoff.push(
+      ``,
+      pc.dim("Prefer to drop it into an existing page? Paste this where you want it:"),
+      ...plan.snippets.flatMap((s) => s.split("\n").map((l) => `  ${pc.cyan(l)}`))
+    );
+  }
+  payoff.push(
+    ``,
+    pc.dim("Using a Content-Security-Policy? Add api.scadable.com to connect-src"),
+    pc.dim("so the page can refresh live (it falls back to the saved copy if not).")
+  );
+  note(payoff.join("\n"), pc.green("Your pages are ready"));
+  outro(`${pc.green("Done.")} ${pc.dim("Commit and deploy, and you are live.")}`);
+}
+async function runPatch(args, api, token, framework, deps, paths, cwd, spin) {
+  const patchPath = args.patch;
+  const abs = resolve(cwd, patchPath);
+  if (!existsSync3(abs)) {
+    fail(`Could not find the file to patch: ${patchPath}`);
+  }
+  const contents = readFileSync2(abs, "utf8");
+  if (looksLikeSecret(contents)) {
+    fail(
+      `Not uploading ${patchPath}: it looks like it holds secrets. Drop --patch and the wizard will create a fresh page instead.`
+    );
+  }
+  const target = { path: patchPath, contents };
   spin.start("Building your plan");
   let plan;
   try {
-    plan = await postPlan(api, token, {
-      framework: ctx.framework,
-      mode,
-      deps: ctx.deps,
-      paths: ctx.paths,
-      target
-    });
+    plan = await postPlan(api, token, { framework, mode: "patch", deps, paths, target });
   } catch (err) {
     spin.stop("Could not build a plan", 2);
     if (err instanceof WizardApiError && err.status === 503) {
@@ -311,16 +727,16 @@ async function main() {
   const pm = detectPackageManager(cwd);
   const packages = resolvePackages(plan.install);
   const installCmd = formatInstall(pm, packages);
-  const liveUrl = `${api}/policy/${plan.public_id}`;
-  showPlan(installCmd, plan.edits, plan.deterministic);
+  const liveLink = `${api}/policy/${plan.public_id}`;
+  showPlanEdits(installCmd, plan.edits, plan.deterministic);
   if (args.dryRun) {
-    log.message(`${pc.dim("Your page would live at")} ${pc.cyan(liveUrl)}`);
+    log.message(`${pc.dim("Your page would live at")} ${pc.cyan(liveLink)}`);
     outro(pc.dim("Dry run. Nothing was written. Run again without --dry-run to set it up."));
     return;
   }
   if (!args.yes) {
     const ok = await confirm({
-      message: "Set up your privacy page?",
+      message: "Add the privacy policy to this page?",
       active: "Yes, do it",
       inactive: "Not now",
       initialValue: true
@@ -330,36 +746,20 @@ async function main() {
       process.exit(0);
     }
   }
-  spin.start("Installing @scadable/privacy");
-  try {
-    runInstall(cwd, pm, packages);
-    spin.stop(`Installed @scadable/privacy ${pc.dim(`(${pm})`)}`);
-  } catch (err) {
-    spin.stop("Install failed", 2);
-    fail(`Could not run "${installCmd}": ${reason(err)}`);
-  }
-  const toWrite = [];
-  for (const edit of plan.edits) {
-    const abs = resolve(cwd, edit.path);
-    if (edit.action === "create" && existsSync3(abs) && !args.yes) {
-      const overwrite = await confirm({
-        message: `${edit.path} already exists. Replace it?`,
-        active: "Replace it",
-        inactive: "Keep mine",
-        initialValue: false
-      });
-      if (isCancel(overwrite) || !overwrite) {
-        log.warn(`Kept your existing ${edit.path}`);
-        continue;
-      }
+  if (packages.length) {
+    spin.start(`Installing ${packages.join(" ")}`);
+    try {
+      runInstall(cwd, pm, packages);
+      spin.stop(`Installed ${packages.join(" ")} ${pc.dim(`(${pm})`)}`);
+    } catch (err) {
+      spin.stop("Install failed", 2);
+      fail(`Could not run "${installCmd}": ${reason(err)}`);
     }
-    toWrite.push(edit);
-  }
-  spin.start("Writing your privacy page");
-  for (const edit of toWrite) {
-    writeEdit(cwd, edit);
   }
-  spin.stop(toWrite.length ? "Privacy page written" : "Nothing new to write");
+  const toWrite = await pickWritableEdits(cwd, plan.edits, args.yes);
+  spin.start("Writing your page");
+  for (const edit of toWrite) writeEdit(cwd, edit);
+  spin.stop(toWrite.length ? "Page written" : "Nothing new to write");
   spin.start("Finishing up");
   try {
     await postComplete(api, token);
@@ -375,10 +775,13 @@ async function main() {
     ``,
     `${pc.bold("Where it lives")}`,
     `  ${pc.dim("Page  ")} ${pc.cyan(plan.route_hint)}`,
-    `  ${pc.dim("Live  ")} ${pc.cyan(liveUrl)}`,
+    `  ${pc.dim("Live  ")} ${pc.cyan(liveLink)}`,
     ``,
     pc.dim("It stays current. Update your policy in SCADABLE and every page"),
-    pc.dim("updates automatically. No redeploy.")
+    pc.dim("updates automatically. No redeploy."),
+    ``,
+    pc.dim("Using a Content-Security-Policy? Add api.scadable.com to connect-src"),
+    pc.dim("so the page can refresh live (it falls back to the saved copy if not).")
   ].join("\n");
   note(payoff, pc.green("Your privacy page is ready"));
   outro(`${pc.green("Done.")} ${pc.dim("Commit and deploy, and you are live.")}`);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@scadable/wizard",
-  "version": "0.1.1",
-  "description": "The SCADABLE setup wizard. Wires SCADABLE into your codebase (privacy policy now, more to come).",
+  "version": "0.2.0",
+  "description": "The SCADABLE setup wizard. Detects your framework and wires your always-current legal documents (privacy policy, terms of use) into any app, live from SCADABLE.",
   "license": "MIT",
   "type": "module",
   "bin": {