Create accurate description of what WALNUT is

README.md

@@ -1,19 +1,47 @@
 walnut
 ======
 
-Small, light, and secure iot application framework.
+An opinionated, constrained, secure application framework with a hard shell - like iOS, but for a home server.
+
+Security Features
+
+* JSON-only APIs
+* JWT (not cookie*) authentication
+* no server-rendered html
+* disallows urlencoded forms, except for secured webhooks
+* disallows cookies, except for protected static assets
+* api.* subdomain for apis
+* assets.* subdomain for protected assets
+* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js)
+* HTTPS-only (checks for X-Forwarded-For)
+* AES, RSA, and ECDSA encryption and signing
+* Safe against CSRF, XSS, and SQL injection
+* Safe against Compression attacks
+
+\*Cookies are used only for GETs and only where using a token would be less secure -
+such as images which would otherwise require the token to be passed into the img src.
+They are also scoped such that CSRF attacks are not possible.
+
+Application Features
+
+* JSON-only expressjs APIs
+* Capability-based permissions system for (oauth3-discoverable) packages such as
+  * large file access (files@daplie.com)
+  * database access (data@daplie.com)
+  * scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@daplie.com)
+  * payments (credit card) (payments@daplie.com)
+  * email (email@daplie.com)
+  * SMS (texting) (tel@daplie.com)
+  * voice (calls and answering machine) (tel@daplie.com)
+  * lamba-style functions (functions@daplie.com)
+* Per-app, per-site, and per-user configurations
+* Multi-Tentated Application Management
+* Built-in OAuth2 & OAuth3 support
 
 ```bash
 curl https://daplie.me/install-scripts | bash
 
-daplie-install-cloud
+daplie-install-walnut
-```
-
-If the pretty url isn't working, for whatever reason, you also try the direct one
-
-```bash
-# curl https://git.daplie.com/Daplie/daplie-snippets/raw/master/install.sh | bash
-# daplie-install-cloud
 ```
 
 You could also, of course, try installing from the repository directly
@@ -25,36 +53,17 @@ git clone git@git.daplie.com:Daplie/walnut.js.git /srv/walnut/core
 pushd /srv/walnut/core
   git checkout v1
 popd
-bash /srv/walnut/core/install.sh
+bash /srv/walnut/core/install-helper.sh
 ```
 
-Features
+Initial Configuration
-------
+-------------
 
-* Works with Goldilocks for secure, Let's Encrypt maneged, https-only serving
+Once installed and started you can visit <https://localhost.daplie.me:3000>.
 
-* IOT Application server written in [Node.js](https://nodejs.org)
+```
-* Small memory footprint (for a node app)
+curl http://localhost.daplie.me:3000 -H 'X-Forwarded-Proto: https'
-* Secure
+```
-  * Uses JWT, not Cookies\*
-  * HTTPS-only (checks for X-Forwarded-For)
-  * AES, RSA, and ECDSA encryption and signing
-  * Safe against CSRF, XSS, and SQL injection
-  * Safe against Compression attacks
-* Multi-Tentated Application Management
-* Built-in OAuth2 & OAuth3 support
-
-\*Cookies are used only for GETs and only where using a token would be less secure
-such as images which would otherwise require the token to be passed into the img src.
-They are also scoped such that CSRF attacks are not possible.
-
-In Progress
------------
-
-* HTTPS Key Pinning
-* Heroku (pending completion of PostgreSQL support)
-* [GunDB](https://gundb.io) Support
-* OpenID support
 
 API
 ---
@@ -258,3 +267,11 @@ API
 ```
 req.apiUrlPrefix => https://api.example.com/api/tld.domain.pkg
 ```
+
+TODO
+----
+
+* HTTPS Key Pinning
+* Heroku (pending completion of PostgreSQL support)
+* [GunDB](https://gundb.io) Support
+* OpenID support