diff --git a/doc/design/assistant/configurators.mdwn b/doc/design/assistant/configurators.mdwn
index e0e938efdd..b6aaa1cb65 100644
--- a/doc/design/assistant/configurators.mdwn
+++ b/doc/design/assistant/configurators.mdwn
@@ -9,7 +9,7 @@ through setting up common use cases.
 
 * Create a repository (run when the web app is started without a configured
   repository too).
-* Clone this repo to a USB drive.
+* Clone this repo to a USB drive or other removable drive. **done**
 * Clone this repo to another host. (Needs [[pairing]])
 * Set up Amazon S3.
 * Set up rsync remote.
diff --git a/doc/design/assistant/leftovers.mdwn b/doc/design/assistant/leftovers.mdwn
index c322a27812..f6cb15c950 100644
--- a/doc/design/assistant/leftovers.mdwn
+++ b/doc/design/assistant/leftovers.mdwn
@@ -1,6 +1,6 @@
 Things that don't fit anywhere else:
 
-* Automatically start daemon on boot or when user logs in.
+* Automatically start daemon on boot or when user logs in. **done**
 * Somehow get content that is unavailable. This is problematic with inotify,
   since we only get an event once the user has tried (and failed) to read
   from the file. This is only needed if all the files in the directory 
diff --git a/doc/design/assistant/webapp.mdwn b/doc/design/assistant/webapp.mdwn
index ddcc661536..82d180af20 100644
--- a/doc/design/assistant/webapp.mdwn
+++ b/doc/design/assistant/webapp.mdwn
@@ -1,27 +1,14 @@
 The webapp is a web server that displays a shiny interface.
 
-## security
-
-* Listen only to localhost. **done**
-* Instruct the user's web browser to open an url that contains a secret
-  token. This guards against other users on the same system. **done**
-  (I would like to avoid passwords or other authentication methods,
-  it's your local system.)
-* Don't pass the url with secret token directly to the web browser,
-  as that exposes it to `ps`. Instead, write a html file only the user can read,
-  that redirects to the webapp. **done**
-* Alternative for Linux at least would be to write a small program using
-  GTK+ Webkit, that runs the webapp, and can know what user ran it, avoiding
-  needing authentication.
-
 ## interface
 
 * list of files uploading and downloading **done**
 * button to open file browser on repo (`xdg-open $DIR`) **done**
 * progress bars for each file (see [[progressbars]])
 * drag and drop to reorder
-* cancel and pause
-* keep it usable w/o javascript, and accessible to blind, etc
+* cancel, pause, and resume **done**
+* keep it usable w/o javascript **done**
+* keep it accessible to blind, etc
 
 ## other features
 
@@ -42,3 +29,17 @@ The webapp is a web server that displays a shiny interface.
 * record repository that was made, and use it next time run **done**
 * write a pid file, to prevent more than one first-start process running
   at once **done**
+
+## security **acceptable/done**
+
+* Listen only to localhost. **done**
+* Instruct the user's web browser to open an url that contains a secret
+  token. This guards against other users on the same system. **done**
+  (I would like to avoid passwords or other authentication methods,
+  it's your local system.)
+* Don't pass the url with secret token directly to the web browser,
+  as that exposes it to `ps`. Instead, write a html file only the user can read,
+  that redirects to the webapp. **done**
+* Alternative for Linux at least would be to write a small program using
+  GTK+ Webkit, that runs the webapp, and can know what user ran it, avoiding
+  needing authentication.