Sharpen README positioning based on competitor analysis

Targeted edits reflecting findings from docs/competitors.md:

- New "Recent signals" subsection under Landscape: Umbrel license
  complaints, Umbrel's 4+ year HTTPS refusal (#546), CasaOS
  maintenance mode
- "Where we differentiate" bullet 4 replaced: "Arch base (rolling
  release)" -> "HTTPS + AGPL from day one" — the actual counter-
  positioning shots vs Umbrel per the analysis
- "Gap we're targeting" tightened to include HTTPS-by-default
- Key Decisions table: added rows for locked tech picks (Caddy,
  Authentik, NS delegation, local CA) with link to wizard-flow.md
- Roadmap: marked competitor analysis + wizard flow spec complete,
  reordered so bootable image is clearly the next blocker, added
  Caddy/Authentik bootstrap and managed gateway infra items

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

README.md

@@ -49,7 +49,11 @@ Homebase aims to be:
 |----------|--------|-------|
 | Base OS | Leaning Arch | Robert already has Arch running on Proxmox and is building custom images. Debian remains fallback (FAI, Proxmox ecosystem). |
 | Containers | Docker | Lower overhead than VMs, easier default configs |
-| Installation | Web-based wizard | Robert's webapp prototype (device reader + form → JSON) is working |
+| Installation | Web-based wizard | Robert's webapp prototype (device reader + form → JSON) is working. Full spec: [wizard-flow.md](docs/wizard-flow.md) |
+| Reverse proxy | Caddy | Automatic Let's Encrypt, simplest config of any reverse proxy |
+| Identity provider | Authentik | Bundled SSO from day one — every app template auto-wires to it at install |
+| Managed gateway DNS | NS delegation to `ns1.homebase.cloud` | User delegates once at registrar; we handle wildcard cert + subdomain creation |
+| Local HTTPS | Local CA | One-click CA install → green padlock on every service, no browser warnings |
 | Gateway | Flexible | Own reverse proxy OR managed through our infrastructure |
 | UI approach | UI-first | Design the simplest possible UI, then build everything to match |
 
@@ -65,16 +69,22 @@ Homebase aims to be:
 | [YunoHost](https://yunohost.org) | Debian-based OS (since 2012) | 400+ | Most mature, biggest catalog |
 | [TurnKey Linux](https://www.turnkeylinux.org) | Pre-built system images | Hundreds | One image per use case |
 
+### Recent signals (from [competitors.md](docs/competitors.md))
+
+- **Umbrel's license is the #1 r/selfhosted complaint.** PolyForm Noncommercial 1.0.0 isn't OSI-approved; Citadel forked explicitly over this.
+- **Umbrel has refused HTTPS on its local UI for 4+ years.** [Issue #546](https://github.com/getumbrel/umbrel/issues/546) open since Feb 2021. Community quote: *"all it takes is one Umbrel vuln to bring down half of the lightning network."*
+- **CasaOS is in maintenance mode.** IceWhale pivoted focus to ZimaOS (paid hardware). Users are [openly asking](https://github.com/IceWhaleTech/CasaOS/discussions/2386) if the project is still alive.
+
 ### Where we differentiate
 
-1. **Full OS + device-aware installer wizard** — Boot USB, open `http://proksi.local`, wizard detects hardware and configures everything. No existing project does this — CasaOS/HomeDock are layers on existing Linux, Umbrel/YunoHost have basic installers without device detection.
+1. **Full OS + device-aware installer wizard** — Boot USB, open `https://proksi.local`, wizard detects hardware and configures everything. No existing project does this — CasaOS/HomeDock are layers on existing Linux, Umbrel's x86 installer asks you to type a drive number, YunoHost runs stock Debian partitioning.
 2. **Auto setup intelligence** — Tests drive speeds, auto-assigns boot/LVM storage. Competitors just ask you to pick a drive.
-3. **Gateway-as-a-service** — No competitor offers managed reverse proxy/DNS as a service. Cosmos has built-in reverse proxy but self-managed only.
-4. **Arch base (rolling release)** — Everyone else is Debian. Rolling releases mean faster updates, more control.
+3. **Gateway-as-a-service** — No competitor offers managed reverse proxy + DNS + SSL as a service. Even YunoHost (best SSL story of the three) punts DNS setup to the user's registrar — that's the UX cliff where newbies quit.
+4. **HTTPS + AGPL from day one** — HTTPS on the local UI via a one-click local CA install (no browser warnings, unlike YunoHost's self-signed model). Fully AGPL-3.0 — the exact counter-position to Umbrel's non-OSI license complaints.
 
 ### Gap we're targeting
 
-None of these nail the "your dad can set this up" experience. The installer wizard + managed gateway is the strongest angle.
+None of these nail the "your dad can set this up" experience. The installer wizard + managed gateway + HTTPS-by-default is the strongest angle.
 
 ## Resources
 
@@ -91,13 +101,15 @@ None of these nail the "your dad can set this up" experience. The installer wiza
 
 - [x] Installer webapp prototype — device reader + form → JSON (Robert)
 - [x] Arch running on Proxmox, custom image builds in progress (Robert)
-- [ ] **Competitor testing** — Daniel tests CasaOS, Umbrel, YunoHost on Proxmox, documents UX findings
-- [ ] **Base OS bootable image** — Robert gets a minimal Arch image that boots, runs Docker, serves the installer webapp
+- [x] Competitor analysis — see [docs/competitors.md](docs/competitors.md)
+- [x] Wizard flow spec — see [docs/wizard-flow.md](docs/wizard-flow.md)
+- [ ] **Base OS bootable image** — Robert gets a minimal Arch image that boots, runs Docker, serves the installer webapp at `https://proksi.local` *(next blocker)*
+- [ ] Installer wizard screens S5–S8 (domain, SSL, diagnostic, confirm)
+- [ ] Caddy + Authentik wired into first-boot bootstrap
+- [ ] Managed gateway infrastructure — `ns1/ns2.homebase.cloud` + DNS-01 wildcard automation
+- [ ] First containerized service (Nextcloud?) with auto-SSO + auto-subdomain
+- [ ] Competitor hands-on testing on Proxmox — validate findings from docs/competitors.md
 - [ ] UI mockups / drafts (Robert)
-- [ ] Base OS finalized (Arch vs Debian)
-- [ ] First containerized service (Nextcloud?)
-- [ ] Gateway / reverse proxy setup
-- [ ] Settings wrapper — generate Docker configs from user choices
 
 ## Business Model