6 files changed, 263 insertions, 1245 deletions
diff --git a/manpages/libeufin-bank.conf.5.rst b/manpages/libeufin-bank.conf.5.rst
index e00bab92..ce00f0fa 100644
--- a/manpages/libeufin-bank.conf.5.rst
+++ b/manpages/libeufin-bank.conf.5.rst
@@ -47,6 +47,9 @@ X_TALER_BANK_PAYTO_HOSTNAME
 NAME
   Bank display name, used in webui and TAN messages. Default to ``Taler Bank`` if not specified.
 
+BASE_URL
+  The advertised base URL
+
 DEFAULT_DEBT_LIMIT
   Default debt limit for newly created accounts. Defaults to ``CURRENCY:0`` if not specified.
 
diff --git a/manpages/libeufin-cli.1.rst b/manpages/libeufin-cli.1.rst
deleted file mode 100644
index 755c8b45..00000000
--- a/manpages/libeufin-cli.1.rst
+++ /dev/null
@@ -1,1006 +0,0 @@
-libeufin-cli(1)
-###############
-
-.. only:: html
-
-   Name
-   ====
-
-   **libeufin-cli** - Interact with LibEuFin Sandbox and Nexus
-
-
-Synopsis
-========
-
-**libeufin-cli**
-[**-h** | **--help**]
-[**--version**]
-COMMAND [ARGS...]
-
-Commands: accounts, connections, facades, permissions, sandbox, users
-
-
-Description
-===========
-
-**libeufin-cli** is the user interface program to interact
-with **libeufin-sandbox** and **libeufin-nexus** when they are
-operating as HTTP servers, listening on localhost ports.
-Normally, you invoke them with their respective ``serve`` commands,
-and in a separate shell, use **libeufin-cli** to send requests
-and receive responses from them.
-
-The interaction model is as follows:
-
-- (Optionally) Start the sandbox.
-
-- Start the nexus.
-
-- Use **libeufin-cli** to interact with them.
-  You can manage users and permissions, bank accounts, "facades",
-  transactions, and connections between the various systems.
-
-For **libeufin-cli** to be able to communicate with **libeufin-sandbox**,
-the following environment variables need to be set:
-
-``LIBEUFIN_SANDBOX_USERNAME``
-  This should normally be ``admin``.
-
-``LIBEUFIN_SANDBOX_PASSWORD``
-  This is the same password chosen when the sandbox was started.
-
-``LIBEUFIN_SANDBOX_URL``
-  This is ``http://localhost:PORT``, where ``PORT`` is the
-  same port chosen when the sandbox was started.
-  This URL can also be specified with the ``--sandbox-url URL``
-  option to the ``sandbox`` command (see below).
-  If both are given, the ``--sandbox-url`` option takes precedence.
-
-For **libeufin-cli** to be able to communicate with **libeufin-nexus**,
-the following environment variables need to be set:
-
-``LIBEUFIN_NEXUS_USERNAME``
-  For some operations (such as ``users create``), this must be the
-  same username chosen by the ``libeufin-nexus superuser`` command.
-
-``LIBEUFIN_NEXUS_PASSWORD``
-  This is the password associated with the username.
-
-``LIBEUFIN_NEXUS_URL``
-  This is ``http://localhost:PORT``, where ``PORT`` is the
-  same port chosen when the nexus was started.
-
-Of the six commands, the ``sandbox`` command talks to the sandbox,
-while the other five commands talk to the nexus.
-The following sections describe each command and their subcommands in detail.
-
-
-sandbox
--------
-
-The ``libeufin-cli sandbox`` command is for managing the sandbox process
-started by ``libeufin-sandbox serve``.
-It takes one option, ``--sandbox-url URL``, to be specified before
-the subcommands and their arguments.
-This URL can also be specified with the ``LIBEUFIN_SANDBOX_URL``
-environment variable (see above).
-If both are given, the ``--sandbox-url`` option takes precedence.
-
-The following subcommands are available: bankaccount, check, demobank,
-ebicsbankaccount, ebicshost, ebicssubscriber.
-
-The first command to use is ``check``,
-followed by ``ebicshost``, ``ebicssubscriber``,
-and ``ebicsbankaccount``, to configure the basic system.
-
-You can then use the ``bankaccount`` command to generate (simulated)
-transaction traffic.
-
-After that, the ``demobank`` command and its subcommands
-provide the same access to the API that Nexus itself uses.
-You normally do not need to use those commands directly.
-
-
-sandbox check
--------------
-
-The ``check`` command attempts a simple aliveness check by
-contacting the sandbox and displaying its returned message.
-If all goes well, you should see something like:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox check
-  Hello, this is the Sandbox
-
-
-sandbox ebicshost
------------------
-
-The ``ebicshost`` command manages EBICS hosts.
-It has two subcommands: create and list.
-
-sandbox ebicshost create
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``ebicshost create`` command creates a EBICS host.
-It takes one option, ``--host-id ID``, where ``ID`` is used to
-identify that host for all future commands.
-
-sandbox ebicshost list
-^^^^^^^^^^^^^^^^^^^^^^
-
-The ``ebicshost list`` command lists the hosts in the system.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox ebicshost create --host-id testhost
-  $ libeufin-cli sandbox ebicshost list
-  {
-    "ebicsHosts" : [ "testhost" ]
-  }
-
-Here, the ``ID`` is ``testhost``.
-
-
-sandbox ebicssubscriber
------------------------
-
-The ``ebicssubscriber`` command manages EBICS subscribers.
-It has two subcommands: create and list.
-
-sandbox ebicssubscriber create
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-NB: This command is deprecated and will be removed at some point.
-See ``sandbox demobank new-ebicssubscriber`` (below) for its replacement.
-
-The ``ebicssubscriber create`` command creates a EBICS subscriber.
-It takes three options, all of which are required:
-
-::
-
-  --host-id TEXT     Ebics host ID
-  --partner-id TEXT  Ebics partner ID
-  --user-id TEXT     Ebics user ID
-
-The host ID should be the same one specified in ``ebicshost create``
-(see above).
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox ebicssubscriber create \
-      --host-id testhost \
-      --partner-id partner01 \
-      --user-id user01
-
-Note that ``testhost`` is the same as in the ``ebicshost create``
-example (see above).
-
-sandbox ebicssubscriber list
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``ebicssubscriber list`` command lists the EBICS subscribers
-in the system.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox ebicssubscriber list
-  {
-    "subscribers" : [ {
-      "hostID" : "testhost",
-      "partnerID" : "partner01",
-      "userID" : "user01",
-      "systemID" : null,
-      "demobankAccountLabel" : "not associated yet"
-    } ]
-  }
-
-Note that the output reflects the subscriber created in
-the ``ebicssubscriber create`` example (see above).
-
-
-sandbox ebicsbankaccount
-------------------------
-
-The ``ebicsbankaccount`` command manages EBICS bank accounts.
-It has one subcommand: create.
-(To list accounts, see ``sandbox bankaccount`` below.)
-
-sandbox ebicsbankaccount
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``ebicsbankaccount create`` command takes several options, all required:
-
-::
-
-  --iban TEXT              IBAN
-  --bic TEXT               BIC
-  --person-name TEXT       bank account owner name
-  --account-name TEXT      label of this bank account
-  --ebics-user-id TEXT     user ID of the Ebics subscriber
-  --ebics-host-id TEXT     host ID of the Ebics subscriber
-  --ebics-partner-id TEXT  partner ID of the Ebics subscriber
-
-At this time, although the ``--person-name`` option is required,
-the sandbox does not remember the option value.
-(When queried, it displays "Bank account owner's name" instead.
-See ``sandbox bankaccount`` below.)
-For the sandbox, the important value is the ``--account-name`` option.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox ebicsbankaccount create \
-      --iban DE18500105172929531888 \
-      --bic INGDDEFFXXX \
-      --person-name "Jane Normal" \
-      --account-name testacct01 \
-      --ebics-host-id testhost \
-      --ebics-user-id user01 \
-      --ebics-partner-id partner01
-
-Note that ``testhost`` is the same as in the ``ebicshost create``
-example, and that ``user01`` and ``partner01`` are the same as in the
-``ebicssubscriber create`` example (see above).
-
-
-sandbox bankaccount
--------------------
-
-The ``bankaccount`` command manages bank accounts.
-It has several subcommands: list, generate-transactions,
-simulate-incoming-transaction, transactions.
-
-sandbox bankaccount list
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``bankaccount list`` command lists the bank accounts in the system.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox bankaccount list
-  [ {
-    "label" : "bank",
-    "name" : "Bank account owner's name",
-    "iban" : "DE370758",
-    "bic" : "SANDBOXX"
-  }, {
-    "label" : "testacct01",
-    "name" : "Bank account owner's name",
-    "iban" : "DE18500105172929531888",
-    "bic" : "INGDDEFFXXX"
-  } ]
-
-Note that ``testacct01``, ``DE18500105172929531888``, and ``INGDDEFFXXX``
-are the same as specified in the ``ebicsbankaccount create`` example
-(see above).
-
-sandbox bankaccount generate-transactions
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The remaining ``bankaccount`` commands deal with transactions
-to and from the bank accounts.
-
-The ``bankaccount generate-transactions`` command generates
-test transactions.
-It takes one arg, the account label.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox bankaccount generate-transactions testacct01
-
-Note that ``testacct01`` is the account label shown in the ``bankaccount
-list`` example (see above).
-
-sandbox bankaccount simulate-incoming-transaction
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``bankaccount simulate-incoming-transaction`` books an
-incoming payment in the sandbox.
-It takes one arg, the account label, and several options.
-
-::
-
-  --debtor-iban TEXT  IBAN sending the payment
-  --debtor-bic TEXT   BIC sending the payment
-  --debtor-name TEXT  name of the person who is sending the payment
-  --amount TEXT       amount, no currency
-  --subject TEXT      payment subject
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox bankaccount simulate-incoming-transaction
-      testacct01 \
-      --debtor-iban DE06500105174526623718 \
-      --debtor-bic INGDDEFFXXX \
-      --debtor-name "Joe Foo" \
-      --subject "Hello World" \
-      --amount 10.50
-
-Note that ``testacct01`` is the same as in previous examples (see above),
-and that ``10.50`` is in ``X.Y`` format.
-
-sandbox bankaccount transactions
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``bankaccount transactions`` command lists transactions.
-It takes one arg, the account label.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox bankaccount transactions testacct01
-  {
-    "payments" : [ {
-      "account_label" : "testacct01",
-      "creditor_iban" : "DE18500105172929531888",
-      "creditor_bic" : "INGDDEFFXXX",
-      "creditor_name" : "Creditor Name",
-      "debtor_iban" : "DE64500105178797276788",
-      "debtor_bic" : "DEUTDEBB101",
-      "debtor_name" : "Max Mustermann",
-      "amount" : "5",
-      "currency" : "EUR",
-      "subject" : "sample transaction DILWBJHL",
-      "date" : "Wed, 26 Jan 2022 09:03:44 GMT",
-      "credit_debit_indicator" : "credit",
-      "account_servicer_reference" : "DILWBJHL",
-      "paymentInformationId" : null
-    }, {
-      "account_label" : "testacct01",
-      "creditor_iban" : "DE64500105178797276788",
-      "creditor_bic" : "DEUTDEBB101",
-      "creditor_name" : "Max Mustermann",
-      "debtor_iban" : "DE18500105172929531888",
-      "debtor_bic" : "INGDDEFFXXX",
-      "debtor_name" : "Debitor Name",
-      "amount" : "12",
-      "currency" : "EUR",
-      "subject" : "sample transaction N7JSY17B",
-      "date" : "Wed, 26 Jan 2022 09:03:44 GMT",
-      "credit_debit_indicator" : "debit",
-      "account_servicer_reference" : "N7JSY17B",
-      "paymentInformationId" : null
-    }, {
-      "account_label" : "testacct01",
-      "creditor_iban" : "DE18500105172929531888",
-      "creditor_bic" : "INGDDEFFXXX",
-      "creditor_name" : "Creditor Name",
-      "debtor_iban" : "DE06500105174526623718",
-      "debtor_bic" : "INGDDEFFXXX",
-      "debtor_name" : "Joe Foo",
-      "amount" : "10.50",
-      "currency" : "EUR",
-      "subject" : "Hello World",
-      "date" : "Wed, 26 Jan 2022 09:04:31 GMT",
-      "credit_debit_indicator" : "credit",
-      "account_servicer_reference" : "sandbox-6UI2J3636J9EESXO",
-      "paymentInformationId" : null
-    } ]
-  }
-
-Note that ``testacct01`` is the same as in previous examples (see above),
-and that the generated transactions from previous examples are listed,
-as well.
-
-
-sandbox demobank
-----------------
-
-The ``demobank`` command provides an interface to the Access API,
-which includes three commands: register, info, new-transaction.
-There is also a fourth ``demobank`` command, new-ebicssubscriber,
-that does not use the Access API.
-
-For all ``demobank`` commands, the sandbox URL *must* specify which
-*one* bank the command applies to in the base URL.
-Note that this URL cannot be used with other sandbox commands.
-In other words:
-
-``--sandbox-url http://localhost:5016/demobanks/default``
-  This base URL can be used for commands:
-
-  - sandbox demobank register
-  - sandbox demobank info
-  - sandbox demobank new-ebicssubscriber
-  - sandbox demobank new-transaction
-
-  It specifies the ``default`` demobank.
-
-``--sandbox-url http://localhost:5016``
-  This base URL can be used for all other sandbox commands.
-
-In the following examples, the base URL will be explicitly shown with
-the ``--sandbox-url`` option for the ``demobank`` commands.
-
-sandbox demobank register
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``demobank register`` command registers a new bank account.
-Note that the username will be both the username to login at
-the bank and the bank account label.
-It takes the username and password from the
-``LIBEUFIN_SANDBOX_USERNAME`` and ``LIBEUFIN_SANDBOX_PASSWORD``
-environment variables.
-The username *need not be* ``admin``.
-
-For example:
-
-.. code-block:: console
-
-  $ export LIBEUFIN_SANDBOX_USERNAME=jrluser
-  $ export LIBEUFIN_SANDBOX_PASSWORD=easy
-  $ libeufin-cli sandbox \
-      --sandbox-url http://localhost:5016/demobanks/default \
-      demobank register
-
-sandbox demobank info
-^^^^^^^^^^^^^^^^^^^^^
-
-The ``demobank info`` command returns basic information on a bank account.
-It takes option ``--bank-account NAME``.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox \
-      --sandbox-url http://localhost:5016/demobanks/default \
-      demobank info --bank-account jrluser
-  {
-    "balance" : {
-      "amount" : "EUR:100",
-      "credit_debit_indicator" : "credit"
-    },
-    "paytoUri" : "payto://iban/SANDBOXX/DE948559?receiver-name=admin"
-  }
-
-Note that ``jrluser`` is the same username / bank account name
-as in the ``register`` example (see above).
-
-sandbox demobank new-ebicssubscriber
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``demobank new-ebicssubscriber`` command associates a new Ebics
-subscriber to an existing bank account.
-It takes several options, all required:
-
-::
-
-  --host-id TEXT       Ebics host ID
-  --partner-id TEXT    Ebics partner ID
-  --user-id TEXT       Ebics user ID
-  --bank-account TEXT  Label of the bank account to associate
-                       with this Ebics subscriber
-
-For example:
-
-.. code-block: console
-
-  $ libeufin-cli sandbox \
-      --sandbox-url http://localhost:5016/demobanks/default \
-      demobank new-ebicssubscriber \
-      --host-id testhost \
-      --partner-id partner01 \
-      --user-id user02 \
-      --bank-account jrluser
-
-Note that ``testhost`` is the same as in the ``ebicshost create``
-example, and that ``partner01`` is the same as in the
-``ebicssubscriber create`` example (see above).
-The ``user02`` is new.
-The ``--bank-account jrluser`` is the same as in the
-``info`` example (see above).
-You can see the effect of the ``new-ebicssubscriber`` command
-with the ``sandbox ebicssubscriber list``
-and ``sandbox bankaccount list`` commands.
-
-sandbox demobank new-transaction
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``demobank new-transaction`` command initiates a new transaction.
-It takes several options, all required:
-
-::
-
-  --bank-account TEXT        Label of the bank account to be
-                             debited for the transaction
-  --payto-with-subject TEXT  Payto address including the
-                             subject as a query parameter
-  --amount CUR:X.Y           Amount to transfer
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli sandbox \
-      --sandbox-url http://localhost:5016/demobanks/default \
-      demobank new-transaction \
-      --bank-account jrluser \
-      --payto-with-subject 'payto://FIXME/?message=1kg+coffee' \
-      --amount EUR:10.50
-  FIXME: Any output?
-
-Note that ``--bank-account jrluser`` is the same as in the
-``info`` and ``new-ebicssubscriber`` command examples (see above).
-
-
-connections
------------
-
-The ``connections`` set of commands handle connections between
-the bank(s) and Nexus.
-It has several subcommands:
-new-ebics-connection,
-list-connections,
-show-connection,
-delete-connection,
-export-backup,
-restore-backup,
-get-key-letter,
-connect,
-list-offered-bank-accounts,
-download-bank-accounts,
-import-bank-account.
-
-Generally, you will create a connection, save its critical key information
-to a safe location, then use the connection to find and import a bank
-account, for further use.
-
-Several commands take a ``CONNECTION_NAME`` argument.
-In the following examples, we use ``conn01`` for that.
-Also, for demonstration purposes, we use the sandbox EBICS services,
-so the ``EBICS_URL`` follows the previous examples in the ``sandbox``
-command, as the value of environment variable ``LIBEUFIN_SANDBOX_URL``
-suffixed with ``/ebicsweb``, i.e., ``http://localhost:5016/ebicsweb``.
-
-connections new-ebics-connection
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``connections new-ebics-connection`` command creates a new connection
-between an EBICS service and the Nexus.
-It takes one arg, the ``CONNECTION_NAME``, and four required options:
-
-::
-
-  --ebics-url TEXT      EBICS URL
-  --host-id TEXT        Host ID
-  --partner-id TEXT     Partner ID
-  --ebics-user-id TEXT  Ebics user ID
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli connections new-ebics-connection \
-      --ebics-url http://localhost:5016/ebicsweb \
-      --host-id testhost \
-      --partner-id partner01 \
-      --ebics-user-id user02 \
-      conn01
-
-Note that the ``testhost``, ``partner01``, and ``user02`` are the same as
-in the ``sandbox demobank new-ebicssubscriber`` command (see above).
-
-connections list-connections
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``connections list-connections`` command lists connections in Nexus.
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli connections list-connections
-  {
-    "bankConnections" : [ {
-      "name" : "conn01",
-      "type" : "ebics"
-    } ]
-  }
-
-The name of the connection is ``conn01`` as in the
-``connections new-ebics-connection`` example (see above).
-
-connections show-connection
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``connections show-connection`` command displays information
-about a specific connection.
-It takes one argument, the ``CONNECTION_NAME``.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli connections show-connection conn01
-  {
-    "type" : "ebics",
-    "owner" : "foo",
-    "ready" : true,
-    "details" : {
-      "ebicsUrl" : "http://localhost:5016/ebicsweb",
-      "ebicsHostId" : "testhost",
-      "partnerId" : "partner01",
-      "userId" : "user02"
-    }
-  }
-
-The details are the same as in the ``connections new-ebics-connections``
-example (see above).
-
-connections delete-connection
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``connections delete-connection`` command deletes a bank connection.
-It takes one argument, the ``CONNECTION_NAME``.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli connections delete-connection conn01
-
-connections export-backup
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``connections export-backup`` command writes key and signature
-information to a backup file (which you should take care to store
-in a secure location).
-It takes one argument, the ``CONNECTION_NAME`` and two required options:
-
-::
-
-  --passphrase TEXT   Passphrase for locking the backup
-  --output-file TEXT  Where to store the backup
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli connections export-backup \
-      --passphrase secret \
-      --output-file sig-and-key-info \
-      conn01
-  FIXME: Output?
-
-See:  https://bugs.gnunet.org/view.php?id=7180
-
-connections restore-backup
-^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-connections get-key-letter
-^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The ``connections get-key-letter`` command creates a PDF file
-that contains key information.
-It takes two arguments, ``CONNECTION_NAME`` and ``OUTPUT_FILE``.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli connections get-key-letter conn01 key-letter.pdf
-
-This creates file ``key-letter.pdf`` in the current working directory.
-
-connections connect
-^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-connections list-offered-bank-accounts
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-connections download-bank-accounts
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-connections import-bank-account
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-
-users
------
-
-The ``libeufin-cli users`` command manages users authorized to
-operate Nexus.
-It has several subcommands: self, list, create, change-password.
-The ``create`` and ``change-password`` commands can only be issued
-by the superuser
-(as configured by the ``libeufin-nexus superuser`` command),
-while the ``self`` and ``list`` commands can be issued by any user.
-
-In the following ``users`` examples, we assume that previously
-the command ``libeufin-nexus superuser foo`` was issued, and
-that the current username and password are for that user
-(via environment variables ``LIBEUFIN_NEXUS_USERNAME`` and
-``LIBEUFIN_NEXUS_PASSWORD``, see above).
-
-users self
-^^^^^^^^^^
-
-The ``users self`` command displays information for the current user.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli users self
-  {
-    "username" : "foo",
-    "superuser" : true
-  }
-
-users list
-^^^^^^^^^^
-
-The ``users list`` command displays information for all the
-users authorized to operate Nexus.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli users list
-  {
-    "users" : [ {
-      "username" : "foo",
-      "superuser" : true
-    } ]
-  }
-
-In this example, there is only one user, the superuser ``foo``.
-
-users create
-^^^^^^^^^^^^
-
-The ``users create`` command creates a normal (non-superuser) user.
-It takes one argument, the ``USERNAME`` and one option,
-``--password TEXT``.
-If you omit the option, **libeufin-cli** will prompt you for the password.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli users create --password easy jrluser
-  {
-    "message" : "New user 'jrluser' registered"
-  }
-  $ libeufin-cli users list
-  {
-    "users" : [ {
-      "username" : "foo",
-      "superuser" : true
-    }, {
-      "username" : "jrluser",
-      "superuser" : false
-    } ]
-  }
-
-In this example, we create the same user as for the sandbox examples
-(see above).
-Note that the system now includes two users.
-
-users change-password
-^^^^^^^^^^^^^^^^^^^^^
-
-The ``users change-password`` command changes the password for a user.
-It takes one argument, the ``USERNAME`` and one option,
-``--new-password TEXT``.
-If you omit the option, **libeufin-cli** will prompt you for the password.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli users change-password --new-password hard jrluser
-  {
-    "message" : "Password successfully changed"
-  }
-
-
-permissions
------------
-
-The ``libeufin-cli permissions`` command manages permissions
-for operations on Nexus.
-It has three subcommands: list, grant, revoke.
-All three commands can only be issued by the superuser.
-
-permissions list
-^^^^^^^^^^^^^^^^
-
-The ``permissions list`` command lists the granted permissions.
-At the beginning of a session, there are none:
-
-.. code-block:: console
-
-  $ libeufin-cli permissions list
-  {
-    "permissions" : [ ]
-  }
-
-
-permissions grant
-^^^^^^^^^^^^^^^^^
-
-The ``permissions grant`` command adds a permission to the list
-of granted permissions.
-It takes five arguments: ``SUBJECT_TYPE``, ``SUBJECT_ID``,
-``RESOURCE_TYPE``, ``RESOURCE_ID``, ``PERMISSION_NAME``.
-
-FIXME: The subject type and id, resource type and id, are ...
-
-The ``PERMISSION_NAME`` is one of the following:
-
-- ``facade.talerwiregateway.history``
-- ``facade.talerwiregateway.transfer``
-- ``facade.anastasis.history``
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli permissions grant \
-      some-subject-type some-subject-id \
-      some-resource-type some-resource-id \
-      facade.anastasis.history
-  { }
-  $ libeufin-cli permissions list
-  {
-    "permissions" : [ {
-      "subject_type" : "some-subject-type",
-      "subject_id" : "some-subject-id",
-      "resource_type" : "some-resource-type",
-      "resource_id" : "some-resource-id",
-      "permission_name" : "facade.anastasis.history"
-    } ]
-  }
-
-permissions revoke
-^^^^^^^^^^^^^^^^^^
-
-The ``permissions revoke`` command does the opposite of the
-``permissions grant`` command.
-It takes the same arguments as the ``permissions grant`` command:
-``SUBJECT_TYPE``, ``SUBJECT_ID``, ``RESOURCE_TYPE``, ``RESOURCE_ID``,
-``PERMISSION_NAME``.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-cli permissions revoke \
-      some-subject-type some-subject-id \
-      some-resource-type some-resource-id \
-      facade.anastasis.history
-  { }
-  $ libeufin-cli permissions list
-  {
-    "permissions" : [ ]
-  }
-
-This example undoes the effect of the previous (``permissions grant``) example.
-
-
-accounts
---------
-
-WRITEME
-
-accounts transactions
-^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts task-status
-^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts task-schedule
-^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts task-delete
-^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts submit-payments
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts show-payment
-^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts show
-^^^^^^^^^^^^^
-
-WRITEME
-
-accounts prepare-payment
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts list-tasks
-^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts list-payments
-^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts fetch-transactions
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-accounts delete-payment
-^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-
-facades
--------
-
-WRITEME
-
-facades new-taler-wire-gateway-facade
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-facades new-anastasis-facade
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-WRITEME
-
-facades list
-^^^^^^^^^^^^
-
-WRITEME
-
-
-See Also
-========
-
-.. TODO: libeufin-sandbox(1), libeufin-cli(1).
-
-
-Bugs
-====
-
-Report bugs by using https://bugs.taler.net or by sending electronic
-mail to <taler@gnu.org>.
diff --git a/manpages/libeufin-nexus.1.rst b/manpages/libeufin-nexus.1.rst
index a0ed99ff..5eb42cab 100644
--- a/manpages/libeufin-nexus.1.rst
+++ b/manpages/libeufin-nexus.1.rst
@@ -93,7 +93,7 @@ Its options are as follows:
    Configure logging to use LOGLEVEL.
    Uploaded documents will be stored *before* being submitted to the bank. This directory would contain several directories, each named after the ``YYYY-MM-DD/submit`` format. The pain.001 file would then be named in the following schema: ``$microseconds_pain.001.xml``.
 **--transient**
-   This flag, enabled by default, causes the command to check the database and submit only once, and then return.
+   This flag causes the command to check the database and submit only once, and then return.
 
 
 ebics-fetch
@@ -105,6 +105,8 @@ The files type can be given as an argument to select what will be fetched. If no
 
 * ``acknowledgement``: EBICS acknowledgement, retrieves the status of EBICS orders.
 * ``status``: Payment status, retrieves status of pending debits.
+* ``report``: Account intraday reports, retrieves the history of confirmed debits and credits.
+* ``statement``: Account statements, retrieves the history of confirmed debits and credits.
 * ``notification``: Debit & credit notifications, retrieves the history of confirmed debits and credits.
 
 **-h** \| **--help**
@@ -117,10 +119,26 @@ The files type can be given as an argument to select what will be fetched. If no
    Log EBICS content at SAVEDIR.
    Downloaded documents will be stored *before* being ingested in the database. This directory would contain several directories, each named after the ``YYYY-MM-DD/fetch`` format. The stored files would then be named after the following schema: ``$microseconds_$filename``. Exception to this naming scheme are the HAC responses, since they do not get any filename assigned by the ZIP archive (they are sent unzipped). Their naming scheme is: ``$microseconds_HAC_response.pain.002.xml``.
 **--transient**
-   This flag, enabled by default, causes the command to perform one download and return.
+   This flag causes the command to perform one download and return.
 **--pinned-start**
   Only supported in --transient mode, this option lets specify the earliest timestamp of the downloaded documents.  The latest timestamp is always the current time.
 
+serve
+-----
+
+This command starts the HTTP server.
+
+Its options are as follows:
+
+**-h** \| **--help**
+   Print short help on options.
+**-c** \| **--config** *FILENAME*
+   Specifies the configuration file.
+**-L** \| **--log** *LOGLEVEL*
+   Configure logging to use LOGLEVEL. 
+**--check**
+   This flag causes the command to check whether an API is in use (if it's useful to start the HTTP server) and to output 0 if at least one API is enabled, otherwise 1. 
+
 initiate-payment
 ----------------
 
diff --git a/manpages/libeufin-nexus.conf.5.rst b/manpages/libeufin-nexus.conf.5.rst
index e70ff7b3..8aabe883 100644
--- a/manpages/libeufin-nexus.conf.5.rst
+++ b/manpages/libeufin-nexus.conf.5.rst
@@ -116,8 +116,8 @@ HOST_BASE_URL
 
 BANK_DIALECT
   Name of the following combination: EBICS version and ISO20022 recommendations
-  that Nexus would honor in the communication with the bank.  Currently only the
-  'postfinance' value is supported.
+  that Nexus would honor in the communication with the bank. Currently only the
+  ``postfinance`` or ``gls`` value is supported.
 
 HOST_ID
   EBICS specific: name of the EBICS host
@@ -164,6 +164,63 @@ FREQUENCY
   Duration value to instruct the ``ebics-fetch`` subcommand how often it should
   download from the bank.
 
+IGNORE_TRANSACTIONS_BEFORE
+  Ignore all transactions before a certain YYYY-MM-DD date, useful when you want to use an existing account with old transactions that should not be bounced.
+
+HTTP SERVER OPTIONS
+-------------------
+
+The following configuration value(s) belong to the “[nexus-httpd]” section.
+
+SERVE
+  This can either be ``tcp`` or ``unix``.
+
+PORT
+  Port on which the HTTP server listens, e.g. 9967.
+  Only used if ``SERVE`` is ``tcp``.
+
+BIND_TO
+  Which IP address should we bind to?  E.g. ``127.0.0.1`` or ``::1``for loopback.  Can also be given as a hostname.
+  Only used if ``SERVE`` is ``tcp``.
+
+UNIXPATH
+  Which unix domain path should we bind to?
+  Only used if ``SERVE`` is ``unix``.
+
+UNIXPATH_MODE
+  What should be the file access permissions for ``UNIXPATH``?
+  Only used if ``SERVE`` is ``unix``.
+
+HTTP WIRE GATEWAY API OPTIONS
+-----------------------------
+
+The following configuration value(s) belong to the “[nexus-httpd-wire-gateway-api]” section.
+
+ENABLED
+  Whether to serve the Wire Gateway API.
+
+AUTH_METHOD
+  How to authenticate this API. This can either be ``none`` or ``bearer-token``.
+
+AUTH_BEARER_TOKEN
+  The expected token.
+  Only used if ``AUTH_METHOD`` is ``bearer-token``.
+
+HTTP REVENUE API OPTIONS
+------------------------
+
+The following configuration value(s) belong to the “[nexus-httpd-revenue-api]” section.
+
+ENABLED
+  Whether to serve the Revenue API.
+
+AUTH_METHOD
+  How to authenticate this API. This can either be ``none`` or ``bearer-token``.
+
+AUTH_BEARER_TOKEN
+  The expected token.
+  Only used if ``AUTH_METHOD`` is ``bearer-token``.
+
 DATABASE OPTIONS
 ----------------
 
diff --git a/manpages/libeufin-sandbox.1.rst b/manpages/libeufin-sandbox.1.rst
deleted file mode 100644
index 6f0948d0..00000000
--- a/manpages/libeufin-sandbox.1.rst
+++ /dev/null
@@ -1,227 +0,0 @@
-libeufin-sandbox(1)
-###################
-
-.. only:: html
-
-   Name
-   ====
-
-   **libeufin-sandbox** - Simulate a banking system core
-   with EBICS access to bank accounts
-
-
-Synopsis
-========
-
-**libeufin-sandbox**
-[**-h** | **--help**]
-[**--version**]
-COMMAND [ARGS...]
-
-Commands: serve, reset-tables, config, make-transaction, camt053tick
-default-exchange
-
-
-Description
-===========
-
-**libeufin-sandbox** is a program to simulate a banking system core
-with EBICS access to bank accounts.
-It maintains state in its own private database.
-You interact with it through HTTP
-requests either over the network or via a Unix domain socket.
-Related program **libeufin-cli** is the preferred front end
-for that mode of operation.
-There is also a mode where **libeufin-sandbox** accepts commands directly,
-useful for configuring one or more "demobank" (simulated bank) instances.
-
-Its options are as follows:
-
-**-h** \| **--help**
-   Print short help on options.
-
-**–version**
-   Print version information.
-
-The interaction model is as follows:
-
-.. @MS Is the order of the first two steps correct?
-   Or are some of the commands to be used AFTER ‘serve’ starts?
-   Or is it a mix?  (I believe it is a mix, but am not sure.)
-
-- Configure the sandbox with commands ``config``, ``default-exchange``,
-  ``make-transaction``, and ``camt053tick``.
-
-- Start the HTTP server with command ``serve``.
-  Let this run in a shell, writing logs to stderr.
-
-- Point program **libeufin-nexus** at the sandbox.
-
-- Interact with **libeufin-nexus**.
-
-- When finished, interrupt the ``serve`` process and clean up with command
-  ``reset-tables``.
-
-The following sections describe each command in detail.
-
-
-config
-------
-
-This command takes argument ``NAME`` and creates a demobank with that name.
-
-Option ``--currency CUR`` (default: ``EUR``) specifies another currency.
-Option ``--captcha-url $URL`` specifies where the wallet user is going
-to be redirected to confirm the withdrawal operation. This $URL should
-point to the bank frontend. More precisely to the UI that let the user
-finish a withdrawal operation that needs to be confirmed. Example of
-this value may be "https://bank.domain/#/operation/{wopid}" where
-"https://bank.domain" returns the demobank SPA and the demobank view under
-the route "/operation/{wopid}" will show the status of the operation id {wopid}.
-Note that "{wopid}" is literally in the --captcha-url config and replaced at
-runtime by the sandbox server.
-Option ``--bank-debt-limit N`` (default: 1000000) specifies that
-the bank debt limit should be N (units of currency).
-Similarly, option ``--users-debt-limit N`` (default: 1000) specifies
-that the users debt limit should be N (units of currency).
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-sandbox config default
-
-This creates the demobank ``default`` with currency ``EUR``,
-bank debt limit 1000000, users debt limit 1000,
-and allows registrations.
-
-
-default-exchange
-----------------
-
-This command sets the exchange that a demobank will suggest to wallets.
-(Wallets are of course free to disregard the suggestion and choose
-another exchange.)
-It requires two arguments, ``EXCHANGE-BASEURL`` and ``EXCHANGE-PAYTO``.
-The option ``--demobank NAME`` (default: ``default``) specifies
-which demobank this setting affects.
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-sandbox default-exchange \
-      --demobank bank01 \
-      https://exchange.example.com/ \
-      payto://iban/CH9300762011623852957
-
-This sets the default exchange for demobank ``bank01``.
-It is an error if the demobank does not exist.
-
-
-make-transaction
-----------------
-
-This is a "legacy" command, useful in a previous iteration of LibEuFin
-and for internal testing.
-It creates and records a wire transfer transaction in the database.
-
-It takes two arguments and several required options.
-The arguments are ``AMOUNT``, in ``CUR:X.Y`` format;
-and ``SUBJECT``, a short textual description of the transaction.
-The options are: ``--credit-account LABEL`` and ``--debit-account LABEL``,
-where each LABEL names a bank account for receiving and issuing,
-respectively, the wire transfer.
-The option ``--demobank NAME`` (default: ``default``) specifies
-in which demobank the wire transfer occurs.
-
-.. note::
-
-   If you have not yet called ``config``, this command creates
-   a demobank named ``default`` on its first use.  The currency,
-   and bank debt limit have the same defaults as for the ``config``
-   command.  The users debt limit, however, defaults to 10000.
-
-FIXME: How to achieve the same result with **libeufin-cli**?
-
-
-camt053tick
------------
-
-This command advances the internal time step that the demobank
-uses to group transactions for reporting.
-(Successive transactions will be inserted in a new Camt.053 report.)
-
-For example:
-
-.. code-block:: console
-
-  $ libeufin-sandbox camt053tick
-
-FIXME: How to achieve the same result with **libeufin-cli**?
-
-
-serve
------
-
-This command starts the HTTP server, listening on port 5000.
-To use a different port, use option ``--port INT``.
-To listen, instead, on a Unix domain socket,
-use option ``--with-unix-socket PATH``.
-When both ``--port`` and ``--with-unix-socket`` are given,
-``--with-unix-socket`` takes precedence.
-
-.. note::
-
-   If you have not yet called ``config``, this command creates
-   a demobank named ``default`` on its first use.  The currency,
-   and bank debt limit have the same defaults as for the ``config``
-   command.  The users debt limit, however, defaults to 10000.
-
-The process runs in the foreground, writing its logs to standard error.
-The normal log level is ``DEBUG``.
-To change it, use ``--log-level LEVEL``, where ``LEVEL`` is one of:
-``ERROR``, ``WARN``, ``INFO``, ``DEBUG``, ``TRACE``.
-
-Before invoking ``serve``, the following environment variables need to be set:
-
-``LIBEUFIN_SANDBOX_ADMIN_PASSWORD``
-   The password required for later use by **libeufin-cli**.
-   For testing purposes, you can use option ``--no-auth`` to disable
-   this requirement.
-   (In that case, this environment variable need not be set.)
-
-``LIBEUFIN_SANDBOX_DB_CONNECTION``
-   This specifies the database **libeufin-sandbox** uses to maintain state.
-   Currently, both Sqlite and PostgreSQL are supported.
-   (Only one needs to be specified.)
-   Examples:
-
-   - ``jdbc:sqlite:/tmp/libeufin-sandbox.db``
-   - ``jdbc:postgresql://localhost:5432/libeufindb?user=Foo&password=secret``
-
-Normally, the ``serve`` command runs until interrupted.
-When run in a shell, you can use ``Control-C`` for that.
-
-
-reset-tables
-------------
-
-This command drops all the tables in the internal database.
-(The next time the tables are needed, **libeufin-sandbox** creates them
-again, automatically.)
-
-It should only be used when the sandbox is quiescent.
-
-
-See Also
-========
-
-.. TODO: libeufin-nexus(1), libeufin-cli(1).
-
-
-Bugs
-====
-
-Report bugs by using https://bugs.taler.net or by sending electronic
-mail to <taler@gnu.org>.
diff --git a/manpages/taler.conf.5.rst b/manpages/taler.conf.5.rst
index 3074f68b..ee5d3cd1 100644
--- a/manpages/taler.conf.5.rst
+++ b/manpages/taler.conf.5.rst
@@ -254,19 +254,29 @@ PRIVACY_ETAG
 EXCHANGE KYC PROVIDER OPTIONS
 -----------------------------
 
-The following options must be in the section "[kyc-provider-XXX]" sections.
-
-COST
-  Relative cost of the KYC provider, non-negative number.
+The following options must be in the section "[kyc-provider-$PROVIDER_NAME]" sections.
 
 LOGIC
   API type of the KYC provider.
 
-USER_TYPE
-  Type of user this provider is for, either INDIVIDUAL or BUSINESS.
+CONVERTER
+  Name of a program to run on the output of the plugin
+  to convert the result into the desired set of attributes.
+  The converter must create a log for the system administrator
+  if the provided inputs do not match expectations.
+  Note that the converter will be expected to output the
+  set of attributes listed under the respective ``[kyc-check-*]``
+  sections. Calling the converter with ``--list-outputs``
+  should generate a (newline-separated) list of attributes
+  the converter promises to generate in its JSON output
+  (when run regularly).
+
+COST
+  Optional cost, useful if clients want to voluntarily
+  trigger authentication procedures for attestation.
 
-PROVIDED_CHECKS
-  List of checks performed by this provider. Space-separated names of checks, must match check names in legitimization rules.
+Additional logic-specific options may be given in the
+section.
 
 
 EXCHANGE KYC OAUTH2 OPTIONS
@@ -362,6 +372,169 @@ WEBHOOK_AUTH_TOKEN
   Authentication token Persona must supply to our webhook. This is an optional setting.
 
 
+EXCHANGE KYC CHECK OPTIONS
+--------------------------
+
+The following options must be in "[kyc-check-$CHECK_NAME]" sections.
+
+TYPE
+  Which type of check is this? Also determines
+  the SPA form to show to the user for this check.
+
+  * INFO: wait for staff or contact staff out-of band
+    (only information shown, no SPA action)
+  * FORM: SPA should show an inline (HTML) form
+  * LINK: SPA may start external KYC process or upload
+
+VOLUNTARY
+  Optional. Set to YES to allow this check be
+  done voluntarily by a client (they may then
+  still have to pay for it). Used to offer the
+  SPA to display checks even if they are
+  not required. Default is NO.
+
+PROVIDER_ID
+  Provider id, present only if type is LINK.
+  Refers to a ``kyc-provider-$PROVIDER_ID`` section.
+
+FORM_NAME
+  Name of the SPA form, if type is FORM
+  "INFO" and "LINK" are reserved and must not be used.
+  The exchange server and the SPA must agree on a list
+  of supported forms and the resulting attributes.
+  The SPA should include a JSON resource file
+  "forms.json" mapping form names to arrays of
+  attribute names each form provides.
+  The list of possible FORM names is fixed in the SPA
+  for a particular exchange release.
+
+DESCRIPTION
+  Descriptions to use in the SPA to display the check.
+  
+DESCRIPTION_I18N
+  JSON with internationalized descriptions to use
+  in the SPA to display the check.
+
+REQUIRES
+  ';'-separated list of fields that the CONTEXT must
+  provide as inputs to this check. For example,
+  for a FORM of type CHOICE, this might state
+  ``choices: string[];``. The type after the ":"
+  is for now purely for documentation and is
+  not checked. However, it may be shown to AML staff
+  when they configure measures.
+
+OUTPUTS = business_name street city country registration
+  Description of the outputs provided by the check.
+  Basically, the check's output is expected to
+  provide the following fields as attribute inputs into
+  a subsequent AML program.
+  Only given for type FORM; INFO never has any outputs,
+  and for type LINK we can obtain the same information
+  from the CONVERTER via ``--list-outputs``.
+
+FALLBACK
+  Name of an **original** measure to take if the check fails
+  (for any reason, e.g. provider or form fail to
+  satisfy constraints or provider signals user error)
+  Usually should point to a measure that requests
+  AML staff to investigate.  The fallback measure
+  context always includes the reasons for the
+  failure.
+
+EXCHANGE KYC RULES
+------------------
+
+The following options must be in "[kyc-rule-$RULE_NAME]" sections.
+
+OPERATION_TYPE = WITHDRAW
+  Operation that triggers this rule.
+  Must be one of WITHDRAW, DEPOSIT, P2P-RECEIVE
+  or WALLET-BALANCE.
+
+NEXT_MEASURES
+  Space-separated list of next measures to be performed.
+  The SPA should display *all* of these measures to the user.
+  (They have a choice of either which ones, or in
+  which order they are to be performed.)
+  A special measure name "verboten" is used if the
+  specified threshold may never be crossed
+  (under this set of rules).
+
+IS_AND_COMBINATOR
+  "YES" if all NEXT_MEASURES will eventually need
+  to be satisfied, "NO" the user has a choice between
+  them. Not actually enforced by the exchange, but
+  primarily used to inform the user whether this is
+  an "and" or "or". YES for "and".
+
+EXPOSED
+  YES if the rule (specifically, operation type,
+  threshold, timeframe) and the general nature of
+  the next measure (verboten or approval required)
+  should be exposed to the client.
+  Defaults to NO if not set.
+
+THRESHOLD
+  Threshold amount above which the rule is
+  triggered.  The total must be exceeded in the given
+  timeframe.
+
+TIMEFRAME
+  Timeframe over which the amount to be compared to
+  the THRESHOLD is calculated (for example, "30 days").
+  Ignored for WALLET-BALANCE.  Can be 'forever'.
+
+ENABLED = NO
+  Set to YES to enable the rule (default is NO).
+
+
+EXCHANGE AML PROGRAMS
+---------------------
+
+The following options must be in "[aml-program-$PROG_NAME]" sections.
+
+COMMAND
+  Name of the program to run. Must match a binary
+  on the local machine where the exchange is running.
+
+DESCRIPTION
+  Human-readable description of what this
+  AML helper program will do. Used to show
+  to the AML staff.
+
+ENABLED
+  True if this AML program is enabled (and thus can be
+  used in measures and exposed to AML staff).
+  Optional, default is NO.
+
+FALLBACK
+  Name of an **original** measure to take if COMMAND fails
+  Usually points to a measure that asks AML staff
+  to contact the systems administrator. The fallback measure
+  context always includes the reasons for the
+  failure.
+
+EXCHANGE KYC MEASURES
+---------------------
+
+The following options must be in "[kyc-measure-$MEASURE_NAME]" sections.  These sections define the **original** measures.
+
+CHECK_NAME
+  Name of a possible check for this measure.  Optional.
+  If not given, PROGRAM should be run immediately
+  (on an empty set of attributes).
+
+CONTEXT = {"choices":["individual","business"]}
+  Context for the check. The context can be
+  just an empty JSON object if there is none.
+
+PROGRAM
+  Program to run on the context and check data to
+  determine the outcome and next measure.
+  Refers to a ``[aml-program-$PROG_NAME]`` section name.
+
+
 EXCHANGE EXTENSIONS OPTIONS
 ---------------------------