I see a discussion from @dmurph in https://docs.google.com/document/d/19dad0LnqdvEhK-3GmSaffSGHYLeM0kHQ_v4ZRNBFgWM/edit that sites should be installable without a manifest, and therefore the install() API should require an app ID. I think that interacts badly with the cross-origin install API, where the other origin shouldn't be able to assign an arbitrary ID without the installed site's consent.
I see a discussion from @dmurph in https://docs.google.com/document/d/19dad0LnqdvEhK-3GmSaffSGHYLeM0kHQ_v4ZRNBFgWM/edit that sites should be installable without a manifest, and therefore the install() API should require an app ID. I think that interacts badly with the cross-origin install API, where the other origin shouldn't be able to assign an arbitrary ID without the installed site's consent.