use well-formed xrpc error + clean up readme

README.md

@@ -4,9 +4,11 @@ the application comprises a video CDN and a client that fetches a record and dis
 the appview does not ingest from any event stream, but rather fetches videos on-demand.
 
 there is an allowlist of trusted users whose videos can be proxied,
-since re-serving arbitrary user content can be a big liability.
+since rehosting arbitrary user content can be a big liability.
 
 ## to-do list
 
+- loading indicator when we're fetching from PDS / CDN
+- better validation / rpc via lexicon.ts
 - video cdn garbage collection (so that disk usage doesn't grow unbounded)
 - etc

appview/main.ts

@@ -49,8 +49,12 @@ async function fetchVideo(req: Request): Promise<Response> {
 
   if (!db.inAllowlist(body.repo)) {
     return new Response(
-      JSON.stringify({ error: "repo is not allowlisted on AppView" }),
+      JSON.stringify({
+        error: "Denied",
+        message: "repo is not allowlisted on AppView",
+      }),
       {
+        status: 400,
         headers: {
           "content-type": "application/json",
           "access-control-allow-origin": "*",

lexicon/fetchVideo.json

@@ -32,7 +32,8 @@
             }
           }
         }
-      }
+      },
+      "errors": [{ "name": "Denied" }]
     }
   }
 }