Thank you, Nate. I have a much better idea of what to expect now. Thank you for your patience.
In step #4, are there other parameters along with "code" and "signature" (e.g. "shop", "timestamp")? The OAuth documentation seems to imply this (in section 6, verification).
http://docs.shopify.com/api/tutorials/oauth
Last question: let's say someone installs my app, uses it, etc. Later on (late enough that all sessions, cookies, etc. have expired), they come back to it. Does Shopify hit a URL like #1, but with a "signature" parameter? Or do I need to just look up the "shop" parameter in my own database to determine whether they're already fully installed?
In such a situation, is the permanent token included as the "code" parameter? Or, do I never use the permanent token for that purpose, and only use that token for the times I use the Shopify API to get info about the store?
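The following is an added illustration of the callback-handling logic the questions above are circling, not code from the thread or from Shopify. It assumes a generic signed-callback scheme (HMAC-SHA256 over the callback parameters other than "signature", in sorted key order, with a shared secret), which is an assumption about the shape of such a check and not a statement of Shopify's exact algorithm; the parameter names, the secret, the shop domains and the token values are all constructed. It shows three things a practitioner would want settled: every parameter on the callback (shop, timestamp, code, and anything else) is covered by the signature and compared in constant time; the timestamp is bounded so a captured callback cannot be replayed later; and a returning shop is recognized by looking the "shop" parameter up in the app's own store, while the permanent token is never expected to arrive as "code" and is used only server-side for API calls.

```python
import hashlib
import hmac
import time

# Constructed sample secret; a real app keeps this out of source control.
SHARED_SECRET = b"hypothetical-app-shared-secret"

# Constructed stand-in for the app's database: shop domain -> permanent token.
# The permanent token never travels back through the browser; it lives here.
INSTALLED = {"already-installed.myshopify.com": "permanent-token-xyz"}


def compute_signature(params, secret=SHARED_SECRET):
    """Assumed scheme: HMAC-SHA256 over 'key=value' pairs of every callback
    parameter except 'signature', joined with '&' in sorted key order."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "signature")
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def verify_callback(params, secret=SHARED_SECRET, now=None, max_age=600):
    """True only if the signature covers all other parameters and the
    timestamp is within max_age seconds of 'now' (replay window)."""
    for required in ("signature", "shop", "timestamp"):
        if required not in params:
            return False
    expected = compute_signature(params, secret)
    # Constant-time comparison avoids leaking the expected value byte by byte.
    if not hmac.compare_digest(expected, params["signature"]):
        return False
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return False
    now = time.time() if now is None else now
    return abs(now - ts) <= max_age


def handle_request(params, installed=INSTALLED, secret=SHARED_SECRET, now=None):
    """Decide what to do with an incoming signed request.

    Returns one of:
      ("reject", reason)            signature or timestamp check failed
      ("returning", token)          shop is already installed; use stored token
      ("exchange_code", code)       fresh install; exchange temporary code
    """
    if not verify_callback(params, secret, now):
        return ("reject", "bad signature or stale timestamp")
    shop = params["shop"]
    # Returning merchant: the app decides from its own records, not from
    # anything in the URL. The stored token is only ever used for API calls.
    if shop in installed:
        return ("returning", installed[shop])
    # First install: the temporary 'code' is what gets exchanged for a
    # permanent token; the permanent token itself never arrives as 'code'.
    if "code" in params:
        return ("exchange_code", params["code"])
    return ("reject", "not installed and no code to exchange")


if __name__ == "__main__":
    demo = {"shop": "new-shop.myshopify.com", "code": "tempcode123",
            "timestamp": str(int(time.time()))}
    demo["signature"] = compute_signature(demo)
    print(handle_request(demo))
```

The replay window (max_age) is a policy choice; the value used here is illustrative. The important structural points are that the lookup of the returning shop happens against the app's own database, and that the signature is recomputed over every parameter the callback carries rather than over a fixed subset.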