Estimate v2 — Auth Update for bahalaka.com

Supersedes

Replaces Estimate v1 (3 boards, 50 pts). Updated to account for the one-level reply threading feature added to the comment engine.

What Changed

Reply Feature Impact

Comments now have one-level replies stored at comments/{section}/entries/{id}/replies/{replyId}
The comments proxy function must handle both top-level comments AND replies
Comment guard must protect reply forms in addition to comment forms
Firestore rules update must lock down both entries and replies subcollections
End-to-end testing scope expanded: comment + reply + edit, all session-gated

Board Overview

Board	Name	Items	Points	Delta
2	Auth Infrastructure — Wire + Functions	4	16	—
3	Auth UI — Login + Session + Comment Guard	4	20	+2
4	Comment Backend — Server-Side Writes + Replies	5	22	+6

Total: 13 items, 58 pts across 3 boards. (was 12 items, 50 pts)

Board 2 — Auth Infrastructure (16 pts)

No changes from v1

Item	Command	Pts
{wire.js + nous.js, add to, js}	~a	3
{wrangler.toml, add to, project root}	~a	3
{wire proxy function, add to, functions/api}	~a	5
{NOUS_PSK secret, add to, Cloudflare Pages}	~a	5

Board 3 — Auth UI (20 pts) +2 from v1

Item	Command	Pts
{login.html + auth-gate.css, add to, project root}	~a	5
{login-gate.js, add to, js}	~a	5
{session timer + auth nav + reply guard, update with, index.html}changed	~u	7
{deploy.json, update with, auth config}	~u	3

Session/nav item bumped from 5→7 pts: comment guard must now show/hide both the comment form AND inline reply forms + reply buttons based on session state. Reply forms are dynamically created per-comment, requiring event delegation or render-time checks.

Board 4 — Comment Backend + Replies (22 pts) +6 from v1

Item	Command	Pts
{comments + replies proxy function, add to, functions/api}changed	~a	7
{comment engine, update with, session-aware posting + editing}changed	~u	5
{reply engine, update with, session-aware reply posting}new	~u	3
{Firestore security rules, update with, server-write-only for entries + replies}changed	~u	3
{auth + comments + replies end-to-end, plan tests for, bahalaka.com}changed	~t	4

Key changes: proxy function now routes two paths (/api/comments for entries, /api/comments/reply for replies). New work item for session-aware reply posting. Testing scope expanded to cover reply threading with auth. Firestore rules must lock both entries/{entry} and entries/{entry}/replies/{reply} to server-write-only.

Firestore Paths (Post-Auth)

Current (Public)

Path	Read	Create
`comments/{section}/entries/{entry}`	public	public
`comments/{section}/entries/{entry}/replies/{reply}`	public	public

After Auth (Server-Write-Only)

Path	Read	Write
`comments/{section}/entries/{entry}`	public	deny (server only via Pages Function)
`comments/{section}/entries/{entry}/replies/{reply}`	public	deny (server only via Pages Function)

Client reads stay direct (Firestore REST + API key). All writes routed through /api/comments Pages Function which verifies session with relay before writing.

Dependencies

Board 2 → Board 3 → Board 4 (linear, unchanged). Auth infra must exist before UI can use it. UI must exist before comment/reply backend can integrate with sessions.

Value Rationale

Board 2 is foundation — wire protocol and proxy unblock everything. Board 3 gives users login. Board 4 hardens both comments and replies with server-side writes + auth enforcement. The +8 pt increase (50→58) is the cost of reply threading complexity through the auth stack — well worth it since replies are already live and users expect them.