Plan — Auth Update: Register & Sign-In for Comments

Intent

Add user registration and sign-in to bahalaka.com so only authenticated users can post and edit comments. Follow the exact auth pattern proven on lakemedical.org — NTRP wire protocol, Cloudflare Pages Functions as proxy, Pantheon C auth server via relay.

Scope

What Changes

Auth gate on comments: Users must register (TOTP via authenticator app) and sign in before commenting
Site stays public: All content remains visible without login — only the comment form requires auth
Comments tied to identity: Username comes from the authenticated session, not a free-text input. Edit rights verified server-side via session, not name matching
Wire protocol: NTRP binary frames — same pattern as lakemedical.org
Firestore integration preserved: Comments still stored in Firestore, but posted with authenticated username

Approach — Following the lakemedical.org Pattern

Phase 1 — Auth Infrastructure

Copy and configure the proven auth stack from lakemedical.org:

Copy wire.js (NTRP pack/unpack, 173 lines) → site/js/
Copy nous.js (auth client, 162 lines) → site/js/
Copy login-gate.js (login page controller) → site/js/
Copy auth-gate.css → site/css/
Create site/login.html — standalone login page with register + sign-in

Phase 2 — Cloudflare Pages Functions

Wire proxy that routes auth requests to the relay:

Copy functions/api/wire.js from lakemedical.org → functions/api/wire.js
Update relay target configuration for bahalaka
Create wrangler.toml with Pages config
Set NOUS_PSK secret on the Pages project

Phase 3 — Comment System Update

Integrate auth into the existing Firestore comment engine:

Comment form shows only when user has active session
Unauthenticated users see comments (read) + "Sign in to comment" prompt
Username auto-filled from session — no free-text name input
Edit button only visible on comments owned by current session user
Session timer in nav bar with auto-logout
Firestore security rules updated — write requires session-verified username passed through a Pages Function

Phase 4 — Comment Backend Migration

Move Firestore writes server-side to enforce auth:

Create functions/api/comments.js — Pages Function that verifies session with relay, then writes to Firestore on behalf of the user
Client no longer writes directly to Firestore — all writes go through the authenticated Pages Function
Client still reads directly from Firestore (public reads remain)
Service account key for Firestore stored as Pages secret

Auth Flow (same as lakemedical.org)

Step	Action	Components
1	User clicks "Sign in to comment"	Comment form → login.html redirect
2	User registers: enters username	login-gate.js → wire.js → /api/wire → relay → C auth server
3	Server returns QR code (TOTP secret)	C auth server (totp.c + qr.c) → NTRP response
4	User scans QR with authenticator app	Google Authenticator / Authy / 1Password
5	User enters 6-digit TOTP code	login-gate.js → nous_auth() → /api/wire → relay → verify
6	Server returns session token (32 bytes)	C auth server → sessionStorage['nous-session']
7	Redirect back to site with session active	Session timer starts (15 min), comment forms enabled

Architecture Diagram

Request Flow

Browser (wire.js)
   │ NTRP binary frame
   ▼
Cloudflare Pages Function (/api/wire)
   │ HTTP POST (JSON)
   ▼
relay.3-nous.net:8080
   │ internal
   ▼
C Auth Server (gate.c → auth.c → totp.c → crypt.c)
   │
   ├── /register → generate TOTP secret + QR (qr.c)
   ├── /auth → verify TOTP code, mint session token
   └── /session → validate existing session

Browser (comment engine)
   │ Firestore REST API (reads)
   ▼
Firestore (bahalaka-website)

Browser (comment post/edit)
   │ authenticated request
   ▼
Cloudflare Pages Function (/api/comments)
   │ verify session with relay, then write
   ▼
Firestore (bahalaka-website)

Files to Copy from lakemedical.org

Source	Destination	Changes Needed
alumni/js/wire.js	site/js/wire.js	None — generic NTRP
alumni/js/nous.js	site/js/nous.js	None — generic auth client
alumni/js/login-gate.js	site/js/login-gate.js	Update redirect URL, styling references
alumni/css/auth-gate.css	site/css/auth-gate.css	Adapt to bahalaka color scheme
functions/api/wire.js	functions/api/wire.js	Update rate limits, CORS origins

New Files

File	Purpose
site/login.html	Standalone login page (register + sign-in)
site/js/comment-guard.js	Shows/hides comment forms based on session state
functions/api/comments.js	Authenticated comment write proxy to Firestore
wrangler.toml	Cloudflare Pages config

Constraints

Relay server at relay.3-nous.net:8080 must be running and accessible
NOUS_PSK must be set as Pages secret
GCP service account key for Firestore must be set as Pages secret
C auth server handles user persistence in users.dat on the relay
Session TTL: 900 seconds (15 min) — same as lakemedical.org
No Firebase SDK — Firestore REST API only
Zero frameworks — vanilla JS only