RewriteEngine On

# Deny direct access to sensitive directories if docroot is repo root
RewriteRule ^(app|scripts|sql|storage)/ - [F,L]

# Serve everything from public/ if not already there
RewriteCond %{REQUEST_URI} !^/public/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ public/$1 [L]

# Block hidden files (e.g., .env)
<FilesMatch "^\.">
  Require all denied
</FilesMatch>

