# ============================================================================
# TIMOPDF — ROOT HARDENING
#
# The app's real entry point is public/index.php. The PROPER fix is to point
# the domain's document root at the public/ folder. Until that's done, this
# file (which sits in the exposed project root) locks down everything that
# must never be web-served: source code, config with DB credentials, SQL
# dumps, the vendor tree, and deployment archives.
# ============================================================================

# No directory listings anywhere under the root: a directory that has no index
# file answers 403 instead of an auto-generated file list.
# NOTE(review): in .htaccess this only takes effect if the server's
# AllowOverride setting permits Options — confirm against the vhost config.
Options -Indexes

# index.php is the only file name treated as a directory index.
DirectoryIndex index.php

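# Path-based denials. Two limits to keep in mind when relying on them:
#  - Rewrite rules in this file are not applied inside a subdirectory whose own
#    .htaccess configures mod_rewrite (public/, or a vendored package that
#    ships one) unless that file sets "RewriteOptions Inherit". As defence in
#    depth, an .htaccess containing only "Require all denied" in each denied
#    directory does not depend on mod_rewrite at all.
#  - The dotfile rule also forbids /.well-known/ (used e.g. for ACME HTTP-01
#    certificate validation); exempt that path deliberately if it is needed.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block dotfiles (.git, .env, .htpasswd, ...) at any depth.
    RewriteRule "(^|/)\." - [F]

    # Deny the entire source/config/data/vendor tree. These directories should
    # never be reachable over HTTP regardless of doc-root. NC closes the gap on
    # case-insensitive filesystems, where /Vendor/ resolves to vendor/.
    RewriteRule ^(app|config|database|storage|vendor|\.composer-home)(/|$) - [F,L,NC]
</IfModule>

# Fail closed: without mod_rewrite the block above is skipped silently and the
# directories would be served. Repeat the same denials with mod_alias. The
# second pattern is anchored at "/" and so assumes this file sits at the
# site's URL root.
<IfModule !mod_rewrite.c>
    RedirectMatch 403 "(^|/)\."
    RedirectMatch 403 "(?i)^/(app|config|database|storage|vendor|\.composer-home)(/|$)"
</IfModule>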

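# Deny sensitive file types anywhere in the tree (SQL dumps, lockfiles,
# archives, the bundled composer binaries, env/ini/log/backups, docs).
# (?i) makes the match case-insensitive, so DUMP.SQL or Backup.ZIP are denied
# as well. Only the final extension is tested: names such as dump.sql.gz,
# site.tar.gz or config.php.old are NOT matched — extend the list if files
# like that can end up in this tree.
# "Require all denied" is Apache 2.4 authorization syntax.
<FilesMatch "(?i)\.(sql|lock|zip|phar|env|ini|log|sh|bak|md)$">
    Require all denied
</FilesMatch>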

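# Deny the composer manifests and the local composer binary by name.
# composer.json lists the project's declared dependencies and composer.lock
# their exact installed versions, which is useful reconnaissance for anyone
# matching them against known advisories. (?i) keeps the match effective on
# case-insensitive filesystems.
<FilesMatch "(?i)^(composer\.json|composer\.lock|composer\.phar|composer)$">
    Require all denied
</FilesMatch>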

# ----------------------------------------------------------------------------
# OPTIONAL: serve the app at the bare domain without moving the doc-root.
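# Uncomment to route every request that does not match an existing file or
# directory through public/index.php, so the site works at https://your-domain/
# instead of /public/. Files and directories that do exist under the project
# root are still served directly, so the deny rules above must stay in place.
# Test before relying on it — moving the doc-root to public/ is still the
# cleaner solution.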
#
# <IfModule mod_rewrite.c>
#     RewriteCond %{REQUEST_URI} !^/public/
#     RewriteCond %{REQUEST_FILENAME} !-f
#     RewriteCond %{REQUEST_FILENAME} !-d
#     RewriteRule ^(.*)$ public/index.php [L,QSA]
# </IfModule>
# ----------------------------------------------------------------------------
