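<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # NOTE(review): everything inside this <IfModule> silently disappears if
    # mod_rewrite is not loaded. The directory and root-file denials below
    # have no mod_rewrite-independent fallback in this file (the <FilesMatch>
    # sections further down only cover dotfile names and data extensions, not
    # vendor/, node_modules/, scripts/ or the contents of .git/). Confirm the
    # module is enabled on the target host rather than assuming it.

    # ── Block sensitive root-level files and directories ──
    # These should never be web-accessible. [NC] makes the match
    # case-insensitive: on a case-insensitive filesystem (macOS, Windows)
    # /VENDOR/autoload.php would otherwise miss the pattern, pass the -f
    # check below, and be served. Because these rules fire on the pattern
    # alone (before any -f/-d test), the 403 is returned whether or not the
    # path exists, so it does not confirm presence.
    RewriteRule ^\.ai/ - [F,L,NC]
    RewriteRule ^\.git/ - [F,L,NC]
    RewriteRule ^scripts/ - [F,L,NC]
    RewriteRule ^vendor/ - [F,L,NC]
    RewriteRule ^node_modules/ - [F,L,NC]
    RewriteRule ^promptsite-app/ - [F,L,NC]
    RewriteRule ^docs/ - [F,L,NC]

    # Block sensitive root files by name
    RewriteRule ^composer\.(json|lock)$ - [F,L,NC]
    RewriteRule ^package(-lock)?\.json$ - [F,L,NC]
    RewriteRule ^CLAUDE\.md$ - [F,L,NC]

    # Block form definition files (expose spam protection config)
    RewriteRule ^assets/forms/.*\.json$ - [F,L,NC]

    # Block asset data JSON (site config) — uncomment if needed
    # RewriteRule ^assets/data/.*\.json$ - [F,L,NC]

    # ── /_studio/ ──
    # No rule here touches /_studio/; the Studio directory carries its own
    # .htaccess for internal routing. Requests to it are served by the
    # "existing files and directories" rule below.

    # ── Serve existing files and directories directly ──
    # Deliberately placed after the denials above, so an existing vendor/ or
    # .git/ path is refused rather than served verbatim.
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # ── Clean URLs for PHP pages ──
    # /about -> /about.php (when that file exists)
    # NOTE(review): with a trailing slash (/about/) REQUEST_FILENAME ends in
    # "/", so "<path>/.php" is what gets tested and this rule does not fire;
    # such requests fall through to the index.php fallback below. Confirm
    # that is the intended behaviour for the trailing-slash form.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+?)/?$ $1.php [L]

    # ── Fallback to index.php when present ──
    # Front-controller style: every path not handled above reaches index.php,
    # which therefore has to do its own routing and 404 handling.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{DOCUMENT_ROOT}/index.php -f
    RewriteRule ^ index.php [L]

    # ── No index.php? Show the default placeholder ──
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ _studio/data/default-index.php [L]
</IfModule>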

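# ── Security headers ──
# "always" attaches these to every response, including the 403s produced by
# the rewrite rules above and any 404/500 pages; a plain "Header set" only
# applies to successful (2xx) responses, so error pages went out unprotected.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # The legacy XSS auditor has been removed from current engines and, in
    # the browsers that still have it, the "1; mode=block" setting could be
    # abused for cross-site leaks (selectively blocking pages). "0" turns it
    # off explicitly, which is the current OWASP recommendation; real XSS
    # protection has to come from output encoding and a CSP.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Drop PHP's version banner if expose_php is still on; harmless otherwise.
    Header always unset X-Powered-By
    # Not set here because they are site-specific and can break the site if
    # guessed: Content-Security-Policy (needs the real script/style/connect
    # origins), Strict-Transport-Security (only once the site is HTTPS-only),
    # Permissions-Policy. Add them once the values are known.
</IfModule>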

# ── Compression ──
# Deflate the text-like content types, one directive per family so the list
# is easy to extend. Caveat: compressing dynamic HTML that echoes
# request-controlled input on the same page as a per-session secret (CSRF
# token) is the precondition for BREACH; static assets are unaffected.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# ── Caching for static assets ──
# One-year freshness for static assets, grouped by kind (order is not
# significant for ExpiresByType). This is only safe when a changed file also
# gets a new URL (hash in the filename or a version query string); otherwise
# clients keep stale CSS/JS for a year.
<IfModule mod_expires.c>
    ExpiresActive On
    # images
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    # stylesheets and scripts
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    # fonts — assumes the server maps .woff2 to font/woff2 (current Apache
    # mime.types does); confirm on older hosts or add an AddType
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>

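# ── Block dotfiles (except .well-known) ──
# .htaccess is no longer exempted: it never needs to be served over HTTP, and
# the exemption relied on the stock httpd.conf `<Files ".ht*">` denial being
# present on the host. This denies .htaccess, .htpasswd, .env, .DS_Store,
# .gitignore and similar. <FilesMatch> tests only the final path component,
# so it does not reach files *inside* a dot-directory (e.g. .git/config) —
# those depend on the mod_rewrite rules at the top of this file.
<FilesMatch "^\.(?!well-known)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>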

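# ── Block sensitive file types (this directory and everything below it) ──
# <FilesMatch> in .htaccess applies recursively, so this is not limited to
# the root as the old heading said. (?i) makes the extension match
# case-insensitive so DUMP.SQL or backup.BAK is refused too. Compressed dumps
# (foo.sql.gz, backup.zip) and editor leftovers (~, .swp, .orig) are NOT in
# this list; keep such files out of the document root rather than relying on
# an extension denylist.
<FilesMatch "(?i)\.(db|sqlite3?|sql|sh|env|bak|log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>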
