# =============================================================================
# Parent .htaccess
#
# This file sits at the root of the BlackRed application directory.
# Its job is to deny direct browsing of source code, secrets, and config
# files while allowing the public/ subdirectory to be reached.
#
# Apache walks .htaccess files from outer to inner, so rules here apply
# to every URL underneath unless overridden. We explicitly do NOT use a
# blanket "Require all denied" because that would also block public/.
# =============================================================================

# Disable directory listing: a directory without an index file must not be
# rendered as a browsable file list.
# NOTE(review): Options in .htaccess only takes effect when the server config's
# AllowOverride permits it; if it does not, Apache rejects the file — confirm
# the vhost allows this override.
Options -Indexes

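# -----------------------------------------------------------------------------
# Block access to sensitive directories.
# Anything under these paths returns 404 — we use 404 rather than 403 so that
# a probe gets the same response as a non-existent path (no information leak).
#
# Caveats for operators:
#   * These rules exist only while mod_rewrite is loaded. Without it the
#     <IfModule> body is skipped silently and the directories are served
#     (fail-open). Verify the module is enabled on every host, or also place a
#     deny-all .htaccess inside each directory listed here.
#   * Per-directory rewrite rules are not inherited by a subdirectory whose own
#     .htaccess configures mod_rewrite (unless it sets RewriteOptions Inherit).
#     A package under vendor/ that ships an .htaccess could therefore fall
#     outside these rules — audit vendor/ for stray .htaccess files.
# -----------------------------------------------------------------------------
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block source code and operational directories.
    # [NC] keeps a differently-cased path (e.g. SRC/) from slipping past the
    # pattern on a case-insensitive filesystem.
    RewriteRule ^src(/|$)         - [R=404,L,NC]
    RewriteRule ^migrations(/|$)  - [R=404,L,NC]
    RewriteRule ^tests(/|$)       - [R=404,L,NC]
    RewriteRule ^workers(/|$)     - [R=404,L,NC]
    RewriteRule ^config(/|$)      - [R=404,L,NC]
    RewriteRule ^vendor(/|$)      - [R=404,L,NC]
    RewriteRule ^logs(/|$)        - [R=404,L,NC]

    # Block any path containing a segment that starts with a dot (.git/, .svn/,
    # .idea/, ...). A FilesMatch "^\." rule tests only the final filename, so a
    # file inside a dot-directory (.git/config, basename "config") is not
    # covered by it. .well-known/ stays reachable for well-known URIs such as
    # ACME challenges.
    RewriteRule (^|/)\.(?!well-known(/|$)) - [R=404,L]
</IfModule>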

# -----------------------------------------------------------------------------
# Block access to dotfiles and root-level config files.
# These rules use FilesMatch so they fire even if mod_rewrite is unavailable.
#
# Scope: FilesMatch tests only the final filename component. A file named .env
# is denied; a file inside a dot-directory (.git/config, basename "config") is
# NOT matched by this block.
# Response: "Require all denied" / "Deny from all" answer 403 Forbidden, whereas
# the directory rewrite rules in this file answer 404, so the two protections
# are distinguishable to a client.
# -----------------------------------------------------------------------------
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        # Apache 2.4 authorization syntax.
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Fallback for servers without mod_authz_core (Apache 2.2 syntax).
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Deny project metadata files (dependency manifests disclose exact package
# versions; README/NOTICE disclose the product and its layout).
# The match is on the basename only and is case-sensitive, so it applies to a
# file with one of these exact names at any depth under this directory, and a
# differently-cased name (readme.md) is not matched.
# This is a fixed allow-by-default list: any new root-level file that should
# not be served has to be added here by hand.
# Denied requests answer 403 Forbidden, not the 404 used by the directory rules.
<FilesMatch "^(composer\.json|composer\.lock|README\.md|NOTICE\.txt)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 authorization syntax.
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Fallback for servers without mod_authz_core (Apache 2.2 syntax).
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

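# Disable PHP execution at this level (defense in depth — only public/ should run PHP)
#
# The match is case-insensitive and covers .php, .php<digit>, .phtml, .phps,
# .pht and .phar, since some PHP handler configurations map the latter two to
# the interpreter as well.
# A name with a trailing extra extension (x.php.bak) is not matched here;
# whether such a file would execute depends on the server's handler mapping.
# NOTE(review): this .htaccess also governs public/, so PHP files there stay
# denied unless public/.htaccess or the vhost re-grants access — confirm it does.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phps|pht|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Fallback for servers without mod_authz_core, matching the other
    # FilesMatch blocks in this file; without it this rule did nothing there.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>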
