# =============================================================================
# BlackRed USSD — Apache/LiteSpeed config
#
# Two web-accessible entrypoints:
#   - index.php             (Nalo USSD webhook)
#   - callbacks/momo.php    (ANM MoMo settlement callback)
#
# Everything else (lib/, states/, logs/, config.php, migrations/, workers/)
# is denied at the .htaccess level. Defence in depth — even if a deploy
# mistake places these under a web-accessible directory, the server refuses.
# =============================================================================

# Disable auto-generated directory listings, so a directory without an index
# file does not expose its file names.
# NOTE(review): Options is honoured in .htaccess only when the server's
# AllowOverride setting permits it — confirm on the target host.
Options -Indexes

# Deny direct requests for source, schema, log, documentation and
# configuration files by extension (not only PHP). The two entrypoints are
# re-allowed by the <Files> sections further down; those must stay after this
# section, because later <Files>/<FilesMatch> sections override earlier ones.
# NOTE(review): this is a deny-list on the final extension, so backup or editor
# copies (for example a name ending in .bak or ~) are not covered — confirm
# deploys never leave such copies next to config.php.
<FilesMatch "\.(php|sql|log|md|env|ini|conf)$">
    Require all denied
</FilesMatch>

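# Deny entire sensitive directories.
# <DirectoryMatch> is valid only in server or virtual-host configuration:
# Apache rejects it inside .htaccess and then answers every request with a 500,
# and a server that skips unsupported directives would leave these directories
# unprotected. A per-directory rewrite rule is allowed here and refuses any
# path containing one of these directory names as a segment.
# Deliberately not wrapped in <IfModule>: if mod_rewrite is unavailable the
# site should fail closed, not serve these directories.
# NOTE(review): needs AllowOverride FileInfo and FollowSymLinks (or
# SymLinksIfOwnerMatch) enabled for this directory — confirm on the target host.
RewriteEngine On
RewriteRule (?:^|/)(?:lib|states|workers|migrations|logs)(?:/|$) - [F]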

# Allow the Nalo USSD webhook. This section overrides the extension deny only
# because it appears after it.
# NOTE(review): <Files> matches on the base name alone, so the grant applies to
# a file called index.php in any directory below this one, not just the root.
# The directory-level deny is what has to keep such a file unreachable —
# confirm that rule is actually in effect on the target server.
<Files "index.php">
    Require all granted
</Files>

# Allow the ANM callback endpoint. Its directory (callbacks/) is itself
# permitted — only lib/states/workers/migrations/logs are meant to be blocked
# by the directory rule above.
# NOTE(review): <Files> matches on the base name alone, so any file named
# momo.php under this directory tree is granted, not only callbacks/momo.php.
# This section does no caller authentication; that has to happen inside
# momo.php itself — verify against the script.
<Files "momo.php">
    Require all granted
</Files>

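# Block hidden files (.env, .htaccess, etc.). <FilesMatch> tests only the final
# path component, so on its own it does not cover files inside a hidden
# directory: a request for .git/config has the base name "config".
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Refuse any path with a dot-prefixed segment, which covers the contents of
# .git/ and similar directories. .well-known/ keeps its previous behaviour (its
# contents were never covered by the section above) so certificate-validation
# files still work if the host uses them; drop the exemption if it does not.
# Not wrapped in <IfModule>, so a missing mod_rewrite fails closed.
# NOTE(review): needs AllowOverride FileInfo and FollowSymLinks (or
# SymLinksIfOwnerMatch) enabled for this directory — confirm on the target host.
RewriteEngine On
RewriteRule (?:^|/)\.(?!well-known(?:/|$)) - [F]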
