Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On

# Block hidden files/folders (e.g. .env, .git)
RewriteRule "(^|/)\." - [F,L]

# Block internal directories from public access
RewriteRule "^(config|src|storage|docs|lib)(/|$)" - [F,L,NC]

# Block admin-internal scripts (CLI tools + auth class file)
RewriteRule "^admin/(auth|cleanup|test-mail)\.php$" - [F,L,NC]

# Keep direct file-based endpoints, fallback unknown routes to index
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
</IfModule>

<FilesMatch "(^\.|\.(md|log)$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
