# Turn off mod_autoindex directory listings so a directory without an index
# file returns 403 instead of enumerating its contents.
# Needs AllowOverride to permit Options here; otherwise Apache answers 500.
Options -Indexes

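# ── Block sensitive files ─────────────────────────────────────
# Deny direct HTTP access to configuration, library and dependency-manifest
# files. <FilesMatch> tests the file's base name, so the rule also applies to
# same-named files in subdirectories covered by this .htaccess.
# NOTE(review): the pattern is case-sensitive; on a case-insensitive
# filesystem a differently-cased request could still reach the file. Confirm
# the deployment target before relying on this.
<FilesMatch "^(config\.php|lib\.php|composer\.json|composer\.lock|README\.md)$">
  # Apache 2.4+: native authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: legacy syntax, used only when mod_authz_core is absent. On 2.4
  # these directives need mod_access_compat and raise a 500 without it.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>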

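# ── Block data/ except public uploads and generated PDFs ───────
# NOTE(review): everything below is skipped when mod_rewrite is not loaded, so
# the data/ restriction fails open in that case. Keeping private data outside
# the document root, or adding a deny-all .htaccess inside the private
# subdirectories, gives a protection that does not depend on this module.
<IfModule mod_rewrite.c>
  RewriteEngine On

  # 403 for anything under data/ that is not data/uploads/ or data/pdfs/.
  RewriteRule ^data/(?!(uploads|pdfs)(/|$)) - [F,L]

  # Defense in depth: never serve PHP-style script names from the two public
  # directories, so a stored file cannot be executed by requesting it. The
  # trailing group also covers double extensions and path-info requests.
  # NOTE(review): upload validation is not visible in this file; this rule
  # complements it and does not replace it.
  RewriteRule ^data/(?:uploads|pdfs)/.*\.(?:php\d*|phtml|pht|phar)(?:[./]|$) - [F,NC]

  # api/auth.php is a direct file — let it serve itself, no rewrite
  RewriteRule ^api/auth\.php$ - [L]

  # Route all other /api/* to api/index.php (only when not a real file/dir).
  # QSA keeps the original query string on the rewritten request.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^api/(.*)$ api/index.php [L,QSA]
</IfModule>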

# PHP runtime limits for request handling and uploads.
# NOTE(review): mod_php.c is the module file name used by PHP 8; PHP 7 builds
# register as mod_php7.c, and PHP-FPM/CGI setups ignore php_value entirely
# (use .user.ini or the pool configuration there). Confirm these limits are
# actually in effect on the target server.
<IfModule mod_php.c>
  # Resource ceilings per request.
  php_value memory_limit 128M
  php_value max_execution_time 60
  # Whole request body cap; kept above upload_max_filesize so a maximum-size
  # file plus the other form fields still fits.
  php_value post_max_size 25M
  # Largest single uploaded file.
  php_value upload_max_filesize 20M
</IfModule>
