# URL rewriting: installer gating, trailing-slash normalisation, front controller.
# Rules are evaluated top to bottom; [L] ends the current rewrite pass.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Pass any request whose path starts with /install.php through unchanged
    # ("-" means no substitution).
    # NOTE(review): this rule does not consult installed.lock, so as far as this
    # file is concerned the installer stays reachable after installation.
    # Confirm install.php itself refuses to run once the lock exists.
    RewriteCond %{REQUEST_URI} ^/install\.php
    RewriteRule ^ - [L]

    # Same pass-through for /setup.php; it is likewise not gated on the lock here.
    RewriteCond %{REQUEST_URI} ^/setup\.php
    RewriteRule ^ - [L]

    # While storage/app/installed.lock is missing, send every other request to
    # install.php?redirect=1. There is no R flag, so this is an internal rewrite
    # rather than an HTTP redirect; QSA appends the original query string.
    # Requests ending in one of the listed static-asset extensions are exempt.
    # The lock file is looked up one level above the document root.
    RewriteCond %{REQUEST_URI} !^/install\.php
    RewriteCond %{REQUEST_URI} !^/setup\.php
    RewriteCond %{REQUEST_URI} !\.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf)$
    RewriteCond %{DOCUMENT_ROOT}/../storage/app/installed.lock !-f
    RewriteRule ^.*$ install.php?redirect=1 [L,QSA]

    # Strip a trailing slash with a 301 redirect, unless the request maps to a
    # real directory. %1 is the path captured by the second condition.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Front controller: anything that is not an existing file or directory is
    # handled by index.php.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L,QSA]
</IfModule>

# Prevent directory listing: a directory without an index file is refused
# instead of being shown as an auto-generated file list.
# This only takes effect if the server configuration allows Options to be
# overridden from .htaccess (AllowOverride).
Options -Indexes

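# Security headers
# "always" attaches each header to every response, including Apache-generated
# error pages and redirects, which a plain "Header set" (onsuccess) does not
# cover. The preceding "onsuccess unset" removes any copy the application
# already emitted, so the client receives exactly one value per header.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    # Allow framing by same-origin pages only (clickjacking defence).
    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy header: current browsers no longer ship the XSS filter it
    # controlled, so it gives no protection there. Value kept as the author set it.
    # NOTE(review): this file sets no Content-Security-Policy; confirm the
    # application sends one.
    Header onsuccess unset X-XSS-Protection
    Header always set X-XSS-Protection "1; mode=block"

    # Send the full URL as referrer to the same origin, only the origin to
    # other origins, and nothing on an HTTPS-to-HTTP downgrade.
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>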

# PHP runtime limits. These apply only when PHP runs as the Apache module that
# identifies itself as mod_php.c; under PHP-FPM/CGI, or a module built under a
# different name, the block is skipped silently and the server defaults apply.
# NOTE(review): confirm which PHP handler production uses.
<IfModule mod_php.c>
    # Per-request ceilings on memory and run time.
    php_value memory_limit 256M
    php_value max_execution_time 300

    # Upload limits.
    # NOTE(review): post_max_size equals upload_max_filesize. The request body
    # also carries multipart framing and any other form fields, so an upload at
    # the full 50M would exceed the POST limit. Confirm the intended ceiling.
    php_value post_max_size 50M
    php_value upload_max_filesize 50M
</IfModule>

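# Deny access to dotfiles (file names beginning with "."), e.g. .htaccess or .env.
# FilesMatch tests the file name only, so files stored inside a dot-directory
# are not covered by this rule.
# NOTE(review): confirm no such directory sits under the document root.
<FilesMatch "^\.">
    # Apache 2.4+: native authorization syntax. Without this branch, a 2.4
    # server lacking mod_access_compat rejects Order/Deny as unknown directives
    # and answers every request with a server error.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, where mod_authz_core does not exist: legacy syntax.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>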

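# Deny access to dependency manifests and environment files. The pattern is
# anchored at the end only, so it matches any file name ending in
# composer.json, composer.lock, package.json or .env.
<FilesMatch "(composer\.(json|lock)|package\.json|\.env)$">
    # Apache 2.4+: native authorization syntax. Without this branch, a 2.4
    # server lacking mod_access_compat rejects Order/Deny as unknown directives
    # and answers every request with a server error.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, where mod_authz_core does not exist: legacy syntax.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>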
