# NV ETOS Workspace — PROJECT ROOT hardening (defense in depth).
#
# The correct setup points your (sub)domain's document root at the public/
# sub-folder, so this project root is NOT web-served at all and these rules
# never run. They exist only as a safety net in case the document root is ever
# mistakenly pointed at the project root: they block direct access to every
# non-public folder (config, source, database scripts, storage, dev tooling).

Options -Indexes

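# Block direct browser access to the non-public folders and project docs.
# RedirectMatch tests the full URL path, so these patterns only match when the
# project root itself is the document root (the misconfiguration guarded against).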
RedirectMatch 403 ^/?(config|src|database|storage|dev|templates)(/|$)
RedirectMatch 403 ^/?(README|DEPLOYMENT|deployment)\.md$
RedirectMatch 403 ^/?\.gitignore$

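# Deny dotfiles (Apache 2.4 syntax). FilesMatch tests only the file's base name,
# so this does not cover non-dot files inside dot-directories (e.g. .git/HEAD).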
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
