# Turn off auto-generated directory listings (Indexes) and content
# negotiation (MultiViews), so a URL only resolves to a file requested by name.
# The host must allow Options overrides (AllowOverride) for this line to be accepted.
Options -Indexes -MultiViews

# Block access to hidden files such as .env and other dotfiles.
# FilesMatch tests only the file name (last path component), not the full
# path, so a file inside a dot-directory (for example .git/config, whose name
# is "config") is not matched here. When mod_rewrite is loaded, the rewrite
# block in this file routes such requests into /public instead.
<FilesMatch "^\.">
    # Apache 2.2 syntax, used only when mod_authz_core is not loaded.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    # Apache 2.4 syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>

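# Rules run top to bottom; each [L] ends the current pass. In a per-directory
# (.htaccess) context the rules are applied again after an internal rewrite,
# which is why the /public pass-through near the end is required.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Never serve application internals or planning files if the project root is web reachable.
    # These rules answer 403 (F); "-" means no substitution and NC ignores case.
    # They come first, so a denied path is refused before any redirect is issued.
    RewriteRule ^(?:app|bootstrap|config|database|resources|routes|tests|vendor)(?:/|$) - [F,L,NC]
    # The pattern is quoted because one file name contains spaces. Unquoted,
    # mod_rewrite splits the line at the first space, treats the following words
    # as the substitution and flags, and rejects the directive, which makes
    # every request to this directory fail with a server error.
    RewriteRule "^(?:README-FIRST-DEPLOY\.md|NAMECHEAP-SHARED-HOSTING-CHECKLIST\.md|Website Build Requirements for Codex\.txt|deep-research-report-[0-9]+\.md)$" - [F,L,NC]

    # Canonical production host and HTTPS for the main domain, while preserving other subdomains such as go.
    # The bare domain goes straight to https://www in a single redirect.
    # NE keeps the already-encoded request URI from being escaped a second time.
    RewriteCond %{HTTP_HOST} ^consultmosaic\.com$ [NC]
    RewriteRule ^ https://www.consultmosaic.com%{REQUEST_URI} [R=301,L,NE]

    # Upgrade any remaining plain-HTTP request to HTTPS on the same host.
    # NOTE(review): the redirect target reuses the request's Host header, so it
    # relies on the server routing only expected hostnames to this site - confirm
    # with the hosting configuration.
    # NOTE(review): if TLS is terminated in front of Apache (CDN or proxy),
    # %{HTTPS} may never read "on" and this rule would redirect in a loop - confirm.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]

    # If the request already points inside /public, do not rewrite again.
    # This also stops the fallback below from looping on its own output.
    RewriteRule ^public/ - [L]

    # Fallback for shared hosting setups where the domain points at the project root instead of /public.
    # Every remaining path is mapped into public/, so files in the project root
    # are not served by their own path.
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>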
