# LifeOS API — route everything through index.php
RewriteEngine On
RewriteBase /
# Block direct access to lib/, config/, sql/
RewriteRule ^(config|lib|sql)/ - [F,L]
# Pass through real files (avatars, etc)
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]
# Everything else → index.php
RewriteRule ^ index.php [QSA,L]

# CORS — adjust origin in production
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
Header always set Access-Control-Max-Age "86400"

# Hide PHP
ServerSignature Off
