# The Wooden Spoon - .htaccess
# Based on V2 live implementation with clean URLs enhancement

# Enable URL rewriting
RewriteEngine On

# Base path for rewrites
RewriteBase /

# Legacy static URLs → canonical clean URLs (PHP stack)
RewriteRule ^index\.html$ / [R=301,L]
RewriteRule ^([a-zA-Z0-9_-]+)\.html$ /$1? [R=301,L]

# Handle root (/) FIRST - before other checks
RewriteCond %{REQUEST_URI} ^(/|/index|/index\.php)$
RewriteCond %{DOCUMENT_ROOT}/dynamic/index.php -f
RewriteRule ^(|index|index\.php)$ dynamic/index.php [L]

# Skip rewriting if file/directory exists (for assets, etc.)
# BUT exclude root directory from this check
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !^/$
RewriteRule ^ - [L]

# Customer portal (catering / bread accounts)
RewriteRule ^customer/(login|register|dashboard|logout|settings|reorder-bread|reorder-catering|forgot-password|reset-password)(\.php)?/?$ dynamic/customer/$1.php [L]

# Handle other PHP files (e.g., menus.php, about.php) - route to dynamic/
RewriteRule ^([a-zA-Z0-9_-]+)\.php$ dynamic/$1.php [L]

# Clean URLs → dynamic PHP (single segment)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/assets/
RewriteRule ^([a-zA-Z0-9_-]+)$ dynamic/$1.php [L]

# Hard failures when PHP cannot run — minimal static page (not a full site duplicate)
ErrorDocument 500 /public/service-unavailable.html
ErrorDocument 503 /public/service-unavailable.html

DirectoryIndex index.php

# Enable compression (if supported)
# Gzip compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json
</IfModule>

# Brotli compression (better than gzip if supported)
<IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css
    AddOutputFilterByType BROTLI_COMPRESS application/javascript application/json
    AddOutputFilterByType BROTLI_COMPRESS application/xml application/xhtml+xml application/rss+xml
</IfModule>

# Browser caching (if supported)
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/avif "access plus 1 month"
</IfModule>

# Security headers (if supported)
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-XSS-Protection "1; mode=block"
    # Content Security Policy - Allow Font Awesome from CDN, Chart.js, and Google Maps iframes
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: https:; connect-src 'self' https://maps.googleapis.com https://maps.gstatic.com https://cdnjs.cloudflare.com; frame-src 'self' https://www.google.com https://maps.googleapis.com https://maps.gstatic.com;"
</IfModule>

# Allow embedding PDFs on same-origin pages (override frame options for PDFs)
<IfModule mod_headers.c>
  <FilesMatch "\.(?i:pdf)$">
    Header unset X-Frame-Options
    Header set X-Frame-Options SAMEORIGIN
  </FilesMatch>
</IfModule>

# Serve next-gen image formats with correct MIME types
AddType image/avif avif
AddType image/webp webp

# Prevent access to sensitive files
<Files "*.log">
    Order allow,deny
    Deny from all
</Files>

<Files ".htaccess">
    Order allow,deny
    Deny from all
</Files>