Options -Indexes

# Block direct access to sensitive directories
<IfModule mod_authz_core.c>
  <FilesMatch "^(config\.php|gitlib\.php|setup\.php)$">
    Require all denied
  </FilesMatch>
</IfModule>

# Route everything through index.php
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # /admin and /admin?tab=... → admin.php directly (avoids function redeclaration)
  RewriteRule ^admin$ admin.php [QSA,L]

  # Allow real files and directories (avatars, etc.)
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # Everything else → index.php
  RewriteRule ^ index.php [QSA,L]
</IfModule>
