<IfModule mod_rewrite.c>
  # Everything in this section is skipped silently when mod_rewrite is not
  # loaded; only the extensionless convenience URLs below depend on it.
  # NOTE(review): the patterns have no leading slash, which is how rules in
  # per-directory context (.htaccess / <Directory>) see the path - confirm
  # where this file is loaded.
  RewriteEngine On

  # Map /api/<endpoint> to api/<endpoint>.php so clients can omit ".php".
  # The two conditions skip the rewrite when the requested path already
  # names an existing file (-f) or directory (-d).
  # The capture admits only letters, digits, "_" and "-", so a name
  # containing "." or "/" never matches and cannot steer the substitution
  # outside api/ or onto a different extension.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^api/([a-zA-Z0-9_-]+)$ api/$1.php [L]

  # Map /checkout/success and /checkout/cancel to their .html pages.
  # The alternation is a fixed allow-list: no other checkout/ path is rewritten.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^checkout/(success|cancel)$ checkout/$1.html [L]
</IfModule>

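# Deny HTTP access to the configuration, database and migration scripts by
# file name. <FilesMatch> tests the base name only, so the rule applies in
# every directory this file governs.
# The match is exact and case-sensitive: copies such as "config.php.bak" are
# not covered and should not be kept under the web root.
# NOTE(review): on a case-insensitive filesystem a differently-cased request
# would not match this pattern - confirm the deployment target.
<FilesMatch "^(config\.php|db\.php|migrate\.php)$">
  # Apache 2.4+: mod_authz_core syntax. In .htaccess this needs
  # AllowOverride AuthConfig; without it the server answers with an error
  # instead of serving the file.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: legacy syntax. On 2.4 these directives exist only when
  # mod_access_compat is loaded, hence the module switch.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>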

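# Deny HTTP access to internal directories.
# <DirectoryMatch> is accepted only in server or virtual-host configuration;
# in a per-directory file (.htaccess) it is a configuration error and every
# request fails. The slash-less rewrite patterns in this file indicate
# per-directory context, so the rule is expressed with RedirectMatch
# (mod_alias), which is valid in both contexts and takes the same regex,
# applied to the URL path instead of the filesystem path.
# Deliberately not wrapped in <IfModule>: if mod_alias is missing the server
# reports a configuration error rather than silently serving these folders.
# NOTE(review): URL-path matching does not cover content reached through an
# Alias or symlink under another name; keeping these directories outside the
# document root, or denying them in a <Directory> block in the main server
# configuration, is the stronger control.
RedirectMatch 403 /(lib|migrations|tools|data)/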
