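# Force HTTPS and a single canonical host in one redirect
<IfModule mod_rewrite.c>
    RewriteEngine On

    # One 301 covers both cases (plain HTTP, or a www. host on either scheme),
    # so http://www.<host>/path lands on https://<host>/path in one hop instead
    # of the two the separate HTTPS and www rules produced.
    # %1 is the capture of the last RewriteCond that was evaluated: the host
    # with any leading "www." removed. The query string is carried over
    # automatically because the substitution contains no "?". A request with
    # an empty Host header fails the third condition and is left alone.
    # To keep the www. host instead, drop the second RewriteCond and the
    # "(?:www\.)?" group from the third.
    # NOTE(review): %{HTTPS} reflects the connection Apache itself terminated;
    # behind a TLS-offloading proxy it is "off" for every request and this
    # rule would loop - confirm the deployment before relying on it.
    RewriteCond %{HTTPS} off [OR]
    RewriteCond %{HTTP_HOST} ^www\. [NC]
    RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]
</IfModule>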

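# Security Headers
<IfModule mod_headers.c>
    # HSTS for 1 year on this host and every subdomain. "preload" opts the
    # domain into the browsers' built-in lists, which is effectively
    # permanent and requires every subdomain to serve HTTPS - keep it only
    # once that holds. Browsers ignore the header on plain-HTTP responses,
    # so sending it unconditionally ("always") is harmless.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Prevent clickjacking (CSP frame-ancestors is the modern superset)
    Header always set X-Frame-Options "SAMEORIGIN"

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Disable the legacy XSS auditor. Current browsers no longer ship it, and
    # in the ones that did the filter itself leaked cross-site information,
    # so the OWASP recommendation is "0" (or omitting the header) rather
    # than "1; mode=block".
    Header always set X-XSS-Protection "0"

    # Referrer policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # No Content-Security-Policy is set here. It is the control that actually
    # limits script injection and framing; its source lists depend on what the
    # SPA, the PHP blog and the OAuth flow load, so it has to be written for
    # this app rather than copied.
</IfModule>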

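# Compression
<IfModule mod_deflate.c>
    # Text-like types only: raster images, fonts and the APK/IPA archives are
    # already compressed and gain nothing. SVG and the web app manifest are
    # text and compress well, so they are included.
    # NOTE(review): compressing a dynamic response that echoes request data
    # next to a secret (e.g. JSON from the PHP blog) exposes a BREACH-style
    # side channel; static assets are unaffected. Confirm for such endpoints.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json image/svg+xml application/manifest+json
</IfModule>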

# MIME Types for APK/IPA files
<IfModule mod_mime.c>
    # Android package type; the ExpiresByType entry below keys off this type
    # to disable caching.
    AddType application/vnd.android.package-archive .apk
    # There is no registered type for .ipa; octet-stream serves it as a
    # generic binary download.
    AddType application/octet-stream .ipa
</IfModule>

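# Prevent caching for version.json (CRITICAL for version check)
<FilesMatch "version\.json$">
    <IfModule mod_headers.c>
        # "always" applies the headers to every response for this file,
        # including error responses, rather than only 2xx as plain "set"
        # does - the same form the security-headers block uses.
        # Pragma and Expires are the HTTP/1.0 fallbacks for Cache-Control.
        Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
        Header always set Pragma "no-cache"
        Header always set Expires "0"
    </IfModule>
    <IfModule mod_expires.c>
        # Keep mod_expires from adding its own Expires/Cache-Control here.
        ExpiresActive Off
    </IfModule>
</FilesMatch>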

# Browser Caching
# Only the types listed here get an Expires/Cache-Control header; there is
# no ExpiresDefault, so any other type (application/json included) is left
# to the browser's own heuristics.
<IfModule mod_expires.c>
    ExpiresActive On

    # Images
    # NOTE(review): the one-year and one-month lifetimes below assume the
    # build emits a new filename whenever content changes - confirm.
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # CSS and JavaScript
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"

    # Fonts (both the registered and the legacy application/font-* names)
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"

    # HTML - the SPA shell must be re-fetched so new asset hashes are picked up
    ExpiresByType text/html "access plus 0 seconds"

    # Manifest
    ExpiresByType application/manifest+json "access plus 1 week"

    # APK/IPA files - no cache (always download fresh)
    # application/octet-stream is the generic binary type, so the second line
    # applies to every octet-stream response, not only .ipa.
    ExpiresByType application/vnd.android.package-archive "access plus 0 seconds"
    ExpiresByType application/octet-stream "access plus 0 seconds"
</IfModule>

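# SPA Routing - Redirect all requests to index.html
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Refuse any URL that enters a VCS directory or names an .env file at any
    # depth (e.g. /.git/HEAD, /api/.env). The <FilesMatch> sections further
    # down only see the basename ("HEAD"), so they cannot cover these paths.
    # In .htaccess context the pattern is matched against the path relative
    # to this directory, hence the (^|/) alternative. F implies L.
    RewriteRule (^|/)\.(git|svn|hg|env)(/|$) - [NC,F]

    # Allow assetlinks verification for Android App Links
    RewriteRule ^\.well-known/ - [L]

    # Route /oauth to SPA (OAuthBridge)
    RewriteRule ^oauth/?$ /index.html [L]

    # Allow blog endpoint to be processed by PHP
    RewriteRule ^blog(/.*)?$ - [L]

    # CRITICAL: Allow direct access to /files/ directory (for APK/IPA downloads)
    # Anything under /files/, or any .apk/.ipa path, is left to the filesystem
    # (a missing file is a 404, not the SPA shell).
    RewriteCond %{REQUEST_URI} ^/files/ [OR]
    RewriteCond %{REQUEST_URI} \.(apk|ipa)$ [NC]
    RewriteRule ^ - [L]

    # CRITICAL: Allow OAuth callback page (legacy)
    RewriteCond %{REQUEST_URI} ^/oauth-callback\.html$ [NC]
    RewriteRule ^ - [L]

    # Do not rewrite static files
    # Existing files and directories are served as-is; a directory with no
    # index file is then governed by "Options -Indexes" below, not the fallback.
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # SPA fallback: everything else is answered by the app shell
    RewriteRule ^ index.html [L]
</IfModule>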

# Serve assetlinks.json with correct MIME type
<FilesMatch "assetlinks\.json$">
    <IfModule mod_headers.c>
        # .json is usually typed by mime.types already; this pins it regardless.
        Header set Content-Type "application/json"
        # Public verification document with no credentials, so a wildcard
        # origin exposes nothing.
        Header set Access-Control-Allow-Origin "*"
    </IfModule>
</FilesMatch>

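# Serve apple-app-site-association with correct MIME type (iOS Universal Links)
<FilesMatch "apple-app-site-association$">
    # The file has no extension, so mod_mime cannot type it. ForceType is a
    # core directive and sets the type even when mod_headers is not loaded;
    # the Header line below is kept as the previous mechanism.
    ForceType application/json
    <IfModule mod_headers.c>
        Header set Content-Type "application/json"
        # Public verification document with no credentials, so a wildcard
        # origin exposes nothing.
        Header set Access-Control-Allow-Origin "*"
    </IfModule>
</FilesMatch>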

# Disable directory browsing: a directory without an index file returns 403
# instead of a listing.
# NOTE(review): Options in .htaccess needs AllowOverride Options (or All) in
# the server config; without it the whole directory fails with a 500 - confirm.
Options -Indexes

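# Protect sensitive files: any dotfile (.htaccess, .env, .gitignore, ...)
<FilesMatch "^\.">
    # <FilesMatch> only sees the basename, so this does not cover files inside
    # a dot-directory such as .git/HEAD; those must be refused by URL path.
    <IfModule mod_authz_core.c>
        # Apache 2.4 authorization
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (on 2.4 these directives need mod_access_compat)
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>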

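# Protect package files
# Unanchored pattern: matches any basename containing one of these strings
# (.env.local and .gitignore included). Dotfiles are already denied by the
# "^\." section above; the package manifests are what this section adds.
<FilesMatch "(package\.json|package-lock\.json|\.env|\.git)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 authorization
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (on 2.4 these directives need mod_access_compat)
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>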
