commit basic

public/.htaccess

@@ -0,0 +1,32 @@
+# -------------------------------------------------
+# Apache Front Controller Setup (public/.htaccess)
+# -------------------------------------------------
+
+RewriteEngine On
+
+# Sicherheit: keine Directory Listings
+Options -Indexes
+
+# -------------------------------------------------
+# 1) Assets DIREKT ausliefern
+# -------------------------------------------------
+RewriteRule ^assets/ - [L]
+
+# -------------------------------------------------
+# 2) page/ von außen sperren (nur intern per require nutzbar)
+# -------------------------------------------------
+RewriteRule ^page/ - [F,L]
+
+# -------------------------------------------------
+# 3) Alles andere an den Front Controller
+# -------------------------------------------------
+RewriteRule ^ index.php [L]
+
+# -------------------------------------------------
+# 4) (Optional) Zusätzliche Sicherheits-Header
+# -------------------------------------------------
+<IfModule mod_headers.c>
+    Header set X-Frame-Options "SAMEORIGIN"
+    Header set X-Content-Type-Options "nosniff"
+    Header set Referrer-Policy "strict-origin-when-cross-origin"
+</IfModule>

public/assets/app.css

@@ -0,0 +1 @@
+/* minimal css placeholder */

public/assets/app.js

@@ -0,0 +1 @@
+console.log('mini example loaded');

public/index.php

@@ -0,0 +1,88 @@
+<?php
+declare(strict_types=1);
+
+// boot application (config, autoload, services)
+require_once __DIR__ . '/../config/fileload.php';
+
+// Staging-Access-Protection (Basic Auth)
+$uriPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
+$uriPath = preg_replace('~/{2,}~', '/', $uriPath);
+$uriPath = trim($uriPath, '/');
+$isRetoolPath = ($uriPath === 'retool' || str_starts_with($uriPath, 'retool/'));
+if (defined('APP_ENV') && APP_ENV === 'staging' && !$isRetoolPath) {
+    $authUser = getenv('STAGING_AUTH_USER') ?: 'staging';
+    $authPass = getenv('STAGING_AUTH_PASS') ?: 'staging123';
+    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
+    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
+    if ($user !== $authUser || $pass !== $authPass) {
+        header('WWW-Authenticate: Basic realm="Staging"');
+        header('HTTP/1.0 401 Unauthorized');
+        echo 'Unauthorized';
+        exit;
+    }
+}
+
+// Sicherheitscheck
+if (str_contains($uriPath, '..')) {
+    http_response_code(400);
+    exit('Bad request');
+}
+
+// Root → page/index.php
+if ($uriPath === '' || $uriPath === 'index' || $uriPath === 'index.php') {
+    $target = __DIR__ . '/page/index.php';
+} else {
+    $base = __DIR__ . '/page/' . $uriPath;
+    // 1) Verzeichnis mit index.php
+    if (is_dir($base) && is_file($base . '/index.php')) {
+        $target = $base . '/index.php';
+    }
+    // 2) Datei
+    elseif (is_file($base . '.php')) {
+
+        $target = $base . '.php';
+    }
+    // 3) 404
+    elseif (is_file($base)) {
+
+        $target = $base;
+    }
+    // 3) 404
+    else {
+        http_response_code(404);
+        $target = __DIR__ . '/page/404.php';
+    }
+}
+// ------------------------------------
+// Layout-Regel
+// ------------------------------------
+$skipLayout = false;
+$targetReal = realpath($target);
+
+// Beispiel: alles unter /page/raw/* ohne Layout
+if ($targetReal && str_starts_with($targetReal, realpath(__DIR__ . '/page/retool'))) {
+    $skipLayout = true;
+}
+
+// ------------------------------------
+// Ausgabe
+// ------------------------------------
+// Erst Inhalt laden (ohne Ausgabe), damit Header/Redirects vor HTML funktionieren
+ob_start();
+require $target;
+$content = ob_get_clean();
+
+// Wenn bereits Header gesendet wurden (z. B. eigener Redirect/Content-Type), Layout überspringen
+if (headers_sent()) {
+    $skipLayout = true;
+}
+
+if (!$skipLayout) {
+    tpl('layout_start', 'structure');
+}
+
+echo $content;
+
+if (!$skipLayout) {
+    tpl('layout_end', 'structure');
+}

public/page/index.php

@@ -0,0 +1,3 @@
+<?php
+
+echo "test";