# Protect secret/internal files first (wins over any Satisfy Any below).
<Files "tokens.php">
    Require all denied
</Files>
<Files "new-token.php">
    Require all denied
</Files>
<Files "_wormhole-access.md">
    Require all denied
</Files>

# The MCP endpoint. If this folder sits under HTTP Basic Auth, this exempts it
# (uses the wormhole's own bearer token instead). Harmless if there's no Basic Auth.
<Files "mcp.php">
    Satisfy Any
    Require all granted
</Files>

# Forward the Authorization header to PHP (Apache eats it otherwise).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
</IfModule>
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
