fix(envlite): block .ht* paths in router so SQLite DB is not downloadable

php -S does not honor Apache .ht* deny rules, so a request for
/wp-content/database/.ht.sqlite would be served as a static binary by
the existing-file passthrough.

Author: sirreal

tools/local-env/router.php

@@ -1,5 +1,13 @@
 <?php
 $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
+
+// php -S does not honor Apache .ht* deny rules. Block any segment so the
+// SQLite DB at wp-content/database/.ht.sqlite is not downloadable.
+if (preg_match('#(^|/)\.ht#', $path)) {
+    http_response_code(403);
+    return true;
+}
+
 $file = dirname(__DIR__, 2) . '/src' . $path;
 if ($path !== '/' && file_exists($file) && !is_dir($file)) {
     return false;