env exposure

Laravel apps' .env was readable by the whole world — the most common shared-hosting mistake

The cause: the whole app sat under the web root; only public/ should be visible. Fix in three steps — .htaccess first aid, rotate keys, restructure — then prevent it with process.