diff --git a/internal/api/router.go b/internal/api/router.go
index dcbcb26..280d735 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -55,21 +55,10 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
 dashH := handlers.NewDashboardHandler(engine)
 // ── Git smart-HTTP transport ───────────────────────────────────────────────
- // These routes MUST be registered before the SPA catch-all and outside CSRF.
- // Git clients use HTTP Basic Auth, not the cookie/CSRF flow.
- r.Route("/{owner}/{repoGit}", func(r chi.Router) {
- // Only activate for paths ending in .git
- r.Use(func(next http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
- rg := chi.URLParam(req, "repoGit")
- if len(rg) < 5 || rg[len(rg)-4:] != ".git" {
- // Not a git URL — skip to the next router
- http.NotFound(w, req)
- return
- }
- next.ServeHTTP(w, req)
- })
- })
+ // Regex constraint ensures only *.git paths match, so asset/SPA URLs
+ // with two path segments (e.g. /assets/main.js) fall through to the
+ // SPA catch-all instead of being swallowed here.
+ r.Route("/{owner}/{repoGit:.*\\.git}", func(r chi.Router) {
 r.Get("/info/refs", gitH.ServeGit)
 r.Post("/git-upload-pack", gitH.ServeGit)
 r.Post("/git-receive-pack", gitH.ServeGit)
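Review bot: The new route pattern `{repoGit:.*\\.git}` accepts a segment that is exactly `.git`, which the removed middleware rejected through its `len(rg) < 5` guard, so `gitH.ServeGit` can now be reached with an empty repository name. Requiring at least one character restores the old bound: `r.Route("/{owner}/{repoGit:.+\\.git}", func(r chi.Router) {`. How `ServeGit` treats an empty name is not visible here, and the `r.Route` closure continues past the end of the hunk, so this should be checked against the handler. The rewrite also drops the comment recording that these routes sit outside CSRF because Git clients authenticate with HTTP Basic Auth. That invariant is worth keeping next to the route, e.g. `// Registered outside CSRF: Git clients use HTTP Basic Auth, not the cookie/CSRF flow.`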