Diffstat (limited to 'cmd/dashboard')
-rw-r--r--cmd/dashboard/main.go22
1 files changed, 20 insertions, 2 deletions
diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go
index 68d3484..437420d 100644
--- a/cmd/dashboard/main.go
+++ b/cmd/dashboard/main.go
@@ -156,8 +156,10 @@ func main() {
r.Use(middleware.Recoverer)
r.Use(middleware.Timeout(config.RequestTimeout))
r.Use(appmiddleware.SecurityHeaders(cfg.Debug)) // Security headers
- r.Use(sessionManager.LoadAndSave) // Session middleware must be applied globally
- r.Use(authHandlers.Middleware().CSRFProtect) // CSRF protection
+ r.Use(sessionManager.LoadAndSave) // Session middleware must be applied globally
+
+ // Initialize Claudomator reverse proxy
+ claudomatorProxy := handlers.NewClaudomatorProxy(cfg.ClaudomatorURL)
// Rate limiter for auth endpoints
authRateLimiter := appmiddleware.NewRateLimiter(config.AuthRateLimitRequests, config.AuthRateLimitWindow)
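Review bot: Dropping the global `r.Use(authHandlers.Middleware().CSRFProtect)` removes CSRF checking from every route registered outside the "Protected routes" group, not only from the new proxy paths. The auth endpoints that the rate limiter below is built for were presumably covered by the global middleware before; whether they re-apply CSRFProtect is not visible in this hunk, so confirm it, since a login or logout form without a token check is open to cross-site submission. A narrower change would keep the global middleware and exempt only the paths that cannot carry a token, or else add `r.Use(authHandlers.Middleware().CSRFProtect)` to the auth route group as well. main's body starts and ends outside the hunk.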
@@ -218,8 +220,24 @@ func main() {
})
})
+ // Claudomator proxy routes
+ // /claudomator (no trailing slash) -> 301 redirect
+ r.Get("/claudomator", func(w http.ResponseWriter, r *http.Request) {
+ http.Redirect(w, r, "/claudomator/", http.StatusMovedPermanently)
+ })
+
+ // GitHub webhook: no auth (GitHub POSTs with HMAC, no session)
+ r.Post("/claudomator/api/webhooks/github", claudomatorProxy.ServeHTTP)
+
+ // All other Claudomator routes: RequireAuth only, no CSRF
+ r.Group(func(r chi.Router) {
+ r.Use(authHandlers.Middleware().RequireAuth)
+ r.Handle("/claudomator/*", claudomatorProxy)
+ })
+
// Protected routes (auth required)
r.Group(func(r chi.Router) {
+ r.Use(authHandlers.Middleware().CSRFProtect)
r.Use(authHandlers.Middleware().RequireAuth)
// Dashboard
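Review bot: The `/claudomator/*` group relies on the session cookie alone (`RequireAuth`, no `CSRFProtect`), so state-changing requests proxied upstream are only protected if the session cookie is SameSite-restricted or the upstream checks Origin. Neither is visible here, so the comment should name which control applies, e.g. `// No CSRF token: relies on SameSite session cookie; upstream must reject cross-origin writes`. The webhook route is reachable without authentication, and the dashboard forwards it without checking the HMAC itself, so document that dependency next to the route: `// SECURITY: unauthenticated; upstream must verify X-Hub-Signature-256 before acting on the body`. It would also be worth capping the forwarded body with `http.MaxBytesReader`. Finally, check that `NewClaudomatorProxy` does not pass the dashboard's session cookie to the upstream on this path. main's body continues outside the hunk.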