@agent-native/dispatch 0.6.0 → 0.7.0

package/src/actions/index.ts

@@ -3,6 +3,7 @@ import approveDispatchChange from "./approve-dispatch-change.js";
 import approveVaultRequest from "./approve-vault-request.js";
 import archiveWorkspaceApp from "./archive-workspace-app.js";
 import createLinkToken from "./create-link-token.js";
+import createPylonTicket from "./create-pylon-ticket.js";
 import createVaultGrant from "./create-vault-grant.js";
 import createVaultSecret from "./create-vault-secret.js";
 import createWorkspaceResourceGrant from "./create-workspace-resource-grant.js";
@@ -14,6 +15,7 @@ import denyVaultRequest from "./deny-vault-request.js";
 import getAppCreationSettings from "./get-app-creation-settings.js";
 import getAgentThreadDebug from "./get-agent-thread-debug.js";
 import getDispatchSettings from "./get-dispatch-settings.js";
+import getVaultAccessSettings from "./get-vault-access-settings.js";
 import getWorkspaceInfo from "./get-workspace-info.js";
 import grantWorkspaceResourcesToApp from "./grant-workspace-resources-to-app.js";
 import grantVaultSecretsToApp from "./grant-vault-secrets-to-app.js";
@@ -47,11 +49,13 @@ import searchAgentThreads from "./search-agent-threads.js";
 import sendPlatformMessage from "./send-platform-message.js";
 import setAppCreationSettings from "./set-app-creation-settings.js";
 import setDispatchApprovalPolicy from "./set-dispatch-approval-policy.js";
+import setVaultAccessSettings from "./set-vault-access-settings.js";
 import startWorkspaceAppCreation from "./start-workspace-app-creation.js";
 import syncVaultToApp from "./sync-vault-to-app.js";
 import syncWorkspaceResourcesToAll from "./sync-workspace-resources-to-all.js";
 import syncWorkspaceResourcesToApp from "./sync-workspace-resources-to-app.js";
 import unarchiveWorkspaceApp from "./unarchive-workspace-app.js";
+import updateWorkspaceAppMetadata from "./update-workspace-app-metadata.js";
 import updateVaultSecret from "./update-vault-secret.js";
 import updateWorkspaceResource from "./update-workspace-resource.js";
 import upsertDestination from "./upsert-destination.js";
@@ -68,6 +72,7 @@ export const dispatchActions: Record<string, ActionEntry> = {
   "approve-vault-request": approveVaultRequest,
   "archive-workspace-app": archiveWorkspaceApp,
   "create-link-token": createLinkToken,
+  "create-pylon-ticket": createPylonTicket,
   "create-vault-grant": createVaultGrant,
   "create-vault-secret": createVaultSecret,
   "create-workspace-resource-grant": createWorkspaceResourceGrant,
@@ -79,6 +84,7 @@ export const dispatchActions: Record<string, ActionEntry> = {
   "get-app-creation-settings": getAppCreationSettings,
   "get-agent-thread-debug": getAgentThreadDebug,
   "get-dispatch-settings": getDispatchSettings,
+  "get-vault-access-settings": getVaultAccessSettings,
   "get-workspace-info": getWorkspaceInfo,
   "grant-workspace-resources-to-app": grantWorkspaceResourcesToApp,
   "grant-vault-secrets-to-app": grantVaultSecretsToApp,
@@ -112,11 +118,13 @@ export const dispatchActions: Record<string, ActionEntry> = {
   "send-platform-message": sendPlatformMessage,
   "set-app-creation-settings": setAppCreationSettings,
   "set-dispatch-approval-policy": setDispatchApprovalPolicy,
+  "set-vault-access-settings": setVaultAccessSettings,
   "start-workspace-app-creation": startWorkspaceAppCreation,
   "sync-vault-to-app": syncVaultToApp,
   "sync-workspace-resources-to-all": syncWorkspaceResourcesToAll,
   "sync-workspace-resources-to-app": syncWorkspaceResourcesToApp,
   "unarchive-workspace-app": unarchiveWorkspaceApp,
+  "update-workspace-app-metadata": updateWorkspaceAppMetadata,
   "update-vault-secret": updateVaultSecret,
   "update-workspace-resource": updateWorkspaceResource,
   "upsert-destination": upsertDestination,

package/src/actions/list-integrations-catalog.ts

@@ -4,7 +4,7 @@ import { listIntegrationsCatalog } from "../server/lib/vault-store.js";
 
 export default defineAction({
   description:
-    "List all workspace apps and their credential/integration requirements. Shows which credentials are configured, which are granted from the vault, and which are missing.",
+    "List all workspace apps and their credential/integration requirements. Shows configured credentials and effective Dispatch vault access.",
   schema: z.object({}),
   http: { method: "GET" },
   run: async () => listIntegrationsCatalog(),

package/src/actions/list-vault-grants.ts

@@ -4,7 +4,7 @@ import { listGrants } from "../server/lib/vault-store.js";
 
 export default defineAction({
   description:
-    "List vault grants — which apps have access to which secrets. Optionally filter by app or secret.",
+    "List explicit vault grants used by manual vault access mode. Optionally filter by app or secret.",
   schema: z.object({
     appId: z.string().optional().describe("Filter by app ID"),
     secretId: z.string().optional().describe("Filter by secret ID"),

package/src/actions/list-workspace-apps.ts

@@ -12,13 +12,17 @@ const httpBoolean = z.preprocess((value) => {
 
 export default defineAction({
   description:
-    "List apps installed in this workspace, including mounted paths, absolute URLs, and agent-card/A2A metadata for ready apps by default. UI polling callers can pass includeAgentCards=false to skip network probes.",
+    "List apps installed in this workspace, including mounted paths, absolute URLs, audience (internal/public), page route access overrides, and agent-card/A2A metadata for ready apps by default. UI polling callers can pass includeAgentCards=false to skip network probes.",
   schema: z.object({
     includeAgentCards: httpBoolean
       .default(true)
       .describe(
         "Fetch each ready app's /.well-known/agent-card.json with a short non-throwing timeout and include agentCardUrl, agentCardReachable, a2aEndpointUrl, agentName, and agentSkillsCount. Defaults to true for agent calls; UI polling should pass false. Pending Builder apps are not probed.",
       ),
+    audience: z
+      .enum(["all", "internal", "public"])
+      .default("all")
+      .describe("Filter by workspace app audience."),
   }),
   http: { method: "GET" },
   run: async (input) => listWorkspaceApps(input),

package/src/actions/set-vault-access-settings.ts

@@ -0,0 +1,16 @@
+import { defineAction } from "@agent-native/core";
+import { z } from "zod";
+import { setVaultAccessSettings } from "../server/lib/vault-store.js";
+
+export default defineAction({
+  description:
+    "Set the Dispatch vault access mode. Use all-apps for the default workspace-wide mode or manual to require explicit per-app grants.",
+  schema: z.object({
+    mode: z
+      .enum(["all-apps", "manual"])
+      .describe(
+        "all-apps shares every vault key with every app; manual requires grants",
+      ),
+  }),
+  run: async (args) => setVaultAccessSettings(args),
+});

package/src/actions/start-workspace-app-creation.ts

@@ -23,6 +23,14 @@ export default defineAction({
       .optional()
       .nullable()
       .describe("Template to start from"),
+    description: z
+      .string()
+      .max(500)
+      .optional()
+      .nullable()
+      .describe(
+        "Concise AI-generated description of the app based on the user's prompt. Dispatch saves this while the app is being created.",
+      ),
     secretIds: z
       .array(z.string())
       .max(100)

package/src/actions/sync-vault-to-app.ts

@@ -4,7 +4,7 @@ import { syncGrantsToApp } from "../server/lib/vault-store.js";
 
 export default defineAction({
   description:
-    "Push all granted secrets to an app by calling its env-vars endpoint. Returns the list of synced credential keys.",
+    "Push vault secrets to an app by calling its env-vars endpoint. In all-apps mode this syncs every vault key; in manual mode it syncs active grants.",
   schema: z.object({
     appId: z
       .string()

package/src/actions/update-workspace-app-metadata.ts

@@ -0,0 +1,32 @@
+import { defineAction } from "@agent-native/core";
+import { getWorkspaceAppIdValidationError } from "@agent-native/core/shared";
+import { z } from "zod";
+import { updateWorkspaceAppMetadata } from "../server/lib/app-creation-store.js";
+
+export default defineAction({
+  description:
+    "Update the human-editable display name and description Dispatch uses for a workspace app. These details are also used as connected-agent/A2A context.",
+  schema: z.object({
+    appId: z
+      .string()
+      .max(64)
+      .refine((appId) => !getWorkspaceAppIdValidationError(appId), {
+        message:
+          "Use a non-reserved app id with lowercase letters, numbers, and hyphens.",
+      })
+      .describe("Workspace app id, matching the apps/<id> folder"),
+    name: z
+      .string()
+      .max(120)
+      .optional()
+      .nullable()
+      .describe("Human-readable app name"),
+    description: z
+      .string()
+      .max(500)
+      .optional()
+      .nullable()
+      .describe("Human-readable app description"),
+  }),
+  run: async (args) => updateWorkspaceAppMetadata(args),
+});

package/src/actions/view-screen.ts

@@ -16,6 +16,7 @@ import {
   listSecrets,
   listGrants,
   listRequests,
+  getVaultAccessSettings,
 } from "../server/lib/vault-store.js";
 import { listWorkspaceApps } from "../server/lib/app-creation-store.js";
 import { listDispatchUsageMetrics } from "../server/lib/usage-metrics-store.js";
@@ -78,11 +79,13 @@ export default defineAction({
       }
     }
     if (navigation?.view === "vault" || navigation?.view === "new-app") {
-      const [secrets, grants, requests] = await Promise.all([
+      const [secrets, grants, requests, access] = await Promise.all([
         listSecrets(),
         listGrants(),
         listRequests({ status: "pending" }),
+        getVaultAccessSettings(),
       ]);
+      screen.vaultAccessMode = access.mode;
       screen.vaultSecrets = secrets.map((s) => ({
         id: s.id,
         name: s.name,

package/src/components/app-keys-popover.tsx

@@ -13,6 +13,7 @@ import {
   PopoverTrigger,
 } from "@/components/ui/popover";
 import { Button } from "@/components/ui/button";
+import { Skeleton } from "@/components/ui/skeleton";
 
 interface VaultSecret {
   id: string;
@@ -88,6 +89,12 @@ function AppKeysPanel({ appId, appName }: { appId: string; appName: string }) {
     isLoading: grantsLoading,
     refetch: refetchGrants,
   } = useActionQuery("list-vault-grants", { appId });
+  const { data: accessSettings, isLoading: accessLoading } = useActionQuery(
+    "get-vault-access-settings",
+    {},
+  );
+  const accessMode =
+    (accessSettings as any)?.mode === "manual" ? "manual" : "all-apps";
 
   const grantBySecretId = useMemo(() => {
     const map = new Map<string, VaultGrant>();
@@ -134,11 +141,13 @@ function AppKeysPanel({ appId, appName }: { appId: string; appName: string }) {
     onError: (err) => toast.error(`Sync failed: ${String(err)}`),
   });
 
-  const isLoading = secretsLoading || grantsLoading;
+  const isLoading = secretsLoading || grantsLoading || accessLoading;
   const grantedCount = grantBySecretId.size;
   const typedSecrets = secrets as VaultSecret[];
+  const allApps = accessMode !== "manual";
 
   const toggleSecret = (secret: VaultSecret) => {
+    if (allApps) return;
     if (pendingSecretIds.has(secret.id)) return;
     const existing = grantBySecretId.get(secret.id);
     markPending(secret.id, true);
@@ -158,14 +167,20 @@ function AppKeysPanel({ appId, appName }: { appId: string; appName: string }) {
             Keys for {appName}
           </p>
           <p className="text-[11px] text-muted-foreground">
-            {grantedCount} of {typedSecrets.length} granted
+            {allApps
+              ? `${typedSecrets.length} available`
+              : `${grantedCount} of ${typedSecrets.length} granted`}
           </p>
         </div>
         <Button
           type="button"
           variant="outline"
           size="sm"
-          disabled={syncMutation.isPending || grantedCount === 0}
+          disabled={
+            syncMutation.isPending ||
+            typedSecrets.length === 0 ||
+            (!allApps && grantedCount === 0)
+          }
           onClick={() => syncMutation.mutate({ appId })}
           className="h-7 px-2"
         >
@@ -180,24 +195,37 @@ function AppKeysPanel({ appId, appName }: { appId: string; appName: string }) {
 
       <div className="max-h-[320px] space-y-1.5 overflow-y-auto rounded-md border border-border bg-card p-1.5">
         {isLoading ? (
-          <p className="px-3 py-3 text-xs text-muted-foreground">Loading…</p>
+          <div className="space-y-1.5 p-1.5">
+            {Array.from({ length: 3 }).map((_, index) => (
+              <div
+                key={index}
+                className="flex items-start gap-3 rounded-md px-2.5 py-2"
+              >
+                <Skeleton className="mt-0.5 h-4 w-4 shrink-0 rounded" />
+                <div className="flex-1 space-y-1.5">
+                  <Skeleton className="h-3 w-1/2" />
+                  <Skeleton className="h-3 w-3/4" />
+                </div>
+              </div>
+            ))}
+          </div>
         ) : typedSecrets.length === 0 ? (
           <p className="rounded-md border border-dashed border-border px-3 py-3 text-xs text-muted-foreground">
             No vault keys yet. Add one from the Vault page.
           </p>
         ) : (
           typedSecrets.map((secret) => {
-            const granted = grantBySecretId.has(secret.id);
+            const granted = allApps || grantBySecretId.has(secret.id);
             const pending = pendingSecretIds.has(secret.id);
             return (
               <button
                 key={secret.id}
                 type="button"
                 aria-pressed={granted}
-                disabled={pending}
+                disabled={pending || allApps}
                 onClick={() => toggleSecret(secret)}
                 className={`flex w-full items-start gap-3 rounded-md px-2.5 py-2 text-left text-sm disabled:cursor-not-allowed disabled:opacity-60 ${
-                  pending ? "" : "cursor-pointer"
+                  pending || allApps ? "" : "cursor-pointer"
                 } ${
                   granted
                     ? "border border-primary/45 bg-primary/5"
@@ -218,7 +246,9 @@ function AppKeysPanel({ appId, appName }: { appId: string; appName: string }) {
                     {secret.credentialKey}
                   </span>
                   <span className="block truncate text-xs text-muted-foreground/70">
-                    {secret.provider || secret.name || "Vault secret"}
+                    {allApps
+                      ? "Available to this app"
+                      : secret.provider || secret.name || "Vault secret"}
                   </span>
                 </span>
               </button>

package/src/components/create-app-popover.tsx

@@ -44,6 +44,8 @@ interface WorkspaceResourceOption {
   updatedAt?: number;
 }
 
+type VaultAccessMode = "all-apps" | "manual";
+
 interface CreateAppPopoverProps {
   /**
    * Custom trigger element. Defaults to a dashed-border tile that matches the
@@ -78,11 +80,15 @@ function buildAppCreationPrompt(input: {
   prompt: string;
   selectedKeys: string[];
   selectedResources: WorkspaceResourceOption[];
+  vaultAccessMode: VaultAccessMode;
 }): string {
   const keyList = input.selectedKeys.join(", ");
-  const grantRequest = keyList
-    ? `Requested Dispatch vault key grants for this app: ${keyList}`
-    : `Requested Dispatch vault key grants for this app: none`;
+  const grantRequest =
+    input.vaultAccessMode === "all-apps"
+      ? `Dispatch vault access: all saved vault keys are available to every workspace app by default. No per-app vault grants are needed.`
+      : keyList
+        ? `Requested Dispatch vault key grants for this app: ${keyList}`
+        : `Requested Dispatch vault key grants for this app: none`;
   const resourceList = input.selectedResources.length
     ? input.selectedResources
         .map(
@@ -98,6 +104,7 @@ function buildAppCreationPrompt(input: {
     ``,
     `Suggested app name: ${input.appId} (you may adjust the slug if it conflicts)`,
     `User prompt: ${input.prompt.trim()}`,
+    `Generate a concise one-sentence app description from the user prompt before coding; save it in apps/${input.appId}/package.json "description" so Dispatch and A2A can describe the app.`,
     `If the user mentions a product or company such as Granola, Loom, Superhuman, Linear, or Notion, treat it as product inspiration unless they explicitly ask to connect to that service. Do not invent or require third-party API keys like GRANOLA_API_KEY just because a product is named.`,
     grantRequest,
     `Requested Dispatch workspace resources for this app:\n${resourceList}`,
@@ -112,18 +119,20 @@ function buildAppCreationPrompt(input: {
     `Do not clone first-party templates, create wrapper apps, or scaffold child apps/routes for Mail, Calendar, Analytics, etc. inside apps/${input.appId} just so this app can access them. If the request is a cross-app dashboard or overview, build only the new dashboard/overview app and delegate to the existing apps for domain work.`,
     `Only create another first-party app copy when the user explicitly asks for a customized fork/copy of that app; otherwise keep using the hosted/shared app so improvements to the base template keep flowing to users.`,
     `Do not satisfy this by adding a route, page, component, or file inside apps/starter or another existing app unless the user explicitly asks to modify that existing app.`,
-    keyList
-      ? `After the app exists, grant the selected Dispatch vault keys to appId "${input.appId}" and sync them once the app server is available. Treat these as requested grants, not active grants before creation succeeds.`
-      : `Do not grant any Dispatch vault keys unless the user asks later.`,
+    input.vaultAccessMode === "all-apps"
+      ? `Do not create per-app Dispatch vault grants unless the workspace switches vault access to manual or the user explicitly asks for manual grants.`
+      : keyList
+        ? `After the app exists, grant the selected Dispatch vault keys to appId "${input.appId}" and sync them once the app server is available. Treat these as requested grants, not active grants before creation succeeds.`
+        : `Do not grant any Dispatch vault keys unless the user asks later.`,
     input.selectedResources.length
       ? `After the app exists, grant the selected Dispatch workspace resources to appId "${input.appId}" and sync them once the app server is available. Add a short note to apps/${input.appId}/AGENTS.md telling the app agent to read relevant shared resources under context/ or the selected resource paths before doing GTM/domain work.`
       : `Do not grant any Dispatch workspace resources unless the user asks later.`,
     ``,
     `App readiness requirements before handing off:`,
-    `- Ensure apps/${input.appId}/package.json exists; Dispatch discovers workspace apps from apps/<app-id>/package.json, not a separate app registry.`,
+    `- Ensure apps/${input.appId}/package.json exists with displayName/name and a concise description; Dispatch discovers workspace apps from apps/<app-id>/package.json, not a separate app registry.`,
     `- Update the app manifest/package/deploy metadata needed by the existing workspace deployment model.`,
     `- Ensure the React Router client entry preserves APP_BASE_PATH/VITE_APP_BASE_PATH via appBasePath() so /${input.appId} hydrates correctly.`,
-    `- Verify the app's agent card/A2A metadata is ready so Dispatch can discover and delegate to the app after deployment.`,
+    `- Verify the app's agent card/A2A metadata is ready so Dispatch can discover and delegate to the app after deployment. Every sibling workspace app is available over A2A by default through call-agent, with names and descriptions from the workspace app registry.`,
     `When it is ready, start or update the workspace dev server and navigate the user to the absolute path /${input.appId} on the workspace origin. Do not prefix with /dispatch/, /apps/, /workspace/, or any other Dispatch tab — the new app is mounted at the workspace root, not under Dispatch. If you have a navigate tool available, pass /${input.appId} verbatim; if you only have a window.location-style escape hatch, set it to /${input.appId}.`,
   ].join("\n");
 }
@@ -170,6 +179,8 @@ export function CreateAppFlow({
   const [selectedResourceIds, setSelectedResourceIds] = useState<string[]>([]);
   const [secrets, setSecrets] = useState<VaultSecretOption[]>([]);
   const [resources, setResources] = useState<WorkspaceResourceOption[]>([]);
+  const [vaultAccessMode, setVaultAccessMode] =
+    useState<VaultAccessMode>("all-apps");
   const [secretsError, setSecretsError] = useState<string | null>(null);
   const [resourcesError, setResourcesError] = useState<string | null>(null);
   const [statusMessage, setStatusMessage] = useState<string | null>(null);
@@ -193,6 +204,15 @@ export function CreateAppFlow({
         setSecrets([]);
         setSecretsError(err?.message || "Could not load Dispatch keys");
       });
+    fetchJson(actionUrl(basePath, "get-vault-access-settings"))
+      .then((data) => {
+        if (cancelled) return;
+        setVaultAccessMode(data?.mode === "manual" ? "manual" : "all-apps");
+      })
+      .catch(() => {
+        if (cancelled) return;
+        setVaultAccessMode("manual");
+      });
     fetchJson(actionUrl(basePath, "list-workspace-resource-options"))
       .then((data) => {
         if (cancelled) return;
@@ -218,9 +238,11 @@ export function CreateAppFlow({
     [resources, selectedResourceIds],
   );
   const selectedSecretLabel =
-    selectedSecretIds.length === 0
-      ? "no keys"
-      : `${selectedSecretIds.length} key${selectedSecretIds.length === 1 ? "" : "s"}`;
+    vaultAccessMode === "all-apps"
+      ? "all keys"
+      : selectedSecretIds.length === 0
+        ? "no keys"
+        : `${selectedSecretIds.length} key${selectedSecretIds.length === 1 ? "" : "s"}`;
   const selectedResourceLabel =
     selectedResourceIds.length === 0
       ? "no resources"
@@ -254,8 +276,12 @@ export function CreateAppFlow({
     const message = buildAppCreationPrompt({
       appId,
       prompt: trimmed,
-      selectedKeys: selectedSecrets.map((s) => s.credentialKey),
+      selectedKeys:
+        vaultAccessMode === "manual"
+          ? selectedSecrets.map((s) => s.credentialKey)
+          : [],
       selectedResources,
+      vaultAccessMode,
     });
     setIsSubmitting(true);
     setStatusMessage(null);
@@ -279,7 +305,10 @@ export function CreateAppFlow({
             body: JSON.stringify({
               prompt: trimmed,
               appId,
-              secretIds: selectedSecretIds.length > 0 ? selectedSecretIds : [],
+              secretIds:
+                vaultAccessMode === "manual" && selectedSecretIds.length > 0
+                  ? selectedSecretIds
+                  : [],
               resourceIds:
                 selectedResourceIds.length > 0 ? selectedResourceIds : [],
             }),
@@ -351,7 +380,11 @@ export function CreateAppFlow({
               <IconKey size={12} />
               Dispatch keys
             </div>
-            {secretsError ? (
+            {vaultAccessMode === "all-apps" ? (
+              <p className="rounded-md border border-dashed border-border px-3 py-3 text-xs text-muted-foreground">
+                Every saved Dispatch vault key is available to new apps.
+              </p>
+            ) : secretsError ? (
               <p className="rounded-md border border-dashed border-border px-3 py-3 text-xs text-muted-foreground">
                 {secretsError}
               </p>

package/src/components/dispatch-shell.tsx

@@ -1,17 +1,17 @@
 import { type ReactNode } from "react";
 import {
-  Tooltip,
-  TooltipContent,
-  TooltipTrigger,
-} from "@/components/ui/tooltip";
+  Popover,
+  PopoverContent,
+  PopoverTrigger,
+} from "@/components/ui/popover";
 import { IconInfoCircle } from "@tabler/icons-react";
 import { useSetPageTitle } from "@/components/layout/HeaderActions";
 
 /**
- * DispatchShell renders the per-page title (with optional description tooltip)
- * into the global header via the HeaderActions store. The actual chrome
- * (sidebar, AgentSidebar, header bar with AgentToggleButton) is provided by
- * `Layout` mounted in `root.tsx`.
+ * DispatchShell renders the per-page title (with an optional click-to-open
+ * description popover) into the global header via the HeaderActions store.
+ * The actual chrome (sidebar, AgentSidebar, header bar with AgentToggleButton)
+ * is provided by `Layout` mounted in `root.tsx`.
  */
 export function DispatchShell({
   title,
@@ -28,23 +28,24 @@ export function DispatchShell({
         {title}
       </h1>
       {description ? (
-        <Tooltip>
-          <TooltipTrigger asChild>
+        <Popover>
+          <PopoverTrigger asChild>
             <button
               type="button"
-              className="text-muted-foreground/60 hover:text-foreground cursor-pointer"
+              className="inline-flex h-6 w-6 items-center justify-center rounded-md text-muted-foreground/70 hover:bg-accent hover:text-foreground cursor-pointer"
               aria-label={`About ${title}`}
             >
               <IconInfoCircle className="h-3.5 w-3.5" />
             </button>
-          </TooltipTrigger>
-          <TooltipContent
+          </PopoverTrigger>
+          <PopoverContent
             side="bottom"
+            align="start"
             className="max-w-72 text-xs leading-relaxed"
           >
             {description}
-          </TooltipContent>
-        </Tooltip>
+          </PopoverContent>
+        </Popover>
       ) : null}
     </div>,
   );

package/src/components/layout/Layout.tsx

@@ -229,10 +229,16 @@ function dispatchNavLinkTarget(path: string): string {
   if (typeof window === "undefined") return path;
   const basePath = appBasePath();
   if (!basePath) return path;
-  const context = (
-    window as Window & { __reactRouterContext?: { basename?: string } }
-  ).__reactRouterContext;
-  return context?.basename === basePath ? path : appPath(path);
+  // Mirror the basename calculation entry.client.tsx uses to configure the
+  // router (basePath iff the current URL is under that mount, "" otherwise).
+  // Reading the live URL directly avoids races with the previous check on
+  // `__reactRouterContext.basename`, which could read undefined before the
+  // entry script set it — that race produced /dispatch/dispatch/<route>
+  // history entries that 404'd on back-button navigation.
+  const pathname = window.location.pathname;
+  const routerHasBasename =
+    pathname === basePath || pathname.startsWith(`${basePath}/`);
+  return routerHasBasename ? path : appPath(path);
 }
 
 export function NavContent({
@@ -424,7 +430,7 @@ export function Layout({
         <AgentSidebar
           position="right"
           defaultOpen={false}
-          emptyStateText="Create apps, grant keys, and route work across the workspace."
+          emptyStateText="Create apps, manage vault keys, and route work across the workspace."
           suggestions={SIDEBAR_SUGGESTIONS}
         >
           {appContent}