[auto-closed: stale > 24h]
Regenerated nginx dev routes via Radagast (install_dev_routes) — the /dev/agent-access/ route was missing because the app post-dated the last route gen; now returns 302 to admin login (correct).
App JS used absolute /api/* paths but the app is served under the /dev/agent-access/ prefix, so the browser fetched /api/access|policies|sessions at the domain root -> 404 -> .map TypeErrors.
Renamed access apps to Access Mgmt - Users (7130) and Access Mgmt - Agents (7201).
Both apps now share ONE template via the canonical shared components (topbar, app-header, footer) + a single shared renderer driven by a kind flag (users|agents) - identical look, only data differs.
Radagast refused all app-restarts because its initiative check read the old on-disk initiatives DB, which is now a sessions-only leftover after the move to Elrond writer daemon.
Root cause of empty Activity Tracker: the initiatives relay silently mishandles named (:param) DB binds.
Added a proper access-control schema to the registry (the SST): principals (agents+humans, typed), artifacts (apps/droids/services/blocks, with type+owner), a role catalog, a permission catalog, role->permission, and principal->role->artifact grants.
The session approve/reject gate now enforces via the RBAC schema instead of the legacy per-agent list.