diff --git a/lib/loopctl_web/controllers/dispatch_controller.ex b/lib/loopctl_web/controllers/dispatch_controller.ex
index 272a96a..418547b 100644
--- a/lib/loopctl_web/controllers/dispatch_controller.ex
+++ b/lib/loopctl_web/controllers/dispatch_controller.ex
@@ -7,6 +7,8 @@ defmodule LoopctlWeb.DispatchController do
 
   alias Loopctl.Dispatches
 
+  action_fallback LoopctlWeb.FallbackController
+
   plug LoopctlWeb.Plugs.RequireRole, [role: :orchestrator] when action in [:create]
   plug LoopctlWeb.Plugs.RequireRole, [role: :agent] when action in [:show, :index]
 
diff --git a/lib/loopctl_web/controllers/route_discovery_controller.ex b/lib/loopctl_web/controllers/route_discovery_controller.ex
index 758139b..c6a3f62 100644
--- a/lib/loopctl_web/controllers/route_discovery_controller.ex
+++ b/lib/loopctl_web/controllers/route_discovery_controller.ex
@@ -21,6 +21,21 @@ defmodule LoopctlWeb.RouteDiscoveryController do
         path: "/api/v1/tenants/me",
         description: "Update current tenant (settings.knowledge_auto_extract, etc.)"
       },
+      %{
+        method: "POST",
+        path: "/api/v1/tenants/:id/rotate-audit-key",
+        description: "Rotate tenant audit signing keypair (requires WebAuthn)"
+      },
+      %{
+        method: "POST",
+        path: "/api/v1/tenants/:id/bootstrap-audit-key",
+        description: "Generate initial audit keypair for legacy tenants (user role + ownership)"
+      },
+      %{
+        method: "GET",
+        path: "/api/v1/tenants/:id/audit_public_key",
+        description: "Public endpoint — tenant Ed25519 audit signing public key (PEM or JWK)"
+      },
 
       # API key management
       %{