docs(gururmm): record dashboard beta-first channel + memory

- wiki/projects/gururmm.md: beta-first dashboard channels (rmm-beta) + wiring
- .claude/memory: feedback_dashboard_beta_first + index line
- bump guru-rmm submodule pointer to the beta-channel commit

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.claude/memory/MEMORY.md

@@ -65,6 +65,7 @@
 ### GuruRMM
 - [GuruRMM operational rules](feedback_gururmm.md) — Six rules: (1) RMM dev = Mike, never Howard (368/0 commits); GuruScan is Howard's. (2) Agent parity Win+Linux+macOS in same change. (3) Builds via Gitea webhook pipeline only, never SSH. (4) #bot-alerts only for client/ticket impact, skip internal infra/dev. (5) Identify agents by IP, not by reconning candidates. (6) UNC paths in user_session need [char]92 — literals get halved.
 - [Build channel default = beta](feedback_gururmm_build_channel_default.md) — New agent builds must be tagged BETA by default (stable = explicit promote re-tag); distinct from agents defaulting to the stable CHANNEL (correct). Fixed build-windows/linux.sh 2026-06-01; macOS already correct. Enables beta-first canary.
+- [Dashboard beta-first deploy](feedback_dashboard_beta_first.md) — Dashboard auto-builds to rmm-beta.azcomputerguru.com on push; prod (rmm.azcomputerguru.com) is explicit promote-only via promote-dashboard.sh --confirm. Never hand-rsync prod. One artifact, nginx sub_filter BETA banner. Stood up 2026-06-02.
 
 ### Cascades
 - [Cascades operational rules](feedback_cascades.md) — Two active rules: (1) folder redirection (fdeploy) needs subfolders PRE-CREATED before first logon or it caches a failure forever; recovery via fix-shell-redirect.ps1. (2) ALWAYS ask which security group(s) a new user goes into — never auto-derive from OU.

.claude/memory/feedback_dashboard_beta_first.md

@@ -0,0 +1,15 @@
+---
+name: feedback_dashboard_beta_first
+description: GuruRMM dashboard has a beta-first deploy model — push auto-builds to rmm-beta, prod is explicit promote only; never hand-rsync prod
+metadata:
+  type: feedback
+---
+
+The GuruRMM dashboard deploys **beta-first** (stood up 2026-06-02 at Mike's request, partly to keep Howard's changes off prod until reviewed). Mirrors the agent beta/stable channel model.
+
+- **beta** — https://rmm-beta.azcomputerguru.com, web root `/var/www/gururmm/dashboard-beta`. Auto-builds on every push to `main` touching `dashboard/` (`/opt/gururmm/build-dashboard.sh`, dispatched by the webhook alongside agent/server builds, change-gated on `last-built-commit-dashboard`). Shows a BETA banner.
+- **prod** — https://rmm.azcomputerguru.com, web root `/var/www/gururmm/dashboard`. Updated ONLY via `sudo /opt/gururmm/promote-dashboard.sh --confirm` (dry-run by default; backs up prod, keeps last 10; `--rollback` restores).
+
+**Why:** A preview channel lets dashboard changes soak before they hit the production RMM that ~55 agents and clients use; explicit promotion makes prod deploys deliberate and reversible.
+
+**How to apply:** Never `npm run build && rsync ... /var/www/gururmm/dashboard/` by hand — that's superseded and bypasses backup/soak. One artifact serves both channels (Vite bakes in the absolute prod API URL `rmm-api.azcomputerguru.com`, so beta uses shared prod data and is byte-identical to prod); beta is branded by an nginx-layer `sub_filter` banner, so promotion is a plain rsync. Serving: 2nd nginx vhost on .30 (`deploy/nginx/rmm-beta.conf`), Cloudflare `rmm-beta` A→72.194.62.10 proxied (mirrors `rmm`), Jupiter NPM host id=11 → .30:80 presenting cert id=10 (zone SSL mode is Full). Full wiring in `deploy/build-pipeline/README.md` (Dashboard channels). Related: [[feedback_gururmm_build_channel_default]], [[feedback_gururmm_builds]], [[reference_gitea_internal]].

wiki/projects/gururmm.md

@@ -284,11 +284,14 @@ Gitea push to main
 
 **Build channel classification:** New agent builds are tagged `beta` by default (`build-windows.sh` and `build-linux.sh` fixed 2026-06-02; macOS already did this). Promotion to `stable` is an explicit step: `echo stable > /var/www/gururmm/downloads/<binary>.channel`. This is distinct from agents defaulting to the `stable` *channel* (correct and unchanged) — agents on the stable channel receive only the latest `stable`-tagged binary; beta agents receive the absolute-latest.
 
-**Dashboard deploy** — separate manual step:
-```bash
-cd /home/guru/gururmm/dashboard && sudo -u guru npm run build
-sudo rsync -av --delete /home/guru/gururmm/dashboard/dist/ /var/www/gururmm/dashboard/
-```
+**Dashboard channels — BETA-FIRST (2026-06-02):** mirrors the agent beta/stable model. Every push to `main` touching `dashboard/` auto-builds to **beta**; **prod is explicit-promote only**.
+
+| Channel | URL | Web root | Updates |
+|---|---|---|---|
+| beta | https://rmm-beta.azcomputerguru.com | `/var/www/gururmm/dashboard-beta` | auto on push — `build-dashboard.sh` (now dispatched by the webhook alongside agent/server builds, change-gated on `last-built-commit-dashboard`) |
+| prod | https://rmm.azcomputerguru.com | `/var/www/gururmm/dashboard` | explicit only — `sudo /opt/gururmm/promote-dashboard.sh --confirm` (backs up prod; `--rollback` restores) |
+
+**Do NOT hand-rsync into the prod web root** (the old `npm run build && rsync ... dashboard/` is superseded). One artifact serves both channels — the Vite build bakes in the absolute prod API URL (`rmm-api.azcomputerguru.com`), so beta uses shared prod data and is byte-identical to prod; beta is branded by an nginx-layer `sub_filter` BETA banner (`deploy/nginx/rmm-beta.conf`), so promotion is a plain rsync. **Serving/TLS:** second nginx vhost on `.30` (`server_name rmm-beta`, specific name beats prod `_`), Cloudflare `rmm-beta` A→`72.194.62.10` proxied (mirrors `rmm`), Jupiter NPM proxy host **id=11** → `.30:80` presenting cert **id=10** (zone SSL mode is Full; if ever Full-Strict, beta needs its own SAN/cert).
 
 **DB migrations** — manual; must insert SHA-384 checksum into `_sqlx_migrations` or server crashes on start.