diff --git a/session-logs/2026-05-31-mike-spec004-sprint-deploy.md b/session-logs/2026-05-31-mike-spec004-sprint-deploy.md
index 2915c0e..9f93996 100644
--- a/session-logs/2026-05-31-mike-spec004-sprint-deploy.md
+++ b/session-logs/2026-05-31-mike-spec004-sprint-deploy.md
@@ -136,3 +136,61 @@ reports/2026-05-31-gc-audit.md (commit 1601745). Roadmap banner updated to mark
 A1-A4 done+deployed (ghosts purged 19->8); B1/B2 done (v0.3.0 signed); C1 done (Phase-1 exit); D1 done
 (v0.3.0 published). ONLY C2 (#4) remains: live HW-H.264 cross-GPU validation (beast agent -> 5070 viewer),
 then decide DEFAULT_PREFER_H264 (stays false until validated). Not a Phase-1 blocker.
+
+## Update: 19:37 PT — C2 H.264 test staging, dashboard creds vaulted, coord handling, migrate-fleet descope
+
+Staged the C2 beast->5070 H.264 cross-GPU test. Confirmed both GURU-5070 and GURU-BEAST-ROG are
+GuruRMM-enrolled (v0.6.50). Beast recon via RMM (user_session context): active interactive console
+session (user guru), relay 172.16.3.30:3002 reachable, v0.3.0 download reachable (200), no GC agent
+running. Staged beast via RMM user_session: downloaded the signed v0.3.0 guruconnect.exe (hash verified
+bc4767f4...), wrote a tagged config (agent_id=h264test-beast, tags=["h264-test"]), launched it
+--verbose detached. The RMM command "timed out" (90s server reaper) on the foreground download+sleeps,
+but the detached agent launched and connected: relay shows "Agent connected: GURU-BEAST-ROG
+(h264test-beast)" version 0.3.0-e967cce1-dirty, idle, session bf6f1439-1733-4dfa-ab06-6e549f0d6747.
+The actual stream test (connect 5070 viewer + drive beast activity, or watch via the dashboard web
+viewer) is PARKED awaiting Mike's go (touches beast's active desktop). Beast agent left running/idle.
+
+Found + vaulted the GuruConnect dashboard admin creds. Earlier (during the ghost purge) I wrongly
+concluded no GC dashboard creds existed; a thorough session-log search found them captured in
+2026-05-30-session.md (portal reset 2026-05-30, change-on-first-login). Created vault entry
+projects/guruconnect/portal.sops.yaml (sops age-encrypted, round-trip verified), committed+pushed the
+vault repo (5dbb76c..d8949a1).
+
+Coord: Howard's session sent a "Deploy needed: gururmm dashboard (PR #29 merged)" message routed to
+GURU-5070 on the false premise that the deploy "runs from your machine." Mike (Discord) corrected: it
+does NOT run from his machine. Read guru-rmm/build-server.sh — it runs ON the gururmm server
+(172.16.3.30) via sudo/systemctl + /opt/gururmm/ paths + a flock, auto-triggered by the push-to-main
+webhook; NOT pinned to a workstation. Also: build-server.sh builds the Rust SERVER, but PR #29 is
+DASHBOARD/frontend (static files at /var/www/gururmm/dashboard/) — a server rebuild won't deploy it,
+which is the likely reason it's still v0.2.32 despite the 529b0b2 merge. Bounced this back to
+Howard-Home/claude-main via coord (msg 553777c3) with that correction; marked the request read. Did
+NOT run the deploy.
+
+Descoped the "migrate fleet" tasks per Mike (no legacy clients). #7 (migrate fleet to cak_ keys) closed
+as moot — no production fleet exists. #5 (retire shared AGENT_API_KEY) reframed: not a migration;
+real prerequisite is a cak_-provisioning path for PERSISTENT agents (the managed-agent installer
+SPEC-007, or a manual mint) — attended/support-code agents already bind cak_. Low priority (shared-key
+path is fail-closed + WARN-logged, audit-confirmed safe; only the h264-test test agents use it now).
+
+### Credentials & Secrets (this update)
+- GuruConnect portal (connect.azcomputerguru.com) admin logins — now vaulted at
+  projects/guruconnect/portal.sops.yaml. admin: WNwKn-qp4eW-jkXAs ; howard: iWACa-Ks5PP-nrP6x.
+  Reset 2026-05-30 change-on-first-login (may be stale if logged in since). Access:
+  bash .claude/scripts/vault.sh get-field projects/guruconnect/portal.sops.yaml credentials.admin.password
+- GC shared agent test key (h264 test agents): x7m9p2k8v4n1q5w3r6t0y2u8i5o3l7m9p2k8 (deprecated shared AGENT_API_KEY fallback).
+
+### Pending / next
+- C2 (#4): run the beast->5070 H.264 stream test (3 options: dashboard web viewer w/ admin login [best
+  visual proof] / native 5070 viewer + RMM-driven beast activity + decode-error logs / hybrid). Beast
+  agent h264test-beast idle on session bf6f1439. Then decide DEFAULT_PREFER_H264. CLEANUP owed: stop
+  h264test-beast on beast + remove its temp dir; stop/clean the leftover GURU-5070 test session.
+- #5 retire shared key (low pri, gated on SPEC-007 installer). #10 agent verifies update-binary
+  signature (defense-in-depth; agent is signed via B2 but doesn't verify on auto-update yet).
+- guru-rmm dashboard deploy (PR #29) is Howard's session's to retry — frontend build to
+  /var/www/gururmm/dashboard/, not a GURU-5070 task.
+
+### Reference (this update)
+- beast GC agent: h264test-beast, session bf6f1439-1733-4dfa-ab06-6e549f0d6747, v0.3.0-e967cce1-dirty.
+- RMM agent ids: GURU-5070 c043d9ac..., GURU-BEAST-ROG 5233d75b-f589-43c4-b96e-cfa75365a78d.
+- coord: reply msg 553777c3 to Howard-Home/claude-main; their request 9b247556 marked read.
+- guru-rmm build-server.sh: runs on 172.16.3.30, deploys /opt/gururmm/gururmm-server, webhook-driven.