diff --git a/session-logs/2026-05-29-session.md b/session-logs/2026-05-29-session.md index 8c04279..66c64f1 100644 --- a/session-logs/2026-05-29-session.md +++ b/session-logs/2026-05-29-session.md 
@@ -447,3 +447,74 @@ Cut the upgraded `/config` into the production `DockerUISP` container (reversibl - Image upgrade mechanism: `/migrate.sh` (old PG binaries under `/postgres//bin`); `init-postgres` does initdb-or-use-as-is, version-mismatch triggers migrate. - Old data version: UISP 2.4.206; new: 3.0.147. Shared migration head: `20250317150507-change_error_data_type_to_bigint`. - `setting.value` is `jsonb` in 3.0.147; extract with `value#>>'{}'`. + +--- + +## Update: 17:35 PT — GuruConnect CI quality-gate hardening + Gitea endpoint diagnosis + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +### Session Summary + +Re-tightened the two GuruConnect CI quality gates (build-and-test.yml) from informational to hard-fail, completing deferred items from SPEC-001. Both had been loosened during the native-Windows-build work: clippy ran without `-D warnings` (~65 warnings, mostly dead-code) and `cargo audit` ran with `|| echo [WARNING]`. Enumerated the real debt on the Linux build host (172.16.3.30) using a detached git worktree of origin/main so the production deploy checkout was untouched. + +Clippy debt was 66 warnings (mostly duplicates), ~28 distinct: unused imports, collapsible if, unit let-bindings, 2 unused vars, one 11-arg function, a Cargo "profile in non-root member" warning, and dead-code (future API for native-remote-control). Cleared via `clippy --fix` (mechanical), `_`-prefix (unused vars), `#[allow(clippy::too_many_arguments)]` on 3 protocol-mirroring fns, targeted `#[allow(dead_code)]` + TODO comments on future-API items (not deleted), and moving `[profile.release]` to the workspace root (it was silently ignored in the server member — a latent bug; release optimizations were not being applied). + +cargo audit reported 1 vulnerability + 9 warnings. 
Traced all via `cargo tree`: the rsa Marvin advisory (RUSTSEC-2023-0071) is unfixable and unreachable in the active dependency tree; the entire gtk-rs/glib family (8 advisories) comes from tray-icon's Linux backend (libappindicator/muda) and is empty on the x86_64-pc-windows-msvc target — never compiled into the shipping agent; proc-macro-error is build-time only. Made the gate hard-fail with per-ID `--ignore` flags (cargo-audit 0.22.1 does not read a repo-root audit.toml), documented inline. New advisories still fail the build. + +Delegated implementation to the Coding Agent (worked + verified on the build host), then mandatory Code Review Agent (APPROVE — independently re-ran both gates, confirmed no behavioral changes). Landed via Gitea Agent: guru-connect commit ccc6ba9 pushed to main (Cargo.lock pre-existing drift excluded), claudetools submodule pointer bumped (e211a30). CI build-and-test triggered; Build Server (Linux, clippy gate) and Build Agent (Windows, Pluto) both succeeded; Security Audit still running at session end. + +Finally diagnosed a suspected Gitea API token failure / port limitation — both turned out to be non-issues. The token (services/gitea.sops.yaml api.api-token) is valid (returns azcomputerguru admin from all paths). Internal http://172.16.3.20:3000 is reachable cross-host from the workstation and build host (HTTP 200). The earlier failures were a transient: Gitea container restarted during an NPM SSL-reload blip, briefly taking down both :3000 and the public git.azcomputerguru.com at the same instant a check ran. + +### Key Decisions + +- Enumerate + fix lint debt on a detached worktree of origin/main on the build host, not the production deploy checkout (which has a diverged local commit 1bfd476). +- Keep dead-code as future API with targeted `#[allow(dead_code)]` + TODO(native-remote-control), rather than deleting — the roadmap marks it as the integration surface. 
+- Use explicit `--ignore RUSTSEC-...` flags in CI rather than audit.toml — cargo-audit 0.22.1 does not read a repo-root config; flags keep per-ID granularity so new advisories still fail. +- Exclude the pre-existing Cargo.lock 0.1.0->0.2.0 drift from the gate commit to keep it focused; CI regenerates the lock. +- No Gitea token rotation — the credential is valid; the failure was transient infrastructure, not the token. + +### Problems Encountered + +- clippy/cargo not on the build host's non-interactive SSH PATH -> run remote cmds as `bash -lc "export PATH=$HOME/.cargo/bin:$PATH; ..."`. +- Build host deploy checkout (~/guru-connect) diverged (1 local commit + 14 behind) -> used a detached worktree (/tmp/gc-main) instead of touching it. +- Server clippy needs sqlx state -> `SQLX_OFFLINE=true CARGO_BUILD_TARGET=x86_64-unknown-linux-gnu`; offline data was present, no macro failures. +- Suspected dead Gitea token + unreachable :3000 -> proved both fine; root cause was a transient Gitea restart coinciding with an NPM 502 blip. Internal :3000 verified reachable from workstation + build host. + +### Configuration Changes + +- guru-connect repo (commit ccc6ba9): `.gitea/workflows/build-and-test.yml` (clippy -> `-- -D warnings`; audit -> hard-fail with 10 documented `--ignore` flags); root `Cargo.toml` (+`[profile.release]`); `server/Cargo.toml` (-`[profile.release]`); 18 `server/src/*.rs` files (allow-attributes, import cleanup, `_`-prefixes). 21 files, +92/-55. +- claudetools (commit e211a30): submodule pointer projects/msp-tools/guru-connect -> ccc6ba9. +- .claude/current-mode -> dev. + +### Credentials & Secrets + +- Gitea API token (valid, verified): `9b1da4b79a38ef782268341d25a4b6880572063f` — vault services/gitea.sops.yaml credentials.api.api-token. Account azcomputerguru (admin), password Gptf*77ttb123!@#-git (alt Window123\!@#-git). Use via internal http://172.16.3.20:3000/api/v1 (bypasses NPM 502 blips). 
+ +### Infrastructure & Servers + +- Gitea 1.25.2: container `gitea` on Jupiter (172.16.3.20), docker net gitea_gitea (172.18.0.3), docker-proxy publishes 0.0.0.0:3000 (HTTP API/git) + 2222 (ssh). Reachable cross-host at http://172.16.3.20:3000. Public git.azcomputerguru.com via NPM (intermittent 502 during SSL reloads). +- GC build hosts: server/audit/clippy on a Gitea Actions ubuntu runner; Windows agent on Pluto (windows-msvc runner). Build host repo: guru@172.16.3.30:~/guru-connect. + +### Commands & Outputs + +- Debt enumeration (build host worktree): `cd /tmp/gc-main/server && SQLX_OFFLINE=true CARGO_BUILD_TARGET=x86_64-unknown-linux-gnu cargo clippy --all-targets --all-features -- -D warnings` (exit 0 after fixes); `cargo audit --ignore RUSTSEC-2023-0071 --ignore RUSTSEC-2024-0413/-0416/-0412/-0418/-0415/-0420/-0419 --ignore RUSTSEC-2024-0429 --ignore RUSTSEC-2024-0370` (exit 0). +- Dependency tracing: `cargo tree -i gtk --target x86_64-pc-windows-msvc` (empty -> Linux-only). +- CI read (reliable path): `curl -H "Authorization: token " http://172.16.3.20:3000/api/v1/repos/azcomputerguru/guru-connect/actions/tasks?limit=8`. +- CI result ccc6ba9: Build Server (Linux) success, Build Agent (Windows) success, Security Audit running at session end. + +### Pending / Incomplete Tasks + +- Confirm Security Audit job conclusion for ccc6ba9 (was running; background poll b7wc4magr watching). +- Optional: reconcile docs/FEATURE_ROADMAP.md — signing, versioning, audit-gate, feature-request items shipped but still marked [ ] (use /gc-audit docs pass). +- Remaining GC roadmap P2 items: per-machine agent keys, multi-monitor switching, native-RC broker contract, frame-ancestors allowlist. + +### Reference Information + +- guru-connect commit: ccc6ba9c0289ef7fbd892c9eaafba1ef113f2a8c. claudetools commit: e211a3045af2530f4fe23b33c43916a5e744f790. +- Coord: lock 189a4e60 (released); component guruconnect/server -> built. 
+- CI run URL: https://git.azcomputerguru.com/azcomputerguru/guru-connect/actions/runs/23 +- Advisories ignored: RUSTSEC-2023-0071 (rsa), -2024-0413/0416/0412/0418/0415/0420/0419 (gtk-rs), -2024-0429 (glib), -2024-0370 (proc-macro-error).
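Review bot: the "Credentials & Secrets" section commits the live Gitea API token and the admin account passwords in plaintext to a tracked markdown file, which contradicts the "No Gitea token rotation" decision a few lines above: once pushed, the credential is exposed in git history regardless of whether it was the cause of the earlier failures. Replace the literal values with the vault reference the same line already gives (services/gitea.sops.yaml credentials.api.api-token), rotate the token and change the password, and consider a pre-commit secret scan for session-logs/ so this class of line cannot land again. Two smaller points in "Commands & Outputs": the `curl -H "Authorization: token " ...` line has an empty token value, so mark it as a placeholder (e.g. `token <from-vault>`) rather than leaving it looking truncated, and the `--ignore RUSTSEC-2024-0413/-0416/...` shorthand is not a form cargo-audit accepts (one `--ignore` per advisory ID, as the workflow's "10 documented --ignore flags" implies), so either write the command out in full or note that it is abbreviated.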