diff --git a/session-logs/2026-05-31-howard-gururmm-roadmap-and-features.md b/session-logs/2026-05-31-howard-gururmm-roadmap-and-features.md
new file mode 100644
index 0000000..2d00143
--- /dev/null
+++ b/session-logs/2026-05-31-howard-gururmm-roadmap-and-features.md
@@ -0,0 +1,95 @@
+# Session Log — 2026-05-31 (Howard — GuruRMM roadmap reconciliation + UI features) [work spanned 2026-05-30 evening → 2026-05-31]
+
+## User
+- **User:** Howard Enos (howard)
+- **Machine:** Howard-Home
+- **Role:** tech
+
+## Session Summary
+
+Started by reviewing the GuruRMM roadmap for small fixes, produced an HTML "show notes" summary, and then built and deployed an app-wide React ErrorBoundary for the dashboard. Reconciled the roadmap against actual code: confirmed BUG-008/013/014 were already fixed (commits e7ccc4e, 94234af) and corrected their stale "Open" statuses. Deployed the ErrorBoundary to production (dashboard v0.2.30) via the manual dashboard deploy path (paramiko SSH, no authorized key on Howard-Home so password auth from vault).
+
+Ran a full roadmap reconciliation: 6 parallel general-purpose agents verified every checkbox-bearing section of the 2055-line FEATURE_ROADMAP.md + UI_GAPS.md against the live code (submodule 26f9779). The dominant finding was that the roadmap badly UNDERSTATED what is built. Applied 17 corrections: 8 bug status lines (BUG-001 agent temp collection landed; BUG-002/006 merged via PR #22; BUG-003 build-server.sh hardened in repo; BUG-007 all sqlx query! macros removed; BUG-009/010 isError handled; BUG-011 down to 3 :any); System Tray subsection (tray icon + connection-status flipped to [x] — a full gururmm-tray crate ships in the MSI, watchdog-supervised; 3 sub-items to [~]); per-site credentials, org multi-tenancy header, and discovery fleet view to [~]. Server/API (80+ items), Reporting, Bulk Actions, Client Portal, most Integrations, and Security/Infra all confirmed accurate as-is. Committed 070c50a.
+
+Then executed the "finish in-flight partials" track (user-selected). Built + reviewed + deployed two UI-only features over already-complete backends: (1) MSPBackups agent↔backup mappings/verify UI (commit 22598c2) and (2) dev-admin user impersonation UI (commit 21c98dc — useAuth session swap with localStorage stash + full reload, app-wide amber banner in Layout, gated Impersonate button in Organizations). Discovered the planned third item (Discovery fleet-wide view) is NOT a pure partial — no all-sites aggregation endpoint exists, it needs new backend + RBAC-scoped cross-site query — so it was dropped (no stakeholder provenance; audit-generated). Deployed dashboard v0.2.32 with both features (origin-verified).
+
+Lined up the remaining bug tails. Fixed BUG-009 + BUG-011 tails (commit def0d34, pushed, not yet deployed). Settled #4 (dashboard fleet counts): the Dashboard already loads the full agent list to render the prioritized-agents panel, so recomputing counts is free — wiring /stats would be redundant; the only cleanup is removing the unused /agents/stats + /metrics/summary endpoints (server change, deferred). Per user decision, #3 (AgentDetail Client row enrich) is server-only and was deferred behind the documented build-server.sh outage risk (BUG-003).
+
+Finally, in response to a Howard feature request (the logged-in user now shows correctly post-BUG-013 but doesn't indicate local vs domain), wrote SPEC-021 (logged-in user domain & account-type detection) and added it to the roadmap with provenance. Spec covers Windows WTSDomainName + GetComputerNameEx (local-vs-domain) + NetGetJoinInformation (machine join state), a 4-field data model, and DOMAIN\user display with Local/Domain badges. Committed 932c701 → pushed 31d7f39.
+
+## Key Decisions
+
+- Wrote Howard-namespaced session logs (other users' logs exist for the same dates) rather than appending to the shared `*-session.md`.
+- Delegated all production code generation to Coding Agents and all git ops to the Gitea Agent (some doc/trivial commits done directly for momentum), per the coordinator model. Reviewed every diff before commit (mandatory-review rule).
+- Roadmap reconciliation: did NOT auto-change judgment-call markings (MSPBackups Phase-1 items, macOS agent [ ]→[~], code signing, dashboard "WebSocket live data" [x], BUG-001 roadblock prose) — surfaced them for a product decision instead.
+- Dropped Discovery fleet-wide view: it has no stakeholder provenance (audit-generated) and isn't a UI-only partial (needs an RBAC-scoped backend endpoint — a security decision). Corrected my own earlier mis-bucketing of it.
+- Impersonation design: full page reload on swap/exit (window.location.assign("/")) to guarantee no cross-identity React Query cache bleed; original admin token stashed in localStorage and restored on exit; logout clears impersonation keys.
+- Deferred all server-touching tails (#3 Client row, #4 dead-endpoint removal) behind the build-server.sh risk documented in BUG-003 (2026-05-25 migration crash-loop outage; deployed copy still unhardened). Server rebuilds are not to be triggered casually as part of a bug sweep.
+- SPEC-021 chosen over inline build: captured the Howard request as a spec first (provenance) before building, since it is full-stack (agent MSI rebuild + server migration + dashboard).
+
+## Problems Encountered
+
+- **Submodule fetch failure on /sync** (`fatal: not our ref d1b35f4`): an orphaned intermediate guru-connect submodule pointer from a rebased history broke `git fetch --recurse-submodules`. Resolved by recognizing the local auto-commit was redundant (both submodule SHAs already matched origin/main) and `git reset --hard origin/main`, then re-running sync cleanly.
+- **paramiko helper UnicodeEncodeError**: vite's `✓` char crashed cp1252 stdout. Fixed by writing raw bytes via `sys.stdout.buffer.write`.
+- **Multiline SSH command mangled**: Python `repr()` escaped newlines to literal `\n`. Fixed by base64-encoding the script and `base64 -d | bash` on the remote.
+- **No authorized SSH key on Howard-Home** for guru@172.16.3.30: used paramiko password auth (vault) instead of system OpenSSH.
+- **Public dashboard URL returns 403 to curl**: Cloudflare bot challenge (`cf-mitigated: challenge`), not a deploy failure — verified deploys at the origin nginx (localhost + Host header) instead.
+- **Repeated non-fast-forward pushes** on the gururmm submodule: the build server's webhook auto-bumps dashboard package.json version ([ci-version-bump]) on each push. Handled by rebasing each commit onto the version bump (non-conflicting).
+
+## Configuration Changes
+
+GuruRMM submodule (`projects/msp-tools/guru-rmm`, repo azcomputerguru/gururmm):
+- **Created:** `dashboard/src/components/ErrorBoundary.tsx`
+- **Created:** `docs/specs/SPEC-021-logged-in-user-domain-detection.md`
+- **Modified:** `dashboard/src/App.tsx` (ErrorBoundary wiring)
+- **Modified:** `dashboard/src/api/client.ts` (mappings types + methods)
+- **Modified:** `dashboard/src/pages/MSPBackups.tsx` (Backup Mappings section)
+- **Modified:** `dashboard/src/hooks/useAuth.tsx` (impersonation session swap)
+- **Modified:** `dashboard/src/components/Layout.tsx` (impersonation banner)
+- **Modified:** `dashboard/src/pages/Organizations.tsx` (Impersonate button)
+- **Modified:** `dashboard/src/pages/Logs.tsx` (BUG-009 tail — analysis-runs isError)
+- **Modified:** `dashboard/src/pages/Updates.tsx` (BUG-011 tail — removed 3 :any)
+- **Modified:** `docs/FEATURE_ROADMAP.md` (17 reconciliation edits + SPEC-021 entries)
+- **Modified:** `docs/UI_GAPS.md` (reconciliation + 2 gaps marked complete)
+
+ClaudeTools root:
+- **Created:** `gururmm-small-fixes.html` (show-notes artifact, committed earlier in session)
+
+Production build server (172.16.3.30): dashboard rebuilt + rsynced twice (v0.2.30, then v0.2.32) to `/var/www/gururmm/dashboard/`; backups under `/var/www/gururmm/dashboard.bak-*` (pruned to 3).
+
+## Credentials & Secrets
+
+- **gururmm-build server (172.16.3.30) SSH + sudo password:** `Gptf*77ttb123!@#-rmm` — vault path `infrastructure/gururmm-server.sops.yaml` (field under credentials; SSH password == sudo password). Used for paramiko deploys. No new secrets created.
+
+## Infrastructure & Servers
+
+- **Build/app server:** 172.16.3.30 (gururmm / gururmm-build), Ubuntu 22.04. SSH guru@172.16.3.30 (password auth from this machine — no key installed). Dashboard nginx root `/var/www/gururmm/dashboard/` (guru-owned); repo clone `/home/guru/gururmm`; build pipeline `/opt/gururmm/`.
+- **Public dashboard:** https://rmm.azcomputerguru.com — fronted by Cloudflare (bot challenge 403s plain curl; verify at origin). API host rmm-api.azcomputerguru.com (not challenged).
+- **Dashboard deploy (manual):** `cd /home/guru/gururmm && git pull; cd dashboard && npm run build; sudo rsync -a --delete dist/ /var/www/gururmm/dashboard/`. Webhook pipeline only builds agents/server, NOT dashboard.
+- **Coord component updated:** gururmm/dashboard → deployed, v0.2.32.
+
+## Commands & Outputs
+
+- Deploy verify (origin, bypassing Cloudflare): `curl -fsS -H "Host: rmm.azcomputerguru.com" http://127.0.0.1/` → HTTP 200; bundle grep confirmed feature strings ("Backup Mappings", "Impersonating") present.
+- Submodule sync recovery: `git reset --hard origin/main` (dropped redundant auto-commit referencing orphaned submodule ref).
+- paramiko SSH pattern: base64-encode script locally → `echo <b64> | base64 -d | bash` (or `sudo -S -p '' bash`) on remote; `sys.stdout.buffer.write` for byte-safe output.
+
+## Pending / Incomplete Tasks
+
+- **Deploy BUG-009 + BUG-011 tails** (commit def0d34) — pushed, not deployed; trivial dashboard rsync whenever.
+- **#3 AgentDetail Client row enrich** — server-only (get_agent hardcodes client_name: None; enrich via site→client JOIN, add client_id to AgentResponse). Deferred behind build-server.sh risk. Scoped: `server/src/db/agents.rs` (From<Agent> at :68, AgentWithDetails JOIN at :315-319), `server/src/api/agents.rs` get_agent at :124.
+- **#4 Remove dead endpoints** `/agents/stats` + `/metrics/summary` (unused; Dashboard recompute is correct since it loads the list anyway) — server change, deferred.
+- **BUG-015** (agent not in Programs & Features) — WiX ARP props per SPEC-011; needs MSI rebuild + Windows verification. Howard-reported.
+- **SPEC-021** (logged-in user domain/account-type) — spec written; build pending (agent Windows + migration + dashboard; full multi-deploy).
+- **Judgment-call roadmap markings** to settle: MSPBackups Phase-1 items (verify alert-emission path then likely [x]), macOS agent [ ]→[~]?, agent code signing [ ]→[~]?, dashboard "WebSocket live data" [x]→[~]?, BUG-001 roadblock prose (stale — a Windows LHM-via-WMI reader path now exists in code).
+- **Server batch (BUG-003 prerequisite):** consider hardening the DEPLOYED build-server.sh before any server rebuild.
+
+## Reference Information
+
+- **gururmm commit SHAs:** ErrorBoundary 5dd7d80; roadmap reconcile 070c50a; MSPBackups mappings 22598c2; impersonation 21c98dc; UI_GAPS complete 9ff9c52; BUG-009/011 tails def0d34; SPEC-021 932c701 → final pushed tip 31d7f39. (Interleaved [ci-version-bump] commits: 26f9779, 43d2bef, 8283ca2, etc.)
+- **claudetools parent sync tips:** a26b410, c444166, 6fbc5a0, 1ff8a72.
+- **Already-fixed bug commits:** BUG-008 e7ccc4e; BUG-013/014 94234af; BUG-002/006 PR #22 (943edd0/98b97bd, merge e6d1e9c); BUG-003 hardening 7146f4b; BUG-007 macros removed.
+- **Specs:** SPEC-021 `docs/specs/SPEC-021-logged-in-user-domain-detection.md`; related SPEC-010 (agent UX), SPEC-011 (ARP/BUG-015), SPEC-018 (valuable errors / BUG-008 successor).
+- **Roadmap:** `projects/msp-tools/guru-rmm/docs/FEATURE_ROADMAP.md` (2055 lines), `docs/UI_GAPS.md`.
+- **Dashboard versions deployed:** v0.2.30 (ErrorBoundary), v0.2.32 (mappings + impersonation). Live bundle index-Di8C-nbq.js.
+- **BUG-013 agent code:** `agent/src/metrics/mod.rs:541-554` (WTSGetActiveConsoleSessionId + WTSQuerySessionInformationW) — SPEC-021 extends this.