diff --git a/session-logs/2026-04-21-session.md b/session-logs/2026-04-21-session.md
index 3cb6530..a5f4be9 100644
--- a/session-logs/2026-04-21-session.md
+++ b/session-logs/2026-04-21-session.md
@@ -274,3 +274,88 @@ VIP_NO_AUTODISCOVER, VPN_Ports, Webhost_Internal
 2. **Cloudflare alias** — consider applying to WAN rules to restrict to CF IPs only (security hardening)
 3. **Broad WAN pass rule** — review and tighten if possible
 4. **22 M365 tenants** — still need initial Tenant Admin consent (unchanged from earlier session)
+
+---
+
+## Note for Howard
+
+**Vault + SOPS age key setup required on ACG-Tech03L before remediation-tool will work.**
+
+### 1. Clone the vault repo
+
+Run in Git Bash (real terminal, not Claude Code shell):
+
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git D:/vault
+```
+
+Password: `Gptf*77ttb123!@#-git`
+
+### 2. Install the SOPS age key
+
+Create this file: `C:\Users\howard\.config\sops\age\keys.txt`
+
+Content (copy exactly):
+```
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+```
+
+### 3. Add vault_path to identity.json
+
+Edit `.claude/identity.json` in your ClaudeTools folder, add:
+```json
+"vault_path": "D:/vault"
+```
+
+### 4. Test
+
+```bash
+bash C:/claudetools/.claude/skills/remediation-tool/scripts/get-token.sh grabblaw.com investigator
+```
+
+Expected: JWT token starting with `eyJ...`
+
+---
+
+## Note for Mike (Mac)
+
+**Vault + SOPS age key setup required on Mikes-MacBook-Air before remediation-tool will work.**
+
+### 1. Clone the vault repo
+
+Run in a real terminal (not Claude Code shell):
+
+```bash
+git clone http://azcomputerguru@172.16.3.20:3000/azcomputerguru/vault.git ~/vault
+```
+
+Password: `Gptf*77ttb123!@#-git`
+
+### 2. Install the SOPS age key
+
+```bash
+mkdir -p ~/.config/sops/age
+cat > ~/.config/sops/age/keys.txt << 'AGEEOF'
+# created: 2026-03-30T13:53:19-07:00
+# public key: age1qz7ct84m50u06h97artqddkj3c8se2yu4nxu59clq8rhj945jc0s5excpr
+AGE-SECRET-KEY-1DE3V6V0ZLLZ45A7GA77M79CTN4LZQMTRCURP8VRGNLV6T2FSZEEQXUW2EU
+AGEEOF
+chmod 600 ~/.config/sops/age/keys.txt
+```
+
+### 3. Add vault_path to identity.json
+
+Edit `/Users/azcomputerguru/ClaudeTools/.claude/identity.json`, add:
+```json
+"vault_path": "/Users/azcomputerguru/vault"
+```
+
+### 4. Test
+
+```bash
+bash ~/ClaudeTools/.claude/skills/remediation-tool/scripts/get-token.sh grabblaw.com investigator
+```
+
+Expected: JWT token starting with `eyJ...`