diff --git a/phase9_security.sh b/phase9_security.sh index cef23c3..357832e 100755 --- a/phase9_security.sh +++ b/phase9_security.sh @@ -32,6 +32,7 @@ TEMP_BASE="/tmp/gitea-migration-security" GITEA_BASE_URL="${GITEA_INTERNAL_URL%/}" ASKPASS_SCRIPT="" +# Clean up cloned repos and ephemeral auth script on exit (even on failure). cleanup() { rm -rf "$TEMP_BASE" if [[ -n "$ASKPASS_SCRIPT" ]]; then @@ -40,6 +41,9 @@ cleanup() { } trap cleanup EXIT +# Create an ephemeral GIT_ASKPASS script so tokens are never embedded in +# git remote URLs. Git calls this script with "Username for ..." or +# "Password for ..." and the script responds from environment variables. setup_git_auth() { ASKPASS_SCRIPT=$(mktemp) cat > "$ASKPASS_SCRIPT" <<'EOF'
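Review bot: The comment added above `cleanup()` documents the removal, but `rm -rf "$TEMP_BASE"` still targets the fixed path `/tmp/gitea-migration-security` shown at the top of the hunk. On a shared host another local user can create that directory first, and could then read or influence what is cloned into it. `setup_git_auth` already uses `mktemp`, so the same approach fits here: `TEMP_BASE=$(mktemp -d)` together with `rm -rf -- "${TEMP_BASE:?}"`. How the directory is created, and whether other code relies on the fixed name, is outside this hunk and should be confirmed first. The body of `cleanup` continues past the end of the hunk.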
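Review bot: In the second hunk, `ASKPASS_SCRIPT=$(mktemp)` is not checked. If `mktemp` fails, the following `cat > "$ASKPASS_SCRIPT"` redirects to an empty filename, and what happens next depends on whether the script runs under `set -e`, which is not visible here. A guard such as `ASKPASS_SCRIPT=$(mktemp) || return 1` makes that failure explicit. The new header comment could also state that the quoted `<<'EOF'` delimiter keeps the token out of the file itself, and name the environment variables the helper reads. The body of `setup_git_auth` continues outside the hunk.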