diff --git a/frontend/src/lib/components/PersonMentionEditor.svelte b/frontend/src/lib/components/PersonMentionEditor.svelte
index e194e0e2..57c6102b 100644
--- a/frontend/src/lib/components/PersonMentionEditor.svelte
+++ b/frontend/src/lib/components/PersonMentionEditor.svelte
@@ -94,6 +94,11 @@ function scheduleSearch(q: string) {
 }
 debounceTimer = setTimeout(async () => {
 try {
+ // SECURITY: relies on the SvelteKit Vite proxy injecting the auth_token
+ // cookie as the Authorization header (vite.config.ts) and on the
+ // browser's same-origin policy for the /api/* path. Mounted in
+ // transcribe mode behind WRITE_ALL — never reachable to unauthenticated
+ // users.
 const res = await fetch(`/api/persons?q=${encodeURIComponent(q)}`);
 if (res.ok) {
 const data: Person[] = await res.json();
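Review bot: The new SECURITY comment above the `fetch` documents guarantees that nothing in this hunk enforces, and two of them are doubtful as stated: a Vite proxy rule in vite.config.ts only runs under the dev server, so the header injection it describes does not exist in a production build unless a separate reverse proxy replicates it, and the same-origin policy restricts reading cross-origin responses rather than authenticating this request. The "never reachable to unauthenticated users" claim rests on client-side mounting behind WRITE_ALL, which is a UX gate; the only control that actually protects the data is the backend's authorization check on `/api/persons`. I would reword the comment to state the real dependency and the open assumption, e.g. `// NOTE: authorization is enforced server-side on /api/persons; the WRITE_ALL mount gate is UX only.` followed by `// TODO confirm how the auth_token cookie reaches the API outside the Vite dev proxy.` The enclosing scheduleSearch body begins before this hunk and the setTimeout callback continues past its last line.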