diff --git a/krillnotes-core/src/core/storage.rs b/krillnotes-core/src/core/storage.rs
index 8e286959..3db5eef2 100644
--- a/krillnotes-core/src/core/storage.rs
+++ b/krillnotes-core/src/core/storage.rs
@@ -33,6 +33,9 @@ impl Storage {
     pub fn create<P: AsRef<Path>>(path: P, password: &str) -> Result<Self> {
         let conn = Connection::open(path)?;
         if !password.is_empty() {
+            // SQLCipher's PRAGMA key doesn't support parameterized queries (?-binding),
+            // so string interpolation is required. Single-quote doubling ('') is the
+            // standard SQL literal escape and is sufficient to prevent injection here.
             let escaped = password.replace('\'', "''");
             conn.execute_batch(&format!("PRAGMA key = '{escaped}';\n"))?;
         }
@@ -58,6 +61,9 @@ impl Storage {
     pub fn open<P: AsRef<Path>>(path: P, password: &str) -> Result<Self> {
         let conn = Connection::open(path.as_ref())?;
         if !password.is_empty() {
+            // SQLCipher's PRAGMA key doesn't support parameterized queries (?-binding),
+            // so string interpolation is required. Single-quote doubling ('') is the
+            // standard SQL literal escape and is sufficient to prevent injection here.
             let escaped = password.replace('\'', "''");
             conn.execute_batch(&format!("PRAGMA key = '{escaped}';\n"))?;
         }