diff --git a/lib/pipelock.sh b/lib/pipelock.sh
index f09197f..ef9291e 100644
--- a/lib/pipelock.sh
+++ b/lib/pipelock.sh
@@ -330,6 +330,20 @@ pipelock_start() {
   # boot it with `sh -c 'mkdir + sleep'`, cp the file in, then start
   # the real pipelock by docker exec'ing it as PID-N. A simpler
   # approach: `docker create` + `docker cp` + `docker start`. Use that.
+  #
+  # Sidecar argv verification (PR #1 review). The pinned digest
+  # (CLAUDE_BOTTLE_PIPELOCK_IMAGE above) has:
+  #   ENTRYPOINT ["/pipelock"]
+  #   CMD        ["run", "--listen", "0.0.0.0:8888"]
+  # `pipelock run --help` documents `-l, --listen` (default
+  # 127.0.0.1:8888) as the forward-proxy listen address — the
+  # `--mcp-listen` flag is for the separate MCP HTTP listener and is
+  # not what we want here. `--config` reads the YAML and hot-reloads
+  # on file change; values in YAML can also drive the listen address
+  # via `fetch_proxy.listen`, but the CLI flag takes precedence and
+  # is the simpler contract for our launcher. Smoke-tested 2026-05-08
+  # by running this exact argv against the digest and confirming the
+  # /health endpoint responded on :8888.
   if ! docker create \
       --name "$name" \
       --network "$internal_network" \