diff --git a/bin/update_sops.sh b/bin/update_sops.sh index da368a0..f7535f2 100755 --- a/bin/update_sops.sh +++ b/bin/update_sops.sh @@ -3,6 +3,7 @@ set -euo pipefail function fn_gpg_extract_fpr(){ + # PURPOSE: get fingerprint from gpg keyfile gpgkeyfile=$1;shift; # fingerprint # caveat: restrict to netgo.de email, use-case: @@ -14,6 +15,7 @@ function fn_gpg_extract_fpr(){ } function fn_gpg_extract_uid(){ + # PURPOSE: get user-id from gpg keyfile gpgkeyfile=$1;shift; # user id # caveat: restrict to netgo.de email, use-case: @@ -25,6 +27,7 @@ function fn_gpg_extract_uid(){ } function fn_sops_locate_config_in_git_repo(){ + # PURPOSE: locate sops config # Returns path sops config to be updated; defaults to returning "$(git rev-parse --show-toplevel)/.sops.yaml" # sops locates config by recursively walking _up_ the tree from the execeution dir context, # + _but_ does not have a mechanism to update the sops config @@ -54,6 +57,7 @@ function fn_sops_locate_config_in_git_repo(){ } function fn_sops_generate_config(){ + # PURPOSE: generate sops config based on keyfiles # sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files # CAVEAT: dirty hacks, as DRY as feasible within bash @@ -102,7 +106,7 @@ EOM } fn_sops_updatekeys_and_verify(){ - # call 'sops updatekeys' and dump contents of file so end user can visually verify functionality + # PURPOSE: call 'sops updatekeys' and dump contents of file so end user can visually verify functionality sops_enc_file="${1}";shift; # update keys in secrets file test -e "${sops_enc_file}" || exit 1
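Review bot: The new PURPOSE line on fn_gpg_extract_fpr (and the matching one on fn_gpg_extract_uid in the next hunk) leaves out the trust assumption behind the existing caveat about restricting to netgo.de addresses. A UID inside a key file is self-asserted, so the email filter picks a UID but does not authenticate the key. If the extracted fingerprint ends up as a sops recipient, which the "generate sops config based on keyfiles" comment suggests, I would extend the line to `# PURPOSE: get fingerprint from gpg keyfile; keyfiles must come from a reviewed source, the email filter is not authentication`. Separately, `gpgkeyfile=$1;shift;` assigns a global that both extract functions share; `local gpgkeyfile=$1; shift` keeps it scoped. Both function bodies continue outside their hunks.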
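Review bot: The PURPOSE comment on fn_sops_updatekeys_and_verify says the file's contents are dumped for visual verification, but not that this presumably puts decrypted secrets on stdout, where terminal scrollback or captured CI logs would retain them. I would add `# CAVEAT: prints plaintext secrets to stdout; run interactively only, never where output is logged`. The guard `test -e "${sops_enc_file}" || exit 1` also ends the whole script without a message; `test -e "${sops_enc_file}" || { echo "missing file: ${sops_enc_file}" >&2; exit 1; }` would tell the operator which file was missing. The function body continues outside the hunk.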