diff --git a/.gitea/workflows/lint-no-tenant-gitea-token.yml b/.gitea/workflows/lint-no-tenant-gitea-token.yml
index ddd548f9f..d98849f54 100644
--- a/.gitea/workflows/lint-no-tenant-gitea-token.yml
+++ b/.gitea/workflows/lint-no-tenant-gitea-token.yml
@@ -1,4 +1,4 @@
-name: Lint no tenant GITEA/GITHUB token write
+name: Lint no tenant Gitea-GitHub token write
 
 # Task #146 — CI guardrail companion to RFC#523's `lint-forbidden-env-keys.yml`.
 #
@@ -58,6 +58,8 @@ env:
   GITHUB_SERVER_URL: https://git.moleculesai.app
 
 jobs:
+  # bp-exempt: merge protection is enforced through CI / all-required; this
+  # workflow is a component guardrail context rather than a direct BP context.
   scan:
     name: Scan for repo-host token write into tenant workspace surface
     runs-on: ubuntu-latest