diff --git a/pkg/ueps/packet.go b/pkg/ueps/packet.go
index 3ee260e..b133b79 100644
--- a/pkg/ueps/packet.go
+++ b/pkg/ueps/packet.go
@@ -77,28 +77,24 @@ func (builder *PacketBuilder) MarshalAndSign(sharedSecret []byte) ([]byte, error
 return nil, err
 }
 
- // Threat Score is uint16, needs binary packing
+ // binary.BigEndian.PutUint16(threatScoreBytes, 100) → [0x00, 0x64]
 threatScoreBytes := make([]byte, 2)
 binary.BigEndian.PutUint16(threatScoreBytes, builder.Header.ThreatScore)
 if err := writeTLV(buffer, TagThreatScore, threatScoreBytes); err != nil {
 return nil, err
 }
 
- // 2. Calculate HMAC
- // The signature covers: Existing Header TLVs + The Payload
- // It does NOT cover the HMAC TLV tag itself (obviously)
+ // messageAuthCode.Write(buffer.Bytes()) → covers all header TLVs before the HMAC tag
 messageAuthCode := hmac.New(sha256.New, sharedSecret)
- messageAuthCode.Write(buffer.Bytes()) // The headers so far
- messageAuthCode.Write(builder.Payload) // The data
+ messageAuthCode.Write(buffer.Bytes())
+ messageAuthCode.Write(builder.Payload)
 signature := messageAuthCode.Sum(nil)
 
- // 3. Write HMAC TLV (0x06)
- // Length is 32 bytes for SHA256
+ // writeTLV(buffer, TagHMAC, signature) → [0x06, 0x20, <32 bytes>]
 if err := writeTLV(buffer, TagHMAC, signature); err != nil {
 return nil, err
 }
 
- // 4. Write Payload TLV (0xFF) — tag byte only; payload appended length-prefixless.
 // buffer.Bytes() → [...headerTLVs..., 0x06, 0x20, , 0xFF, ]
 buffer.WriteByte(TagPayload)
 buffer.Write(builder.Payload)
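Review bot: In MarshalAndSign the HMAC is taken over `buffer.Bytes()` immediately followed by `builder.Payload`, with no length or `TagPayload` byte between them, so the split between header TLVs and payload is not itself authenticated. Unless the verifier (not visible here) enforces a fixed header set and order, two different header/payload splits of the same byte string would carry the same valid signature. Binding the boundary, for example by also writing a fixed-width header length into `messageAuthCode` before the payload, would close that, though it changes the wire contract and needs the matching change on the verify side. The rewritten comment also loses the old statement that the payload is covered; I would word it as `// HMAC-SHA256 over header TLVs written so far || payload; the HMAC TLV itself is not covered`. The function begins and ends outside this hunk.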