diff --git a/server/src/db/events.rs b/server/src/db/events.rs
index 007b185..e84c404 100644
--- a/server/src/db/events.rs
+++ b/server/src/db/events.rs
@@ -40,9 +40,11 @@ impl EventTypes {
     // Failed connection events (security audit trail)
     pub const CONNECTION_REJECTED_NO_AUTH: &'static str = "connection_rejected_no_auth";
     pub const CONNECTION_REJECTED_INVALID_CODE: &'static str = "connection_rejected_invalid_code";
+    #[allow(dead_code)] // TODO(audit-events): emit on expired-code bind rejection
     pub const CONNECTION_REJECTED_EXPIRED_CODE: &'static str = "connection_rejected_expired_code";
     pub const CONNECTION_REJECTED_INVALID_API_KEY: &'static str =
         "connection_rejected_invalid_api_key";
+    #[allow(dead_code)] // TODO(audit-events): emit on cancelled-code bind rejection
     pub const CONNECTION_REJECTED_CANCELLED_CODE: &'static str =
         "connection_rejected_cancelled_code";
 }
diff --git a/server/src/middleware/rate_limit.rs b/server/src/middleware/rate_limit.rs
index f945ce9..285599c 100644
--- a/server/src/middleware/rate_limit.rs
+++ b/server/src/middleware/rate_limit.rs
@@ -325,12 +325,12 @@ fn too_many_requests(detail: &str, error_code: &str) -> Response {
 // Axum middleware functions (one per protected route)
 // ============================================================================
 
-/// Selects which limiter from [`RateLimitState`] a middleware uses.
-///
-/// Each protected route gets its own `from_fn_with_state` middleware pointing at
-/// the matching limiter; keeping them as distinct functions avoids threading an
-/// extra "which limiter" parameter through the layer and keeps the wiring in
-/// `main.rs` self-documenting.
+// Selects which limiter from `RateLimitState` a middleware uses.
+//
+// Each protected route gets its own `from_fn_with_state` middleware pointing at
+// the matching limiter; keeping them as distinct functions avoids threading an
+// extra "which limiter" parameter through the layer and keeps the wiring in
+// `main.rs` self-documenting.
 
 /// Rate-limit middleware for `POST /api/auth/login`.
 pub async fn login_rate_limit(