diff --git a/pkg/node/peer.go b/pkg/node/peer.go
index 9fde5f5..3254fe2 100644
--- a/pkg/node/peer.go
+++ b/pkg/node/peer.go
@@ -153,7 +153,8 @@ func NewPeerRegistryWithPath(peersPath string) (*PeerRegistry, error) {
 return pr, nil
 }
 
-// SetAuthMode sets the authentication mode for peer connections.
+// registry.SetAuthMode(PeerAuthAllowlist) // require pre-registration
+// registry.SetAuthMode(PeerAuthOpen) // allow any peer (default)
 func (r *PeerRegistry) SetAuthMode(mode PeerAuthMode) {
 r.allowedPublicKeyMutex.Lock()
 defer r.allowedPublicKeyMutex.Unlock()
@@ -161,14 +162,14 @@ func (r *PeerRegistry) SetAuthMode(mode PeerAuthMode) {
 logging.Info("peer auth mode changed", logging.Fields{"mode": mode})
 }
 
-// GetAuthMode returns the current authentication mode.
+// if registry.GetAuthMode() == PeerAuthAllowlist { /* enforce allowlist */ }
 func (r *PeerRegistry) GetAuthMode() PeerAuthMode {
 r.allowedPublicKeyMutex.RLock()
 defer r.allowedPublicKeyMutex.RUnlock()
 return r.authMode
 }
 
-// AllowPublicKey adds a public key to the allowlist.
+// registry.AllowPublicKey(peer.PublicKey) // permit this key without pre-registration
 func (r *PeerRegistry) AllowPublicKey(publicKey string) {
 r.allowedPublicKeyMutex.Lock()
 defer r.allowedPublicKeyMutex.Unlock()
@@ -176,7 +177,7 @@ func (r *PeerRegistry) AllowPublicKey(publicKey string) {
 logging.Debug("public key added to allowlist", logging.Fields{"key": safeKeyPrefix(publicKey)})
 }
 
-// RevokePublicKey removes a public key from the allowlist.
+// registry.RevokePublicKey(peer.PublicKey) // block this key on next connect attempt
 func (r *PeerRegistry) RevokePublicKey(publicKey string) {
 r.allowedPublicKeyMutex.Lock()
 defer r.allowedPublicKeyMutex.Unlock()
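Review bot: The replacement comment on SetAuthMode no longer starts with the function name or says what the method does, so godoc and exported-comment linters lose the summary line; the same applies to GetAuthMode and AllowPublicKey in the second hunk and RevokePublicKey in the third. I would keep `// SetAuthMode sets the authentication mode for peer connections.` as the first line and place the two usage lines beneath it. Because the example states that PeerAuthOpen is the default and allows any peer, the prose should say so as well, e.g. `// The default, PeerAuthOpen, accepts any peer; use PeerAuthAllowlist to restrict connections to allowlisted keys.`, assuming that is what the modes enforce, which this hunk does not show. SetAuthMode's body continues outside the hunk.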
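Review bot: The AllowPublicKey example says the key is permitted "without pre-registration", while the SetAuthMode comment in the first hunk describes PeerAuthAllowlist as requiring pre-registration, so a reader cannot tell whether allowlisting a key is the pre-registration step or a way around it. For an access-control entry point that ambiguity matters; if the allowlist is what PeerAuthAllowlist checks, I would word it as `// AllowPublicKey adds a public key to the allowlist.` followed by `// registry.AllowPublicKey(peer.PublicKey) // accept this key when the mode is PeerAuthAllowlist`. The enforcement code is not visible here, so the exact wording should be confirmed against it.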
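Review bot: "block this key on next connect attempt" on RevokePublicKey leaves two access-control details implicit: whether a peer already connected with that key stays connected, and whether revocation blocks anything while the mode is PeerAuthOpen. Neither can be read from this hunk, and the function body runs past its end, but an operator revoking a compromised key needs both stated. I would keep `// RevokePublicKey removes a public key from the allowlist.` and add a sentence such as `// Established connections are not closed, and the allowlist is only consulted in PeerAuthAllowlist mode.` once that behaviour is confirmed.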