diff --git a/authority/authority.go b/authority/authority.go
index ae8b9a56..c3155d96 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -94,7 +94,7 @@ type Authority struct {
 // If true, do not initialize the authority
 skipInit bool
 
- // If true, does not output initialization logs
+ // If true, do not output initialization logs
 quietInit bool
 }
 
@@ -603,9 +603,13 @@ func (a *Authority) init() error {
 return admin.WrapErrorISE(err, "error loading provisioners to initialize authority")
 }
 if len(provs) == 0 && !strings.EqualFold(a.config.AuthorityConfig.DeploymentType, "linked") {
+ // Migration will currently only be kicked off once, because either one or more provisioners
+ // are migrated or a default JWK provisioner will be created in the DB. It won't run for
+ // linked or hosted deployments. Not for linked, because that case is explicitly checked
+ // for above. Not for hosted, because there'll be at least an existing OIDC provisioner.
 var firstJWKProvisioner *linkedca.Provisioner
 if len(a.config.AuthorityConfig.Provisioners) > 0 {
- // Existing provisioners detected; try migrating them to DB storage
+ // Existing provisioners detected; try migrating them to DB storage.
 a.initLogf("Starting migration of provisioners")
 for _, p := range a.config.AuthorityConfig.Provisioners {
 lp, err := ProvisionerToLinkedca(p)
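Review bot: The comment added right after the `if len(provs) == 0 && ...` guard documents a once-only, not-for-hosted guarantee that the guard itself does not enforce: it only checks that the DB holds no provisioners and that the deployment type is not the literal `"linked"`. If the loop below writes provisioners to the DB one at a time and fails part-way (the store call is outside this hunk, so this is inferred), the next start-up finds a non-empty DB and silently skips the config provisioners that were not yet migrated, possibly including the JWK provisioner that would have received admin rights. The hosted exclusion likewise rests only on the assumption that an OIDC provisioner already exists in the DB. I would make that explicit in the guard, `&& !strings.EqualFold(a.config.AuthorityConfig.DeploymentType, "hosted")`, and reword the comment to state the partial-failure caveat, e.g. `// NOTE: if a migration run fails half-way, the remaining config provisioners are not retried on the next start, because the DB is then no longer empty.` init() continues outside this hunk.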
@@ -621,14 +625,12 @@ func (a *Authority) init() error {
 // Mark the first JWK provisioner, so that it can be used for administration purposes
 if firstJWKProvisioner == nil && lp.Type == linkedca.Provisioner_JWK {
 firstJWKProvisioner = lp
- a.initLogf("Migrated JWK provisioner %q with admin permissions", p.GetName()) // TODO(hs): change the wording?
+ a.initLogf("Migrated JWK provisioner %q with admin permissions", p.GetName())
 } else {
 a.initLogf("Migrated %s provisioner %q", p.GetType(), p.GetName())
 }
 }
 
- // TODO(hs): test if this works with LinkedCA too. Also could be useful
- // for printing out where the configuration is read from in case of LinkedCA.
 c := a.config
 if c.WasLoadedFromFile() {
 // TODO(hs): check if prerequisites for writing files look OK (user/group, permission bits, etc) as
@@ -659,7 +661,7 @@ func (a *Authority) init() error {
 if err != nil {
 return admin.WrapErrorISE(err, "error creating first provisioner")
 }
- a.initLogf("Created JWK provisioner %q with admin permissions", firstJWKProvisioner.GetName()) // TODO(hs): change the wording?
+ a.initLogf("Created JWK provisioner %q with admin permissions", firstJWKProvisioner.GetName())
 }
 
 // Create first super admin, belonging to the first JWK provisioner
diff --git a/pki/pki.go b/pki/pki.go
index cf7c7d09..df65a721 100644
--- a/pki/pki.go
+++ b/pki/pki.go
@@ -900,7 +900,7 @@ func (p *PKI) GenerateConfig(opt ...ConfigOption) (*authconfig.Config, error) {
 // TODO(hs): the logic for creating the provisioners and the super admin
 // is similar to what's done when automatically migrating the provisioners.
 // This is related to the existing comment above. Refactor this to exist in
- // a single place and ensure it happensonly once.
+ // a single place and ensure it happens only once.
 _db, err := db.New(cfg.DB)
 if err != nil {
 return nil, err
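Review bot: The wording kept on the `+` line, `"Migrated JWK provisioner %q with admin permissions"` (and its counterpart `"Created JWK provisioner %q with admin permissions"` in the hunk at 659), describes the effect loosely: per the surrounding comments the provisioner itself gains no permissions, it is marked as the one the first super admin is created under, so presumably whoever holds that provisioner's key can then act as super admin. Since this log line is the only place an operator learns which key was promoted, and the choice is simply the first JWK entry in config order, I would have the message say that, e.g. `a.initLogf("Migrated JWK provisioner %q; the first super admin will be created under it", p.GetName())` and `a.initLogf("Created JWK provisioner %q; the first super admin will be created under it", firstJWKProvisioner.GetName())`. The removed `// TODO(hs): change the wording?` markers raised exactly this question, so if the wording is being settled here it is worth settling on the precise form. The for loop and init() enclosing this hunk start and end outside it.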