diff --git a/packages/core/src/notify_bridge_core/providers/immich/client.py b/packages/core/src/notify_bridge_core/providers/immich/client.py
index 5a31f37..93b2a86 100644
--- a/packages/core/src/notify_bridge_core/providers/immich/client.py
+++ b/packages/core/src/notify_bridge_core/providers/immich/client.py
@@ -61,14 +61,15 @@ class ImmichClient:
         # SSRF guard — admin-set Immich URLs are loaded from provider config
         # which can be mutated via PATCH /api/providers or imported via
         # prepare-restore, so we revalidate at construction time rather than
-        # trusting DB state. ``NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1`` bypasses
-        # for dev against localhost Immich.
+        # trusting DB state. Homelab deployments pointing at RFC1918 targets
+        # must set ``NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1`` in the runtime env.
         if self._url:
             try:
                 validate_outbound_url(self._url)
             except UnsafeURLError as err:
                 raise UnsafeURLError(
-                    f"Refusing to build ImmichClient for unsafe URL {self._url!r}: {err}"
+                    f"Refusing to build ImmichClient for unsafe URL {self._url!r}: {err}. "
+                    "If this is a LAN/homelab Immich, set NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1."
                 ) from err
 
     @property
@@ -81,9 +82,8 @@ class ImmichClient:
 
     @external_domain.setter
     def external_domain(self, value: str | None) -> None:
-        # Mirror the constructor's SSRF guard — external_domain is used to
-        # build URLs that leak into rendered notifications, but any code path
-        # that eventually fetches this URL would otherwise bypass the check.
+        # Mirror the constructor's SSRF guard.  Set
+        # ``NOTIFY_BRIDGE_ALLOW_PRIVATE_URLS=1`` for LAN/homelab targets.
         if value:
             try:
                 validate_outbound_url(value)