diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..42734ef
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,11 @@
+## What changed and why
+
+## Dry-run result
+
+- [ ] Triggered:
+ `gh workflow run safe-settings-sync.yml --repo IntegratedDynamic/admin --ref $BRANCH -f nop=true`
+- [ ] Output reviewed — no unexpected diffs
+- [ ] Known safe-settings bugs not triggered:
+ - `bypass_pull_request_allowances` not added to any suborg file
+ - `contexts:` uses `[]`, not a placeholder string
+ - No subdirectory added to `.github/suborgs/`
diff --git a/CLAUDE.md b/CLAUDE.md
index 95a888f..a751cf4 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -68,7 +68,8 @@ Only declare what **changes** at each level — everything else is inherited via
 Controls the safe-settings **process** (not individual repos):
-- `restrictedRepos.exclude` — repos safe-settings will never touch (currently: `admin`, `.github`)
+- `restrictedRepos.exclude` — repos safe-settings will never touch (currently: `.github` only —
+ `admin` is managed like any other repo)
 - `configvalidators` — validate a single setting value (e.g. block admin collaborator permission)
 - `overridevalidators` — validate when a suborg/repo overrides an org setting (e.g. block lowering `required_approving_review_count` below org baseline)
diff --git a/deployment-settings.yml b/deployment-settings.yml
index 151822d..0b6047d 100644
--- a/deployment-settings.yml
+++ b/deployment-settings.yml
@@ -9,10 +9,7 @@
 # Add any repo that manages its own settings independently.
 restrictedRepos:
 exclude:
- - admin # the settings repo itself
 - .github # org-level .github repo
- # safe-settings repo deleted — app runs from github/safe-settings via GitHub Actions
- # gitops and infrastructure are now managed — remove to re-exclude
 # configvalidators: validate a setting value in isolation.
 # The script receives `baseconfig` (the setting being applied) and must return true/false.
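Review bot: In `deployment-settings.yml`, dropping `admin` from `restrictedRepos.exclude` puts the repository that holds these policy files under safe-settings' own enforcement, and the remaining list carries no comment saying that this is deliberate. The deleted comment lines were the only record of why entries came and went, so a later reader cannot tell an intentional inclusion from an accidental omission. I would add a line above `- .github` such as `# admin is intentionally managed by safe-settings; re-excluding it removes enforcement from the policy repo`. Nothing visible in this hunk shows which org, suborg or repo file now supplies `admin`'s branch protection, so the dry-run output should be read specifically for the rules that repo will receive. The comment block above `restrictedRepos:` starts outside the hunk.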