diff --git a/.gitignore b/.gitignore
index 7fed7c1..34cbf23 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,13 @@
 .env.*.local
 *.pem
 *.key
+*.pfx
+*.p12
+*.token
+*.kdbx
+credentials.json
+secrets.json
+service-account*.json
 
 # Python
 __pycache__/
@@ -25,8 +32,6 @@ build/
 
 # Node / Frontend
 node_modules/
-dist/
-build/
 .vite/
 coverage/
 .eslintcache
@@ -40,6 +45,11 @@ test-results/
 *.o
 *.obj
 *.pdb
+*.lib
+*.exp
+*.idb
+*.ilk
+*.tlog
 
 # IDE
 .vscode/
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 38b3b9c..739f3e0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changelog
 
-All notable changes to Mimic. Format inspired by [Keep a Changelog](https://keepachangelog.com).
+All notable changes to Mimic. Format inspired by Keep a Changelog (https://keepachangelog.com).
 Versioning starts at `0.1.0` when sprint 0 lands.
 
 ## [Unreleased]
diff --git a/README.md b/README.md
index 01d2e6f..861426e 100644
--- a/README.md
+++ b/README.md
@@ -32,8 +32,8 @@ In-repo documentation:
 
 - **Backend** Python 3.12 / Flask / Flask-SocketIO / SQLAlchemy 2 / Pydantic 2 / Alembic / WeasyPrint / pytest + testcontainers / ruff / mypy strict
 - **Frontend** TypeScript / React 18+ / Vite / Tailwind 4 / TanStack Query 5 / Recharts / Playwright
-- **Storage** Postgres (prod) / SQLite (unit tests only)
-- **Deploy** Docker + Ansible
+- **Storage** Postgres (prod) / SQLite (pure-logic unit tests) / testcontainers Postgres (audit log, RBAC, write-only role — incl. unit tests of Postgres-specific behavior, per H38)
+- **Deploy** Docker images + Ansible deployment playbook (per D-010). Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure, out of Mimic scope (D-007).
 
 ## Layout
 
@@ -54,3 +54,7 @@ mimic/
 ## Build & run
 
 `make` targets land at the end of sprint 0. For now the repo is skeleton-only.
+
+## Licensing
+
+Internal — proprietary, RT use only. Do not redistribute.
diff --git a/tasks/spec-decisions.md b/tasks/spec-decisions.md
index d4f3c2a..e6ac316 100644
--- a/tasks/spec-decisions.md
+++ b/tasks/spec-decisions.md
@@ -72,6 +72,15 @@ scope extension:
 - Any drift between seeded group permissions and the F11 matrix is a spec
   violation, not a configuration choice.
 
+### D-010 — Ansible for the deployment playbook
+**Context.** Spec §7 names `Docker` only on the deploy line, but D-007 references
+a "deployment playbook" wiring Mimic behind the existing reverse proxy. The RT
+team uses Ansible for infrastructure automation across projects.
+**Decision.** Deployment artifacts are Docker images (built in repo) plus an
+Ansible playbook (lives outside the application repo, in the RT infra repo).
+Mimic itself ships only the Dockerfile and a sample compose for dev; production
+roll-out is Ansible-driven. The README stack line is updated accordingly.
+
 ### D-009 — `ttp_version` table forbidden (H32 reaffirmed)
 **Context.** Sprint 0 plan (B0.2) lists `ttp_version` among the initial tables.
 Spec hypothesis **H32** explicitly excludes this: *"Snapshot de rejouabilité =