chore: tighten gitignore, align README stack, formalize D-010 (Ansible)

- .gitignore: add Keycloak/Mythic/Fernet secret patterns (pfx, p12, token, kdbx,
  credentials.json, secrets.json, service-account*.json), MSVC artifacts
  (lib, exp, idb, ilk, tlog), dedup dist/build/ between Python and Node blocks.
- README.md: align Storage line on H38 (testcontainers Postgres for Postgres-
  specific behavior, incl. unit tests of audit log / RBAC / write-only role).
- README.md: align Deploy line on D-007/D-010 — Docker + Ansible playbook,
  reverse proxy explicitly out-of-Mimic.
- README.md: add proprietary internal use notice.
- CHANGELOG.md: convert markdown link to inline URL (no dangling reference).
- tasks/spec-decisions.md: add D-010 (Ansible for deployment playbook).

Addresses code-reviewer M1/M2/M3 + N2/N3/N4/N6 on commit 047583e.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

README.md

@@ -32,8 +32,8 @@ In-repo documentation:
 
 - **Backend** Python 3.12 / Flask / Flask-SocketIO / SQLAlchemy 2 / Pydantic 2 / Alembic / WeasyPrint / pytest + testcontainers / ruff / mypy strict
 - **Frontend** TypeScript / React 18+ / Vite / Tailwind 4 / TanStack Query 5 / Recharts / Playwright
-- **Storage** Postgres (prod) / SQLite (unit tests only)
-- **Deploy** Docker + Ansible
+- **Storage** Postgres (prod) / SQLite (pure-logic unit tests) / testcontainers Postgres (audit log, RBAC, write-only role — incl. unit tests of Postgres-specific behavior, per H38)
+- **Deploy** Docker images + Ansible deployment playbook (per D-010). Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure, out of Mimic scope (D-007).
 
 ## Layout
 
@@ -54,3 +54,7 @@ mimic/
 ## Build & run
 
 `make` targets land at the end of sprint 0. For now the repo is skeleton-only.
+
+## Licensing
+
+Internal — proprietary, RT use only. Do not redistribute.