chore: tighten gitignore, align README stack, formalize D-010 (Ansible)

- .gitignore: add Keycloak/Mythic/Fernet secret patterns (pfx, p12, token, kdbx,
  credentials.json, secrets.json, service-account*.json), MSVC artifacts
  (lib, exp, idb, ilk, tlog), dedup dist/build/ between Python and Node blocks.
- README.md: align Storage line on H38 (testcontainers Postgres for Postgres-
  specific behavior, incl. unit tests of audit log / RBAC / write-only role).
- README.md: align Deploy line on D-007/D-010 — Docker + Ansible playbook,
  reverse proxy explicitly out-of-Mimic.
- README.md: add proprietary internal use notice.
- CHANGELOG.md: convert markdown link to inline URL (no dangling reference).
- tasks/spec-decisions.md: add D-010 (Ansible for deployment playbook).

Addresses code-reviewer M1/M2/M3 + N2/N3/N4/N6 on commit 047583e.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tasks/spec-decisions.md

@@ -72,6 +72,15 @@ scope extension:
 - Any drift between seeded group permissions and the F11 matrix is a spec
   violation, not a configuration choice.
 
+### D-010 — Ansible for the deployment playbook
+**Context.** Spec §7 names `Docker` only on the deploy line, but D-007 references
+a "deployment playbook" wiring Mimic behind the existing reverse proxy. The RT
+team uses Ansible for infrastructure automation across projects.
+**Decision.** Deployment artifacts are Docker images (built in repo) plus an
+Ansible playbook (lives outside the application repo, in the RT infra repo).
+Mimic itself ships only the Dockerfile and a sample compose for dev; production
+roll-out is Ansible-driven. The README stack line is updated accordingly.
+
 ### D-009 — `ttp_version` table forbidden (H32 reaffirmed)
 **Context.** Sprint 0 plan (B0.2) lists `ttp_version` among the initial tables.
 Spec hypothesis **H32** explicitly excludes this: *"Snapshot de rejouabilité =