chore: tighten gitignore, align README stack, formalize D-010 (Ansible)

- .gitignore: add Keycloak/Mythic/Fernet secret patterns (pfx, p12, token, kdbx,
  credentials.json, secrets.json, service-account*.json), MSVC artifacts
  (lib, exp, idb, ilk, tlog), dedup dist/build/ between Python and Node blocks.
- README.md: align Storage line on H38 (testcontainers Postgres for Postgres-
  specific behavior, incl. unit tests of audit log / RBAC / write-only role).
- README.md: align Deploy line on D-007/D-010 — Docker + Ansible playbook,
  reverse proxy explicitly out-of-Mimic.
- README.md: add proprietary internal use notice.
- CHANGELOG.md: convert markdown link to inline URL (no dangling reference).
- tasks/spec-decisions.md: add D-010 (Ansible for deployment playbook).

Addresses code-reviewer M1/M2/M3 + N2/N3/N4/N6 on commit 047583e.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -4,6 +4,13 @@
 .env.*.local
 *.pem
 *.key
+*.pfx
+*.p12
+*.token
+*.kdbx
+credentials.json
+secrets.json
+service-account*.json
 
 # Python
 __pycache__/
@@ -25,8 +32,6 @@ build/
 
 # Node / Frontend
 node_modules/
-dist/
-build/
 .vite/
 coverage/
 .eslintcache
@@ -40,6 +45,11 @@ test-results/
 *.o
 *.obj
 *.pdb
+*.lib
+*.exp
+*.idb
+*.ilk
+*.tlog
 
 # IDE
 .vscode/

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Changelog
 
-All notable changes to Mimic. Format inspired by [Keep a Changelog](https://keepachangelog.com).
+All notable changes to Mimic. Format inspired by Keep a Changelog (https://keepachangelog.com).
 Versioning starts at `0.1.0` when sprint 0 lands.
 
 ## [Unreleased]

README.md

@@ -32,8 +32,8 @@ In-repo documentation:
 
 - **Backend** Python 3.12 / Flask / Flask-SocketIO / SQLAlchemy 2 / Pydantic 2 / Alembic / WeasyPrint / pytest + testcontainers / ruff / mypy strict
 - **Frontend** TypeScript / React 18+ / Vite / Tailwind 4 / TanStack Query 5 / Recharts / Playwright
-- **Storage** Postgres (prod) / SQLite (unit tests only)
+- **Storage** Postgres (prod) / SQLite (pure-logic unit tests) / testcontainers Postgres (audit log, RBAC, write-only role — incl. unit tests of Postgres-specific behavior, per H38)
-- **Deploy** Docker + Ansible
+- **Deploy** Docker images + Ansible deployment playbook (per D-010). Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure, out of Mimic scope (D-007).
 
 ## Layout
 
@@ -54,3 +54,7 @@ mimic/
 ## Build & run
 
 `make` targets land at the end of sprint 0. For now the repo is skeleton-only.
+
+## Licensing
+
+Internal — proprietary, RT use only. Do not redistribute.

tasks/spec-decisions.md

@@ -72,6 +72,15 @@ scope extension:
 - Any drift between seeded group permissions and the F11 matrix is a spec
   violation, not a configuration choice.
 
+### D-010 — Ansible for the deployment playbook
+**Context.** Spec §7 names `Docker` only on the deploy line, but D-007 references
+a "deployment playbook" wiring Mimic behind the existing reverse proxy. The RT
+team uses Ansible for infrastructure automation across projects.
+**Decision.** Deployment artifacts are Docker images (built in repo) plus an
+Ansible playbook (lives outside the application repo, in the RT infra repo).
+Mimic itself ships only the Dockerfile and a sample compose for dev; production
+roll-out is Ansible-driven. The README stack line is updated accordingly.
+
 ### D-009 — `ttp_version` table forbidden (H32 reaffirmed)
 **Context.** Sprint 0 plan (B0.2) lists `ttp_version` among the initial tables.
 Spec hypothesis **H32** explicitly excludes this: *"Snapshot de rejouabilité =