docs: align doc references with compose.yml rename (code-reviewer M1)

Three docs still referenced the old docker-compose.yml path. Replace
with compose.yml so a future reader cloning at this hash finds the
file at the documented path.

- CHANGELOG.md:31 — backend skeleton recap line.
- docs/architecture.md:28 — deployment artifacts note (D-010 scope).
- tasks/todo.md:9 — B0.1 task description.

Also adds a "CI follow-ups (sprint 1+)" section to tasks/todo.md
capturing the 3 MINOR + 6 NIT deferred from code-reviewer's review
of chore/podman-and-ci, plus a FERNET-KEY tracker for the secret
provisioning before c2_credential.config_fernet (D-004) is wired.

tasks/todo.md

@@ -6,7 +6,7 @@ Repo skeleton + foundational modules. Nothing that depends on PR1/PR2/PR3.
 
 - [x] B0.1 — `backend/` Python 3.12+ project: `pyproject.toml` (ruff, mypy strict, pytest,
       coverage 70 %), `Makefile` (Docker/Podman auto), multi-stage `Dockerfile`,
-      `docker-compose.yml` for Postgres dev DB, `.env.example`.
+      `compose.yml` for Postgres dev DB, `.env.example`.
 - [x] B0.2 — Alembic baseline migration `202605210001_initial_schema` creates every table,
       enum, index, and the idempotent grants for the audit write-only Postgres role. **No
       `ttp_version` table** (D-009). Groups `rt_operator`, `rt_lead`, `soc_analyst` seeded
@@ -111,6 +111,34 @@ Tracked from code-review verdict on `feature/backend-skeleton` @ 12d131c:
 - [ ] R0.2 — Verify mypy strict and ruff clean before approving any backend PR.
 - [ ] R0.3 — Verify TS strict, no `useEffect(fetch)`, exhaustive deps before approving any frontend PR.
 
+## CI follow-ups (sprint 1+) (`devops`)
+
+Raised by `code-reviewer` during review of `chore/podman-and-ci` (M2-M3 + N1-N6).
+None blocking, all deferred to sprint 1+.
+
+- [ ] M2 — `backend/Makefile` `$(COMPOSE)` detection: invert legacy `docker-compose` v1
+      probe, prefer the Compose v2 plugin (`$(CONTAINER) compose`) first.
+- [ ] M3 — `.gitea/workflows/ci.yml` backend job: chain `apt-get update && apt-get install`
+      in one `RUN`-style step and drop `rm -rf /var/lib/apt/lists/*` (no-op in an
+      ephemeral CI container).
+- [ ] N1 — Smoke workflow `cat /etc/os-release | head -3` → use `head -3 /etc/os-release`
+      (moot once smoke.yml is removed; track here in case smoke is reintroduced).
+- [ ] N2 — `.gitea/workflows/ci.yml` `pull_request:` trigger: restrict to `branches: [main]`
+      to avoid double-running on PR retargets.
+- [ ] N3 — Anticipate single-runner serialization: jobs will queue. Plan a second
+      runner (different host or `capacity: >1`) before scaling sprint 2+ workload.
+- [ ] N4 — Add top-level `concurrency: { group: ${{ github.ref }}, cancel-in-progress: true }`
+      to cancel superseded PR runs.
+- [ ] N5 — CI uses `MIMIC_DATABASE_AUDIT_URL == MIMIC_DATABASE_URL` (same role).
+      Acceptable for unit tests; integration tests covering the audit write-only
+      role must provision a separate `mimic_audit_writer` role in the Postgres
+      service before they can run.
+- [ ] N6 — Cache pip + npm via `actions/cache@v4` (verify Gitea Actions fork support
+      before adoption; fallback to manual cache volume on the runner if unsupported).
+- [ ] FERNET-KEY — Provision `FERNET_KEY_TEST` Gitea repo secret before sprint 1
+      wires `c2_credential.config_fernet` (D-004). `config.py:32` accepts an empty
+      default at boot but `Fernet(b"")` raises `ValueError` at first use.
+
 ## Conventions
 
 - Branches: `feature/<scope>`, `fix/<scope>`, `docs/<scope>`, `chore/<scope>`. Long-lived: `main`.