diff --git a/Home.md b/Home.md
index 09f0cd7..4f41c24 100644
--- a/Home.md
+++ b/Home.md
@@ -89,6 +89,21 @@ Code mode      (implementation — new plate-auth repo + InspectFlow refactor +
 
 ---
 
+## 📦 Distribution
+
+- **License:** Apache-2.0 placeholder for v0.1.0 (see `LICENSE.md` in the repo root). plate-auth lives in a private Gitea repo today, so the license is dormant — it only activates if/when the project is open-sourced. Apache-2.0 was chosen over MIT for the explicit patent grant.
+- **Maven artifact:** `de.platesoft:plate-auth-starter:0.1.0` — Gitea Maven Package Registry
+- **npm artifact:** `@platesoft/auth:0.1.0` — Gitea npm Package Registry
+- **Lockstep:** Both artifacts ship from the same `v0.x.y` git tag. Frontend `0.2.0` implies backend `0.2.0` is the required peer.
+
+---
+
+## 📜 Decisions log
+
+- **2026-06-24** — 11 plate-auth decisions locked (F1, F2, Q01, Q05, Q10) and 6 sparkboard decisions locked. See [Open-Questions § 4 Decided (history)](Open-Questions) for the canonical list.
+
+---
+
 ## 🔗 External links
 
 - **Repo:** https://git.plate-software.de/pplate/plate-auth
diff --git a/Open-Questions.md b/Open-Questions.md
index 661ed7b..bfd48b8 100644
--- a/Open-Questions.md
+++ b/Open-Questions.md
@@ -28,16 +28,16 @@ When a question is decided, this doc gets updated; the decision is also reflecte
 
 | ID | Topic | Status | Decide by |
 |----|-------|--------|-----------|
-| Q01 | Concrete org table abstraction (Company → generic Organization?) | 🟡 Leaning | Before W4 (SPI design) |
+| Q01 | Concrete org table abstraction (Company → generic Organization?) | ✅ Decided (2026-06-24) | n/a |
 | Q02 | Microsoft Entra ID in v0.1 or defer to v0.2 | 🟡 Leaning | Before W2 starts |
 | Q03 | Flyway migration strategy (separate schema_history vs baseline reset) | 🟡 Leaning | Before W5 (Flyway work) |
 | Q04 | Email magic-link provider in v0.1 or v0.2 | ⏭️ Deferred | n/a |
-| Q05 | npm package name (`@platesoft/auth` vs alternatives) | 🟡 Leaning | Before W3 starts |
+| Q05 | npm package name (`@platesoft/auth` vs alternatives) | ✅ Decided (2026-06-24) | n/a |
 | Q06 | SemVer policy details — peer-version lockstep enforcement | 🟡 Leaning | Before v0.1.0 release |
 | Q07 | Gitea publishing pipeline (Gitea Actions vs manual deploy) | 🟡 Leaning | Before W6 |
 | Q08 | Spring Boot version pin (4.0.7 vs 4.1.0 vs latest milestone) | ✅ Decided | n/a (4.1.0) |
 | Q09 | Frontend bundler — `tsup` vs `tsc` vs `unbuild` | 🟠 Open | Before W3-A |
-| Q10 | License — MIT, Apache-2.0, or internal proprietary | 🟠 Open | Before v0.1.0 release |
+| Q10 | License — MIT, Apache-2.0, or internal proprietary | ✅ Decided (2026-06-24) | n/a |
 | Q11 | First-class i18n in `@platesoft/auth`/react? | ⏭️ Deferred | n/a |
 | Q12 | Audit emit channel — DB rows only, or also event stream? | 🟡 Leaning | Before W2 |
 
@@ -47,7 +47,7 @@ When a question is decided, this doc gets updated; the decision is also reflecte
 
 ### Q01 — Concrete org table abstraction
 
-**Status:** 🟡 Leaning toward: **Keep org as polymorphic FK validated by SPI; do NOT ship a concrete `organizations` table in plate-auth 0.1**
+**Status:** ✅ **Decided 2026-06-24** — Option **A**: polymorphic FK `(org_type, org_id)` validated by `OrgValidator` SPI. plate-auth does NOT ship a concrete `organizations` table in 0.1.
 
 **Context.** InspectFlow's [`Membership`](backend/src/main/java/de/platesoft/inspectflow/entity/Membership.java) entity references `Company` (concrete entity). Sparkboard will have its own org table (probably `Project` or `Studio`). plate-auth must support both without leaking either domain.
 
@@ -59,11 +59,9 @@ When a question is decided, this doc gets updated; the decision is also reflecte
 | B) Generic `organizations` table in plate-auth, consumers reference it | Real FK; consistent schema | Consumers must mirror their own org table into ours; cross-DB sync nightmare |
 | C) Abstract `@MappedSuperclass` consumers extend | Type-safe at JPA level | Forces JPA inheritance; cross-app reuse breaks |
 
-**Leaning:** Option **A**. Matches [Architecture.md § 4 SPI seams](Architecture.md) and was already designed into Sprint 14.2 ([`SPRINT-14.2-MEMBERSHIP-PLAN.md`](docs/SPRINT-14.2-MEMBERSHIP-PLAN.md:1)).
+**Decision:** Option **A**. Matches [Architecture.md § 4 SPI seams](Architecture.md) and was already designed into Sprint 14.2 ([`SPRINT-14.2-MEMBERSHIP-PLAN.md`](docs/SPRINT-14.2-MEMBERSHIP-PLAN.md:1)). The runtime-validation gap is closed by the mandatory `OrgValidator` SPI (default `PermissiveOrgValidator` with per-call WARN — see [Architecture.md § 3.4](Architecture.md)).
 
-**Decision deadline:** Before W4 (SPI design) starts.
-
-**Owner:** Patrick.
+**Owner:** Patrick. Locked 2026-06-24.
 
 ---
 
@@ -126,11 +124,11 @@ When a question is decided, this doc gets updated; the decision is also reflecte
 
 ### Q05 — npm package name
 
-**Status:** 🟡 Leaning toward: **`@platesoft/auth`**
+**Status:** ✅ **Decided 2026-06-24** — npm: `@platesoft/auth` · Maven: `de.platesoft:plate-auth-starter`.
 
 **Context.** The npm scope must be registered on the Gitea npm registry, which means it must be unique within our setup. We control the registry, so collisions aren't a concern; aesthetics + intent are.
 
-**Options:**
+**Options considered:**
 
 | Option | Pros | Cons |
 |--------|------|------|
@@ -139,11 +137,9 @@ When a question is decided, this doc gets updated; the decision is also reflecte
 | `plate-auth` (unscoped) | Simpler | No org scope — collides with NPM-public name space if we ever publish there |
 | `@plate-software/auth` | Verbose but explicit | Long imports |
 
-**Leaning:** `@platesoft/auth`. Matches the Gitea org slug `platesoft`. Maven group is `de.platesoft` (reverse-DNS) → npm scope is `@platesoft` (shortened).
+**Decision:** `@platesoft/auth` (npm) paired with `de.platesoft:plate-auth-starter` (Maven). Matches the Gitea org slug `platesoft`. Maven group is `de.platesoft` (reverse-DNS) → npm scope is `@platesoft` (shortened). Both artifacts ship in lockstep from the same `v0.x.y` git tag.
 
-**Decision deadline:** Before W3-A starts (first `package.json` written).
-
-**Owner:** Patrick.
+**Owner:** Patrick. Locked 2026-06-24.
 
 ---
 
@@ -226,15 +222,13 @@ When a question is decided, this doc gets updated; the decision is also reflecte
 
 ### Q10 — License
 
-**Status:** 🟠 Open
+**Status:** ✅ **Decided 2026-06-24** — Apache-2.0 **placeholder** for v0.1.0.
 
-**Options:** MIT, Apache-2.0 (with explicit patent grant — recommended for libs), or internal proprietary.
+**Options considered:** MIT, Apache-2.0 (with explicit patent grant — recommended for libs), or internal proprietary.
 
-**Note:** plate-auth lives in a private Gitea repo. License only matters if/when we decide to open-source. For Sprint 0 we ship with `LICENSE.md` set to `Apache-2.0` placeholder; flip to proprietary if Patrick decides later.
+**Decision.** plate-auth ships `LICENSE.md` set to **Apache-2.0** as a placeholder for v0.1.0. The repo lives in private Gitea, so the license is dormant — it only activates if/when we choose to open-source. Apache-2.0 was picked over MIT for the explicit patent grant (standard for libraries that consumers will depend on). Patrick may flip to proprietary or another OSI license before any public release.
 
-**Decision deadline:** Before v0.1.0 tag.
-
-**Owner:** Patrick.
+**Owner:** Patrick. Locked 2026-06-24.
 
 ---
 
@@ -265,6 +259,11 @@ When a question is decided, this doc gets updated; the decision is also reflecte
 | Q08 | Spring Boot 4.1.0 minimum | 2026-06-24 | Architecture.md |
 | Q04 | Magic-link → v0.2 | 2026-06-24 | Roadmap.md |
 | Q11 | i18n → consumer-supplied | 2026-06-24 | this doc |
+| Q01 | Polymorphic FK `(org_type, org_id)` validated by `OrgValidator` SPI; no concrete `organizations` table in 0.1 | 2026-06-24 | Architecture.md § 3.4, this doc |
+| Q05 | npm: `@platesoft/auth` · Maven: `de.platesoft:plate-auth-starter` (lockstep versions) | 2026-06-24 | Architecture.md § 9, this doc |
+| Q10 | Apache-2.0 placeholder for v0.1.0 (dormant until open-sourced) | 2026-06-24 | Home.md § Distribution, this doc |
+| F1 | `PermissiveOrgValidator` ships as default `OrgValidator`, logs WARN on every call | 2026-06-24 | Architecture.md § 3.4, Sprint-0-Plan.md § 4.5, Sprint-0-Testplan.md T-UT15, Integration-Guide.md § 3.3 |
+| F2 | plate-auth ships **6** Flyway migrations (V1..V6) in `db/migration/auth/`; `V5__add_microsoft_tenant_id_index.sql` is a standalone index migration | 2026-06-24 | Architecture.md § 8.1, Sprint-0-Plan.md § 7.2, Sprint-0-Testplan.md T-IT01 |
 
 ---