diff --git a/README.md b/README.md index 04487ac..05d4112 100644 --- a/README.md +++ b/README.md @@ -535,7 +535,7 @@ Planned hardening should remain tied to production-relevant gaps. Credible next improvements include: -- immutable image tags instead of deploying `latest` +- extend immutable image tagging consistently across manual and Terraform-driven deployment paths - HTTPS listener with ACM certificate - optional HTTP-to-HTTPS redirect - private ECS task networking without public task IPs diff --git a/docs/TRACKER.md b/docs/TRACKER.md index 2b43f95..8117793 100644 --- a/docs/TRACKER.md +++ b/docs/TRACKER.md @@ -382,7 +382,7 @@ Good next candidates: - document the AWS smoke-test workflow clearly without exposing raw keys or account-specific sensitive values - keep README, tracker, and AWS deployment docs aligned with the implemented runtime -- move from `latest` image deployments to immutable image tags +- extend immutable image tagging consistently across manual and Terraform-driven deployment paths - add HTTPS/ACM support for the ALB - add private ECS task networking using NAT Gateway or VPC endpoints - add Terraform remote state
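Review bot: In the README.md hunk (line 538), the new bullet drops the explicit reference to `latest` and no longer says which deployment path still lacks immutable tags. "Extend ... consistently across manual and Terraform-driven deployment paths" implies immutable tagging already exists somewhere, but a reader of this section cannot tell where it is in place and where `latest` is still deployed. Suggest naming the path that is already covered and the one that is not, and keeping the `latest` wording for the remaining gap so the hardening item stays verifiable.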
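Review bot: In the docs/TRACKER.md hunk (line 385), the replacement item has no completion criterion, where the removed line had a clear one (no more `latest` image deployments). Suggest stating what "consistently" means in a checkable form, for example that neither the manual nor the Terraform-driven path references `latest`. Also, the context line two above asks to keep README, tracker, and AWS deployment docs aligned, and this diff only touches the first two; please confirm the AWS deployment docs either already reflect the change or are updated in the same patch.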