diff --git a/index.html b/index.html
index cd69775..d4c7c09 100644
--- a/index.html
+++ b/index.html
@@ -1409,6 +1409,7 @@ Notice: Applied catalog in 12.34 seconds
       <ul>
         <li>The payoff slide — the "vs" framing was a trap. They stack.</li>
         <li>Terraform provisions → Ansible configures → Puppet enforces. Three layers.</li>
+        <li>Ansible also covers one-off ops — push a single patch across the fleet on demand (the push model). Puppet handles the continuous side; Ansible the punctual side.</li>
         <li>"Which should I use?" → depends which layer of the problem you have.</li>
       </ul>
     </aside>
@@ -1429,7 +1430,7 @@ Notice: Applied catalog in 12.34 seconds
       <rect x="120" y="104" width="560" height="64" rx="10" fill="#CC0000" fill-opacity="0.1" stroke="#CC0000" stroke-width="2"/>
       <text x="220" y="132" fill="#CC0000" font-size="18" font-weight="bold" font-family="sans-serif">Ansible</text>
       <text x="306" y="132" fill="#a00" font-size="16" font-family="sans-serif">— Configure</text>
-      <text x="220" y="150" fill="#cc3333" font-size="11" font-style="italic" font-family="sans-serif">packages, services, app deployment</text>
+      <text x="220" y="150" fill="#cc3333" font-size="11" font-style="italic" font-family="sans-serif">packages, services, deploys, on-demand patching</text>
       <!-- Arrow between Ansible and Puppet -->
       <line x1="400" y1="172" x2="400" y2="194" stroke="#4d5592" stroke-width="2.5" marker-end="url(#a-down)"/>
       <!-- Puppet layer -->
@@ -1445,14 +1446,15 @@ Notice: Applied catalog in 12.34 seconds
     <h2>A common production setup:</h2>
     <ol>
       <li><span class="tf-col">Terraform</span> provisions the VM</li>
-      <li><span class="ansible-col">Ansible</span> configures it and deploys the app</li>
+      <li><span class="ansible-col">Ansible</span> configures it, deploys the app, and pushes one-off patches</li>
       <li><span class="puppet-col">Puppet</span> continuously enforces compliance</li>
     </ol>
     <aside class="notes">
       <ul>
         <li>Concrete recap of how they fit together end to end.</li>
         <li>You don't have to use all three — but they layer cleanly when you do.</li>
-        <li>Pick by your actual need: just provisioning? Terraform. Ad-hoc ops? Ansible. Drift control? Puppet.</li>
+        <li>Ansible's role isn't only first-time setup — it's also the tool for punctual ops, like pushing a single patch across the fleet on demand (slide on Operations). Puppet then keeps that state from drifting.</li>
+        <li>Pick by your actual need: just provisioning? Terraform. Ad-hoc ops / one-off patch? Ansible. Drift control? Puppet.</li>
       </ul>
     </aside>
   </section>