diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 39c4698..3fb52e4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -19,6 +19,15 @@ repos:
     rev: v24.12.2  # keep in sync with requirements.txt
     hooks:
       - id: ansible-lint
+        # Only run on Ansible content. ansible-lint loads the play context, which
+        # auto-decrypts inventories/*/group_vars/all/vault.yml via the wired
+        # vault_password_file (→ rbw) — so it needs `rbw unlock`. The upstream hook is
+        # always_run+pass_filenames:false (lints the whole project, every commit); we
+        # override always_run:false and add a files filter so docs-/config-only commits
+        # skip it (no vault needed). pass_filenames stays false → still a project lint
+        # when any Ansible file is staged.
+        always_run: false
+        files: ^(roles|playbooks|inventories)/.*\.ya?ml$
         additional_dependencies:
           - ansible-core==2.17.*  # pin (not >=) — keep in sync with requirements.txt
 
diff --git a/Makefile b/Makefile
index 3f00912..1b4bca3 100644
--- a/Makefile
+++ b/Makefile
@@ -75,12 +75,12 @@ test:
 ifndef ROLE
 	$(error ROLE is required: make test ROLE=<rolename>)
 endif
-	cd roles/$(ROLE) && ../../$(MOLECULE) test
+	cd roles/$(ROLE) && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test
 
 test-all:
 	@for role in roles/*/; do \
 	  echo "── Testing $$role ──"; \
-	  cd $$role && ../../$(MOLECULE) test; cd ../..; \
+	  cd $$role && PATH="$(CURDIR)/$(VENV)/bin:$$PATH" molecule test; cd ../..; \
 	done
 
 # ── Playbook execution ────────────────────────────────────────────────────────