- compose-service.shuffle-orborus.json is the authored docker-compose.yml service block (yq-extracted); a profile-filtered docker compose config could not be used because soc-profile services depend_on wazuh.manager and profile filtering invalidates the project.
- Capture used the already-running aptl project (soc profile up) per operator direction and did not run aptl lab stop -v && aptl lab start; this bundle is a steady-state observation of that local lab, not a clean-reset rebuild proof.
- shuffle-orborus has no named Docker volume; its only mount is the host /var/run/docker.sock bind. No docker-volume.*.json is emitted for this asset.
- shuffle-orborus joins aptl-security with the static address 172.20.0.7 (pinned via the compose service's ipv4_address) and publishes NO host ports; its network identity is recorded in docker-inspect.container.json and docker-network.aptl-security.json. The address was previously DHCP-assigned, which let it drift between capture runs and made this bundle internally inconsistent; it is now pinned for reproducible capture.
- PRIVILEGED HOST-CONTROL SURFACE: shuffle-orborus bind-mounts the host /var/run/docker.sock read-write into the container (Mode=rw). This grants the orborus process full control of the host Docker daemon: it spawns/stops Shuffle worker containers (SHUFFLE_WORKER_IMAGE=ghcr.io/shuffle/shuffle-worker:latest) via the host daemon. A compromise of orborus is effectively host-Docker root. The mount source/destination/RW flag is captured verbatim in docker-inspect.container.json (Mounts) and orborus-state.txt (--docker-sock-mount--).
- source-checksums.txt covers only docker-compose.yml; the shuffle-orborus service has no repo-authored bind files (its single mount is the host /var/run/docker.sock, not a repo-tracked file), and the rootfs is the upstream image.
- The /orborus Go binary was NEVER executed during capture: invoking it (even with --version) starts the orborus daemon, which would poll the backend and spawn worker containers via the host docker.sock. Binary identity is therefore captured from file metadata, the image-shipped /orborus.go source, embedded Go-version and Shuffle-image strings, and the trivy/syft go-module SBOM catalog instead of a runtime version flag.
- filesystem-tree.txt and filesystem-checksums.txt scope the curated manifest (and the SDL filesystem_inventory rows) to the orborus application surface (the /orborus Go binary, the image-shipped /orborus.go source, and /etc/os-release); the FULL Alpine rootfs manifest is retained as evidence in filesystem-tree-full.txt.gz (no per-file checksums beyond the curated set; rootfs integrity is evidenced by the registry image digest and the SBOMs). The host /var/run/docker.sock bind is a socket on the host, not part of the container rootfs manifest, and is captured in docker-inspect.container.json and orborus-state.txt.
- Syft CycloneDX output was deterministically normalized by stripping syft:location:* properties; component identity remains and filesystem provenance is captured in filesystem-tree.txt and filesystem-checksums.txt.
- Trivy and Syft CycloneDX SBOM evidence is committed as deterministic gzip-compressed minified JSON to satisfy the repository's added-file size gate; compression is lossless.
- osquery apt_sources table is not meaningful for an Alpine (apk) target; recorded as unavailable.
- osquery installed_applications table unavailable in the digest-pinned Linux scanner image.
- osquery programs table unavailable in the digest-pinned Linux scanner image.
