- compose-service.misp-suricata-sync.json is the authored docker-compose.yml service block (yq-extracted); a profile-filtered docker compose config could not be used because soc-profile services depend_on wazuh.manager and profile filtering invalidates the project. The authored MISP_API_KEY value is an ${MISP_API_KEY:?...} interpolation template and is captured exactly as authored.
- Docker Buildx imagetools inspection failed for aptl-misp-suricata-sync:latest because it is a locally built tag with no registry manifest; see docker-buildx-imagetools.image.err. Image identity is the local config ID in docker-inspect.image.json plus the build recipe in source-checksums.txt.
- Recaptured after ADR-043 (issue #325) on a clean-rebuilt lab: two consecutive 'aptl lab stop -v && aptl lab start' cycles preceded this capture, so the bundle reflects the named-volume-seeded steady state, not the pre-fix host-bind topology.
- MISP_API_KEY (runtime env) is the lab MISP admin API key — the same secret_fixture value already disclosed on nodes.techvault.misp (ADMIN_KEY). It is retained verbatim in committed evidence and SDL because it is TechVault scenario content.
- /var/run/suricata is the shared suricata_command_socket volume owned by the suricata asset; only the socket path/metadata is recorded here. /var/lib/suricata/rules/misp is the shared suricata_misp_rules named volume (ADR-043; seeded at lab start, formerly a .aptl host bind) whose misp-iocs.rules content is generated by this service and recorded as a runtime-created file.
- source-checksums.txt covers the compose file, Dockerfile, pyproject.toml, and the executed aptl.services.misp_suricata_sync package sources. The Dockerfile COPYs the entire repo src/ tree into /app; that full copy is evidenced by the in-image filesystem manifest under /app and /usr/local/lib/python3.11/site-packages/aptl, not by per-file repo checksums of unrelated aptl subpackages.
- filesystem-tree.txt.gz scopes the manifest to the application surfaces (/app, installed aptl package, console script, CA input, rules output, socket dir, os-release) and excludes __pycache__ bytecode and third-party site-packages dependency trees; the dependency closure is evidenced by the SBOMs and pip list instead.
- Syft CycloneDX output was deterministically normalized by stripping syft:location:* properties; filesystem provenance is captured in filesystem-tree.txt.gz and filesystem-checksums.txt.xz.
- osquery installed_applications table unavailable in the digest-pinned Linux scanner image.
- osquery programs table unavailable in the digest-pinned Linux scanner image.
- osquery apt_sources reflects the host-side scanner vantage; the target rootfs Debian apt state is captured directly in os-packages.txt.
