- compose-service.shuffle-frontend.json is the authored docker-compose.yml service block (yq-extracted); a profile-filtered docker compose config could not be used because soc-profile services depend_on wazuh.manager and profile filtering invalidates the project.
- Capture used the already-running aptl project (soc profile up) per operator direction and did not run aptl lab stop -v && aptl lab start; this bundle is a steady-state observation of that local lab, not a clean-reset rebuild proof.
- shuffle-frontend has no named Docker volume (its rootfs is the upstream image); it only bind-mounts the three soc_certs TLS files read-only. No docker-volume.*.json is emitted for this asset.
- The bind-mounted /etc/nginx/privkey.pem (host ./config/soc_certs/shuffle-frontend/server.key) is the frontend TLS PRIVATE KEY: captured as scenario fixture content in filesystem-tree.txt, filesystem-checksums.txt, and filesystem-sensitive-paths.txt.
- config/soc_certs/shuffle-frontend/server.pem is not present in this checkout; the running container bind target is captured from Docker/runtime evidence.
- config/soc_certs/shuffle-frontend/server.key is not present in this checkout; the running container bind target is captured from Docker/runtime evidence.
- config/soc_certs/lab-ca.pem is not present in this checkout; the running container bind target is captured from Docker/runtime evidence.
- source-checksums.txt covers docker-compose.yml and any generated Shuffle frontend TLS source inputs present in this checkout; missing generated inputs are paired with runtime Docker/container evidence.
- filesystem-tree.txt scopes the manifest to the application surfaces (/etc/nginx config, /usr/share/nginx/html static React build, /etc/lab-ca CA, /etc/os-release); the rest of the upstream Debian rootfs is out of manifest scope (covered by os-packages.txt and the SBOMs). filesystem-checksums.txt includes /etc/nginx/privkey.pem as scenario TLS fixture content.
- osquery installed_applications table unavailable in the digest-pinned Linux scanner image.
- osquery programs table unavailable in the digest-pinned Linux scanner image.
- osquery apt_sources reflects the host-side scanner vantage; the target rootfs Debian apt state is captured directly in os-packages.txt.
