- Compose service evidence was extracted from docker-compose.yml with yq because the full local compose project has an unrelated invalid dependency reference that prevents docker compose config from rendering.
- Capture used the already-running aptl project per operator direction and did not run aptl lab stop -v && aptl lab start; this bundle is a steady-state observation of that local lab, not clean-reset rebuild proof.
- Full filesystem evidence is captured as compressed manifests. SDL encodes load-bearing participant-visible paths and structured runtime surfaces directly; byte-identical rebuild proof remains out of scope for this inventory issue.
- Shuffle persistent state lives in the shuffle-opensearch datastore, not in the aptl_shuffle_data volume (which is empty at steady state). Application state was captured via the Shuffle backend HTTP API and OpenSearch _cat/indices with scenario values retained verbatim.
- Scenario fixture secret values, including the admin password, SHUFFLE_DEFAULT_APIKEY, and OpenSearch password, are retained verbatim because they are TechVault scenario content.
- shuffle-backend mounts only the host docker.sock and the aptl_shuffle_data named volume; it has no first-party local config files under config/. The Wazuh-side custom-shuffle integration that posts alerts to this backend is owned by the wazuh-manager inventory, not this asset.
- Go compiler/toolchain is not present in the runtime image; the authoritative Go module dependency table is sourced from the trivy/syft SBOMs (go-module catalog), not from an in-image go list.
- Syft CycloneDX output was deterministically normalized by stripping syft:location:* properties; filesystem provenance is captured in filesystem-tree.txt.gz and filesystem-checksums.txt.xz.
- osquery apt_sources table is not meaningful for an Alpine (apk) target; recorded as unavailable.
- osquery installed_applications table unavailable in the digest-pinned Linux scanner image.
- osquery programs table unavailable in the digest-pinned Linux scanner image.
