- compose-service.thehive.json is the authored docker-compose.yml service block (yq-extracted); a profile-filtered docker compose config could not be used because soc-profile services depend_on wazuh.manager and profile filtering invalidates the project. The authored command retains the committed scenario fixture '--secret aptl-thehive-lab-secret-key-2024-purple' (secret_fixture, visible in docker-compose.yml), not an operator secret.
- Capture used the already-running aptl project (soc profile up) per operator direction and did not run aptl lab stop -v && aptl lab start; this bundle is a steady-state observation of that local lab, not a clean-reset rebuild proof.
- /etc/thehive/keystore.p12 is the lab-CA-signed TLS keystore generated at aptl lab start; it is scenario fixture material and is included in filesystem metadata and checksum evidence.
- config/soc_certs/thehive/keystore.p12.password injects HTTPS_KEYSTORE_PASSWORD into the runtime environment; the live value is captured verbatim in docker-inspect.container.json and runtime-baseline.txt.
- thehive_data and thehive_index volume contents (/opt/thp/thehive/data, /opt/thp/thehive/index) are runtime data and out of manifest scope; only top-level directory rows are recorded in filesystem-tree.txt.gz and a top-level ls in thehive-state.txt.
- The entrypoint-generated /tmp/thehive-*.conf Play configuration (assembled at start from the compose command args, including the committed --secret scenario fixture) is runtime-created and out of manifest scope; its authored inputs are the compose command and /etc/thehive/application.conf.
- The TheHive image does not include ss, netstat, or ps; listener and connection evidence falls back to raw /proc/net/tcp,tcp6,udp tables and the process tree to a /proc PID walk, complemented by docker top and osquery namespace-sharing evidence.
- config/soc_certs/lab-ca.pem is not present in this checkout; the running container bind/env value is captured from Docker/runtime evidence.
- config/soc_certs/thehive/keystore.p12 is not present in this checkout; the running container bind/env value is captured from Docker/runtime evidence.
- config/soc_certs/thehive/keystore.p12.password is not present in this checkout; the running container bind/env value is captured from Docker/runtime evidence.
- source-checksums.txt covers the compose file, TheHive application.conf overlay, lab CA certificate, and any generated TheHive TLS source inputs present in this checkout; missing generated inputs are paired with runtime Docker/container evidence.
- osquery installed_applications table unavailable in the digest-pinned Linux scanner image.
- osquery programs table unavailable in the digest-pinned Linux scanner image.
- osquery apt_sources reflects the host-side scanner vantage; the target rootfs Debian apt state is captured directly in os-packages.txt.
