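# Side-by-side lab: a vulnerable and a fixed LiteLLM build behind a mock OIDC
# provider, both backed by one PostgreSQL instance.
#
# Every published port is bound to 127.0.0.1. The stack runs a deliberately
# vulnerable proxy with static lab credentials, so nothing should listen on the
# host's external interfaces. Containers still reach each other by service name
# over the compose network (see DATABASE_URL), which does not use these
# host-side bindings.
services:
  # ── PostgreSQL Database (required by LiteLLM's database_url config) ──
  litellm-db:
    image: postgres:15-alpine
    container_name: litellm-db-35030
    environment:
      POSTGRES_DB: litellm
      POSTGRES_USER: litellm
      # Throwaway lab password; the same value is embedded in DATABASE_URL on
      # both LiteLLM services and must be changed in all three places together.
      POSTGRES_PASSWORD: litellm123
    ports:
      # Host access is only for inspecting the database from the lab machine.
      - "127.0.0.1:5432:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U litellm -d litellm"]
      interval: 5s
      timeout: 3s
      retries: 10

  # ── Mock OIDC Provider ──────────────────────────────────────────────
  oidc-mock:
    build: ./oidc-provider
    container_name: oidc-mock
    ports:
      - "127.0.0.1:8000:8000"
    healthcheck:
      # Healthy once GET /health inside the container answers 200.
      test: ["CMD-SHELL", "python3 -c \"import urllib.request; exit(0 if urllib.request.urlopen('http://localhost:8000/health').status == 200 else 1)\""]
      interval: 5s
      timeout: 3s
      retries: 10

  # ── Vulnerable LiteLLM (v1.82.x — OIDC cache key collision) ────────
  litellm-vuln:
    build: ./litellm-vuln
    container_name: litellm-cve-35030-vuln
    ports:
      - "127.0.0.1:4000:4000"
    volumes:
      - ./litellm_config.yaml:/app/config.yaml
    environment:
      # Static lab master key, identical on the fixed instance.
      - LITELLM_MASTER_KEY=sk-litellm-master-key
      - DATABASE_URL=postgresql://litellm:litellm123@litellm-db:5432/litellm
    depends_on:
      oidc-mock:
        condition: service_healthy
      litellm-db:
        condition: service_healthy
    # NOTE(review): unless-stopped restarts this vulnerable build whenever the
    # Docker daemon comes back up; stop the stack explicitly when finished.
    restart: unless-stopped

  # ── Fixed LiteLLM (v1.83.0+ — sha256 cache key, not token[:20]) ───
  # Started only when the "fixed" profile is enabled. It uses the same config
  # file, master key and database as litellm-vuln, so the two instances are not
  # isolated from each other's stored state.
  litellm-fixed:
    build: ./litellm-fixed
    container_name: litellm-cve-35030-fixed
    ports:
      # Container port 4000 is published on host port 4001 so that both builds
      # can run at the same time.
      - "127.0.0.1:4001:4000"
    volumes:
      - ./litellm_config.yaml:/app/config.yaml
    environment:
      - LITELLM_MASTER_KEY=sk-litellm-master-key
      - DATABASE_URL=postgresql://litellm:litellm123@litellm-db:5432/litellm
    profiles:
      - fixed
    depends_on:
      oidc-mock:
        condition: service_healthy
      litellm-db:
        condition: service_healthy
    restart: unless-stopped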