POC / docker-compose.yml YML
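# Lab stack for comparing a LiteLLM build affected by CVE-2026-47102 with the
# patched build. The database password and master key below are static values
# published with this file, so every host port is bound to 127.0.0.1 instead of
# all interfaces; the services are then reachable only from the lab host.
services:
  # PostgreSQL database for LiteLLM user management.
  # Both litellm services use the same DATABASE_URL, so they share this state.
  # Presumably a user_role changed through the vulnerable instance is still in
  # the database when the fixed instance is tested; recreate the db container
  # (and its volume) between comparisons to start from a clean state.
  db:
    image: postgres:15-alpine
    container_name: litellm-47102-db
    environment:
      POSTGRES_DB: litellm
      POSTGRES_USER: litellm
      POSTGRES_PASSWORD: litellm123
    ports:
      # Host access is only for inspection; the litellm services reach the
      # database at db:5432 over the compose network.
      - "127.0.0.1:5434:5432"
    healthcheck:
      # Gates the depends_on conditions of both litellm services.
      test: ["CMD-SHELL", "pg_isready -U litellm -d litellm"]
      interval: 5s
      timeout: 3s
      retries: 10
    # NOTE(review): unless-stopped brings the container back after a daemon
    # restart; stop the stack explicitly when the lab is finished.
    restart: unless-stopped

  # Vulnerable LiteLLM v1.83.7-stable — CVE-2026-47102 (user_role self-modification)
  # /user/update endpoint allows any user to modify their own user_role field
  # Fixed in v1.83.10+
  litellm:
    # Pinned by digest so the affected build cannot drift to a patched one.
    image: ghcr.io/berriai/litellm@sha256:af0152ca6dfb6703b35c0d4899effa9ac132bce9a4fbcbe1dc6ef145c100db26
    container_name: litellm-47102-privesc
    ports:
      # Loopback only: this instance is deliberately left unpatched.
      - "127.0.0.1:4002:4000"
    environment:
      # Static lab key, identical on both instances; never reuse elsewhere.
      - LITELLM_MASTER_KEY=sk-litellm-master-key
      - DATABASE_URL=postgresql://litellm:litellm123@db:5432/litellm
    volumes:
      # Read-only mount: the container cannot rewrite its own configuration.
      - ./config.yaml:/app/config.yaml:ro
    command: ["--config", "/app/config.yaml", "--port", "4000"]
    depends_on:
      db:
        condition: service_healthy
    restart: unless-stopped

  # Fixed: LiteLLM v1.83.10-stable (patched — user_role field restriction in /user/update)
  # Started only when the "fixed" profile is enabled (docker compose --profile fixed up).
  litellm-fixed:
    # Pinned by digest so the comparison always runs against the same build.
    image: ghcr.io/berriai/litellm@sha256:6c82d338a60e7b273ae46bf1d8db814d2856ae010f96c44eeadde574d3893f76
    container_name: litellm-47102-fixed
    ports:
      - "127.0.0.1:4003:4000"
    environment:
      # Same key and database as the vulnerable instance, so only the image
      # differs between the two services.
      - LITELLM_MASTER_KEY=sk-litellm-master-key
      - DATABASE_URL=postgresql://litellm:litellm123@db:5432/litellm
    volumes:
      - ./config.yaml:/app/config.yaml:ro
    command: ["--config", "/app/config.yaml", "--port", "4000"]
    profiles:
      - fixed
    depends_on:
      db:
        condition: service_healthy
    restart: unless-stopped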