---
# Two builds of the same Dockerfile that differ only in the NGINX source ref,
# so a request can be replayed against an affected and a fixed server.
services:
  # Primary target: VULNERABLE NGINX 1.30.0 (affected range: <=1.30.0), built
  # with AddressSanitizer. This container deliberately runs the affected
  # build; its port is published on the host loopback address only.
  nginx:
    image: 'cve-2026-42945-nginx:1.30.0-asan'
    container_name: cve-2026-42945-nginx
    build:
      context: .
      dockerfile: Dockerfile
      args:
        NGINX_REF: release-1.30.0
        # Commit the ref above is expected to resolve to. Quoted so a hash
        # made only of digits (or digits plus "e") can never be retyped as a
        # number. NOTE(review): presumably the Dockerfile fails the build on
        # a mismatch -- confirm, the Dockerfile is not shown here.
        NGINX_COMMIT_EXPECTED: '6e14e954aaacce9a433d9b07b4653809c7594ab8'
    ports:
      # host 127.0.0.1:19321 -> container port 80; not reachable off-host.
      - '127.0.0.1:19321:80'
    # SYS_PTRACE is granted for the sanitizer runtime, to get symbolized
    # ASan backtraces. NOTE(review): LeakSanitizer's ptrace-based leak check
    # is the usual reason sanitizer builds need this capability -- confirm
    # which applies. It widens what code running in this container can do,
    # so remove it if the reports are complete without it.
    cap_add:
      - SYS_PTRACE
    # Quoted: a bare `no` is a boolean under YAML 1.1. With this policy a
    # container that exits stays down instead of being restarted.
    restart: "no"
    healthcheck:
      # Exec form, run inside the container. Assumes the image ships curl
      # and the NGINX config serves /healthz (neither is visible here).
      test:
        - 'CMD'
        - 'curl'
        - '-fsS'
        - 'http://127.0.0.1/healthz'
      interval: 5s
      timeout: 3s
      retries: 10
      start_period: 5s

  # Discriminator: PATCHED NGINX 1.30.1 (>=1.30.1) -> the same request must
  # NOT crash. Apart from the build ref, expected commit, image tag, container
  # name and host port, keep this service identical to `nginx` so that the
  # NGINX version is the only variable between the two runs.
  nginx-patched:
    image: 'cve-2026-42945-nginx:1.30.1-asan'
    container_name: cve-2026-42945-nginx-patched
    build:
      context: .
      dockerfile: Dockerfile
      args:
        NGINX_REF: release-1.30.1
        # Expected commit for the ref above; quoted so it is always a string.
        NGINX_COMMIT_EXPECTED: '9a503b1317c283e1fd0f27008428ea441c1ac9ee'
    ports:
      # host 127.0.0.1:19322 -> container port 80; not reachable off-host.
      - '127.0.0.1:19322:80'
    # Same capability as the vulnerable service, so both builds run under the
    # same conditions.
    cap_add:
      - SYS_PTRACE
    # Quoted: a bare `no` is a boolean under YAML 1.1.
    restart: "no"
    healthcheck:
      # Exec form, run inside the container; same probe as the `nginx`
      # service.
      test:
        - 'CMD'
        - 'curl'
        - '-fsS'
        - 'http://127.0.0.1/healthz'
      interval: 5s
      timeout: 3s
      retries: 10
      start_period: 5s
