services:
  # Lab instance built from the Tomcat tag this lab labels as vulnerable
  # (10.1.54). It is deliberately left unpatched for comparison with the
  # `patched` service below.
  vulnerable:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        # Shared Dockerfile; only this tag differs between the two services.
        # Presumably consumed by the Dockerfile's base-image line (TODO confirm).
        TOMCAT_TAG: "10.1.54-jre17"
    image: 'cve-2026-43515-tomcat:10.1.54'
    container_name: 'cve-2026-43515-tomcat-vulnerable'
    ports:
      # Published on loopback only. Do not widen the bind address: this
      # container runs the unpatched build.
      - "127.0.0.1:8080:8080"
    healthcheck:
      # Healthy only when an unauthenticated GET of the protected resource is
      # answered with 401, i.e. Tomcat is serving AND the auth-constraint is
      # in effect. The probe shows readiness; it is identical for both
      # services and says nothing about whether the fix is present.
      # `$$` is Compose's escape for a literal `$`, so the container shell
      # sees $(...) and $code.
      # Requires curl inside the image (TODO confirm in the Dockerfile).
      test:
        - CMD-SHELL
        - >-
          code=$$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:8080/protected/secret.html);
          [ "$$code" = "401" ]
      # Probe every 5s; failures during the first 20s do not count toward
      # the 20 retries.
      interval: 5s
      timeout: 5s
      retries: 20
      start_period: 20s

  # Reference instance built from the Tomcat tag this lab labels as patched
  # (10.1.55). Same build context and Dockerfile as `vulnerable`, so any
  # behavioural difference comes from the Tomcat version alone.
  patched:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        # Presumably consumed by the Dockerfile's base-image line (TODO confirm).
        TOMCAT_TAG: "10.1.55-jre17"
    image: 'cve-2026-43515-tomcat:10.1.55'
    container_name: 'cve-2026-43515-tomcat-patched'
    ports:
      # Host port 8081 so both services can run side by side; loopback only.
      - "127.0.0.1:8081:8080"
    healthcheck:
      # Healthy only when an unauthenticated GET of the protected resource is
      # answered with 401 (Tomcat is up and the auth-constraint is in effect).
      # This is a readiness probe, not a check that the fix is effective.
      # `$$` is Compose's escape for a literal `$`.
      # Requires curl inside the image (TODO confirm in the Dockerfile).
      test:
        - CMD-SHELL
        - >-
          code=$$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:8080/protected/secret.html);
          [ "$$code" = "401" ]
      # Probe every 5s; failures during the first 20s do not count toward
      # the 20 retries.
      interval: 5s
      timeout: 5s
      retries: 20
      start_period: 20s
