server {
    listen 80;
    server_name advisory-fixture.stella-ops.local;

    default_type application/json;

    # -----------------------------------------------------------------------
    # Advisory data endpoints (for pipeline sync tests)
    # -----------------------------------------------------------------------

    # KEV catalog — realistic CISA Known Exploited Vulnerabilities feed
    location = /kev/known_exploited_vulnerabilities.json {
        alias /etc/nginx/data/kev-catalog.json;
        add_header Content-Type "application/json";
        add_header ETag '"e2e-kev-v1"';
    }

    # GHSA list — GitHub Security Advisories (REST-style)
    location = /ghsa/security/advisories {
        alias /etc/nginx/data/ghsa-list.json;
        add_header Content-Type "application/json";
        add_header X-RateLimit-Limit "5000";
        add_header X-RateLimit-Remaining "4990";
        add_header X-RateLimit-Reset "1893456000";
    }

    # EPSS scores — Exploit Prediction Scoring System (CSV)
    location = /epss/epss_scores-current.csv {
        alias /etc/nginx/data/epss-scores.csv;
        add_header Content-Type "text/csv";
    }

    # -----------------------------------------------------------------------
    # Source health/connectivity endpoints (for onboarding tests)
    # -----------------------------------------------------------------------

    # CERT-In (India) - unreachable from most networks
    location /cert-in {
        return 200 '{"status":"healthy","source":"cert-in","description":"CERT-In fixture proxy"}';
    }

    # FSTEC BDU (Russia) - unreachable from most networks
    location /fstec-bdu {
        return 200 '{"status":"healthy","source":"fstec-bdu","description":"FSTEC BDU fixture proxy"}';
    }

    # StellaOps Mirror - does not exist yet
    location /stella-mirror {
        return 200 '{"status":"healthy","source":"stella-mirror","version":"1.0.0","description":"StellaOps Advisory Mirror fixture"}';
    }

    # VEX Hub - local fixture
    location /vex {
        return 200 '{"status":"healthy","source":"vex","description":"VEX Hub fixture proxy"}';
    }

    # Exploit-DB - blocks automated requests
    location /exploitdb {
        return 200 '{"status":"healthy","source":"exploitdb","description":"Exploit-DB fixture proxy"}';
    }

    # AMD Security - blocks automated requests
    location /amd {
        return 200 '{"status":"healthy","source":"amd","description":"AMD Security fixture proxy"}';
    }

    # Siemens ProductCERT - blocks automated requests
    location /siemens {
        return 200 '{"status":"healthy","source":"siemens","description":"Siemens ProductCERT fixture proxy"}';
    }

    # Ruby Advisory DB (bundler-audit) - GitHub raw content issues
    location /bundler-audit {
        return 200 '{"status":"healthy","source":"bundler-audit","description":"Ruby Advisory DB fixture proxy"}';
    }

    # Catch-all health endpoint
    location /health {
        return 200 '{"status":"healthy","service":"advisory-fixture"}';
    }

    location / {
        return 200 '{"status":"healthy","service":"advisory-fixture"}';
    }
}