chore: Deploy do mesh com docker-compose

[o-pauloroberto]

Templates para subir o mesh usando docker-compose de forma simples e rápida.

Summary by CodeRabbit

• Documentation

  • Added a comprehensive Docker Compose README covering quick start, configuration, auth setup, security notes, monitoring, troubleshooting, updating, and detailed backup/restore workflows.

• Chores

  • Added Docker Compose templates for local deployment (SQLite default, optional PostgreSQL).
  • Added example environment and authentication configuration files, including SSO/email and magic-link examples.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[cloudflare-workers-and-pages]

Deploying decocms-admin-frontend with    Cloudflare Pages

Latest commit:	9f38a4f
Status:	✅  Deploy successful!
Preview URL:	https://ca4cfa50.admin-decocms-frontend.pages.dev
Branch Preview URL:	https://feature-deploy-mesh-docker.admin-decocms-frontend.pages.dev

View logs

[coderabbitai]

Walkthrough

Adds Docker Compose deployment artifacts and documentation for running the Mesh locally, including example auth and env configuration files, a SQLite-based compose, and an optional PostgreSQL compose with backup/restore and troubleshooting instructions.

Changes

Cohort / File(s)	Summary
Documentation deploy/README.md	New comprehensive Docker Compose README describing prerequisites, quick start, .env and auth-config.json usage, SQLite (default) and PostgreSQL options, monitoring, troubleshooting, update, and backup/restore procedures.
Auth configuration examples deploy/conf-examples/auth-config.json.example, deploy/conf-examples/auth-config-sso-email.json.example	Added two auth-config examples: a minimal email/password-enabled example, and a fuller SSO+email example including Google/GitHub OAuth placeholders, SAML toggle, magic link settings, and an email provider example.
Environment example deploy/conf-examples/env.example	New example .env template with IMAGE_REPOSITORY/IMAGE_TAG, PORT, NODE_ENV, BETTER_AUTH_URL, BASE_URL, BETTER_AUTH_SECRET guidance, and DATABASE_URL/Postgres variable examples and notes.
Docker Compose (SQLite) deploy/docker-compose.yml	New compose for single mesh service using a configurable image, mounts persistent mesh-data volume, read-only auth-config.json, healthcheck against /health, environment variable support, and runs as user 1001:1001.
Docker Compose (Postgres) deploy/docker-compose.postgres.yml	New compose adding a postgres service (postgres:15-alpine) with volume, healthcheck, and a mesh service configured to depend on Postgres healthy state; includes volume and network definitions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify env variable names and default examples match runtime expectations in the app.
• Confirm auth-config.json mount path and file permissions align with the container image.
• Check healthcheck command and /health endpoint behavior.
• Validate volume paths (/app/data) and user 1001:1001 are correct for the image.
• Review Postgres healthcheck and dependency ordering in docker-compose.postgres.yml.

Poem

🐰 I tunneled a README, tidy and bright,
Auth files and envs tucked in just right,
SQLite naps or Postgres can play,
Volumes keep carrots safe day by day,
Hop, spin the compose — containers delight! 🌿

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is vague and does not follow the provided template structure; it lacks required sections like 'What is this contribution about?' with detailed explanation, 'Screenshots/Demonstration', and 'Review Checklist'.	Follow the repository template by adding detailed sections explaining what was changed and why, including the Review Checklist with appropriate items marked. Currently only a brief Portuguese description is provided.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding Docker Compose deployment templates and configuration files for the Deco mesh application.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/deploy-mesh-docker

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

deploy/conf-examples/auth-config-sso-email.json.example (1)

1-34: Consider more explicit placeholders for secrets and IDs

Config is structurally solid and matches the README example. To reduce the chance of someone interpreting empty strings as “optional”, consider using explicit placeholders (e.g. "<GOOGLE_CLIENT_ID>", "<RESEND_API_KEY>") or adding a short comment near this file reminding users these values are required in real deployments and must not be committed with real secrets.

deploy/docker-compose.postgres.yml (1)

4-21: Tighten Postgres defaults for non-local use

For local dev this setup is fine, but note the combination of:

• A weak default password (POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-change-this-password})
• Port 5432 exposed on the host

If this file is ever reused in shared/staging/prod environments, this can be risky. Consider either:

• Making the password default obviously unusable in real environments (e.g. comment it out and force explicit configuration), and/or
• Limiting the port binding (e.g. 127.0.0.1:5432:5432) and documenting that non-local access requires an explicit change.

Please double-check your intended usage contexts and adjust comments or defaults so nobody accidentally reuses this as-is in production.

deploy/README.md (2)

7-18: Fix TOC anchors and minor Markdown lint issues

A few small docs polish points that will improve navigation and tooling support:

• The TOC entries for Configuração, Monitoramento and Troubleshooting don’t currently match any heading IDs (markdownlint MD051). Either adjust the link fragments or add matching headings so these links work.
• Before and after the environment variables table (around “Principais variáveis”), add blank lines so the table is surrounded by empty lines (MD058).
• The fenced block showing the auth-config.json path (lines 160–162) has no language tag; using something like ```text will satisfy MD040.

These are cosmetic but easy wins to keep the README nicely rendered and linter‑clean.

You can run markdownlint locally to confirm all MD051/MD058/MD040 warnings are resolved after the tweaks.

Also applies to: 72-83, 160-162

---

72-83: Clarify how DATABASE_URL is derived (SQLite vs PostgreSQL)

The README currently suggests that docker-compose.yml will automatically montar DATABASE_URL para PostgreSQL quando POSTGRES_USER estiver definido, and that DATABASE_URL covers both SQLite and PostgreSQL transparently. Given the current compose file logic, this “auto-mount from POSTGRES_*” behavior is either fragile or not actually happening (see comments on deploy/docker-compose.yml and deploy/conf-examples/env.example).

To avoid surprises:

• Clearly state that the default when using docker-compose.yml is SQLite at /app/data/mesh.db.
• Explain that for PostgreSQL there are two explicit paths:
  • Use docker-compose.postgres.yml (Option 1) with the POSTGRES_* variables.
  • Or set DATABASE_URL manually for an external DB (Option 2).
• Remove or adjust wording that claims POSTGRES_USER alone is enough to auto‑build DATABASE_URL in the base compose file, unless you also update the compose/env templates to actually guarantee that behavior.

After updating docs and/or compose files, please sanity‑check with docker compose config to confirm the final DATABASE_URL seen by the mesh container in each scenario (SQLite default, postgres compose, and external DB).

Also applies to: 104-148

deploy/conf-examples/env.example (1)

41-57: Align DATABASE_URL and POSTGRES_* comments with actual compose behavior

The comments here say:

• DATABASE_URL será montado automaticamente pelo docker-compose.yml se você definir POSTGRES_USER abaixo
• And that docker‑compose will montar DATABASE_URL automaticamente usando as variáveis POSTGRES_*.

Given how deploy/docker-compose.yml currently works (and especially once simplified as suggested), that’s misleading: the base compose file effectively treats:

• DATABASE_URL as the source of truth, defaulting to /app/data/mesh.db (SQLite)
• POSTGRES_* are not enough on their own to switch the app to PostgreSQL.

To avoid confusion, I’d recommend:

• Keeping DATABASE_URL=/app/data/mesh.db as the documented default for SQLite.
• Clarifying that:
  • For PostgreSQL via docker-compose.postgres.yml, the POSTGRES_* vars are used to configure both Postgres and the app’s DATABASE_URL.
  • For external/managed PostgreSQL with the base docker-compose.yml, users should set DATABASE_URL manually (as already shown in the last commented example).
• Dropping or rewriting the lines that say docker-compose “montará automaticamente o DATABASE_URL” from POSTGRES_* in the base file, unless you rework docker-compose.yml to guarantee that.

After you adjust this file and docker-compose.yml, please re‑check that the README examples for SQLite, Postgres via docker-compose.postgres.yml, and Postgres externo all match the actual env resolution.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b37a180 and 9f38a4f.

📒 Files selected for processing (6)

• deploy/README.md (1 hunks)
• deploy/conf-examples/auth-config-sso-email.json.example (1 hunks)
• deploy/conf-examples/auth-config.json.example (1 hunks)
• deploy/conf-examples/env.example (1 hunks)
• deploy/docker-compose.postgres.yml (1 hunks)
• deploy/docker-compose.yml (1 hunks)

🧰 Additional context used

🪛 LanguageTool

deploy/README.md

[inconsistency] ~79-~79: O URL contém o caratére inválido segundo RFC 1738. Os caratéres especiais podem ser codificados com % seguido de dois números hexadecimais. Context: ...mbiente Node.js | |BETTER_AUTH_URL|http://localhost:3000` | URL para autenticação | | BASE_URL ...

(URL_VALIDATION)

---

[inconsistency] ~80-~80: O URL contém o caratére inválido segundo RFC 1738. Os caratéres especiais podem ser codificados com % seguido de dois números hexadecimais. Context: ... URL para autenticação | |BASE_URL|http://localhost:3000` | URL base da aplicação | | `BETTER_AUT...

(URL_VALIDATION)

---

[locale-violation] ~102-~102: “Performance” é um estrangeirismo. É preferível dizer “desempenho”, “atuação”, “apresentação”, “espetáculo” ou “interpretação”.
Context: ...ia (não escalável horizontalmente) - ⚠️ Performance limitada para grandes volumes de dados ...

(PT_BARBARISMS_REPLACE_PERFORMANCE)

---

[locale-violation] ~151-~151: “performance” é um estrangeirismo. É preferível dizer “desempenho”, “atuação”, “apresentação”, “espetáculo” ou “interpretação”.
Context: ... (escalabilidade horizontal) - ✅ Melhor performance para grandes volumes - ✅ Recursos avanç...

(PT_BARBARISMS_REPLACE_PERFORMANCE)

---

[style] ~168-~168: Para conferir mais clareza ao seu texto, evite pleonasmos.
Context: ...onfig.jsondeve existir na pasta raiz, junto com o docker-compose para subir a stack: ...

(REDUNDANCY_JUNTO_COM)

---

[style] ~177-~177: Para conferir mais clareza ao seu texto, evite pleonasmos.
Context: ... ./auth-config.json (arquivo na raiz, junto com o docker-compose) - Destino: `/app/...

(REDUNDANCY_JUNTO_COM)

---

[locale-violation] ~185-~185: “Password” é um estrangeirismo. É preferível dizer “senha”.
Context: ...inicialização para configurar: - Email/Password authentication - Social providers (Goog...

(PT_BARBARISMS_REPLACE_PASSWORD)

---

[grammar] ~367-~367: Possível erro de concordância.
Context: ... volume vazio docker compose up -d ``` O flag -v remove os volumes nomeados definid...

(ERRO_DE_CONCORDNCIA_DO_GÉNERO_MASCULINO_O)

🪛 markdownlint-cli2 (0.18.1)

deploy/README.md

10-10: Link fragments should be valid

(MD051, link-fragments)

---

15-15: Link fragments should be valid

(MD051, link-fragments)

---

16-16: Link fragments should be valid

(MD051, link-fragments)

---

73-73: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

---

160-160: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Cloudflare Pages

🔇 Additional comments (1)

deploy/conf-examples/auth-config.json.example (1)

1-5: Auth minimal example looks correct

JSON is valid and clearly documents the “email + senha” only setup; good as a safe, non-secret template.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's see the full docker-compose.yml file structure
find deploy -name "*.yml" -o -name "*.yaml" | head -20

Repository: decocms/admin

Length of output: 117

---

🏁 Script executed:

# Read the full docker-compose.yml to understand the context
cat deploy/docker-compose.yml

Repository: decocms/admin

Length of output: 1953

---

🏁 Script executed:

# Check for postgres-specific compose files
ls -la deploy/ | grep -i compose

Repository: decocms/admin

Length of output: 205

---

🏁 Script executed:

cat deploy/docker-compose.postgres.yml

Repository: decocms/admin

Length of output: 2538

---

🏁 Script executed:

# Test docker compose config to see how duplicates are handled
cd deploy && docker-compose config 2>&1 | grep -A 10 "DATABASE_URL"

Repository: decocms/admin

Length of output: 39

---

🏁 Script executed:

# Verify YAML parsing behavior with a quick test
python3 << 'EOF'
import yaml

# Simulate the docker-compose environment structure
yaml_test = """
environment:
  - DATABASE_URL=${DATABASE_URL:-${POSTGRES_USER:+postgresql://user}}
  - DATABASE_URL=${DATABASE_URL:-/app/data/mesh.db}
"""

# Parse and show what happens
data = yaml.safe_load(yaml_test)
print("YAML parsed result:")
print(data)
print("\nNote: List items with duplicate keys keep both entries")
print("But docker-compose treats environment as key-value pairs,")
print("so the last occurrence wins in actual container setup.")
EOF

Repository: decocms/admin

Length of output: 383

---

Fix DATABASE_URL fallback logic – last definition overrides in docker-compose

The DATABASE_URL is declared twice on consecutive lines:

- DATABASE_URL=${DATABASE_URL:-${POSTGRES_USER:+postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST:-localhost}:${POSTGRES_PORT:-5432}/${POSTGRES_DB:-mesh_db}}}
- DATABASE_URL=${DATABASE_URL:-/app/data/mesh.db}

In docker-compose environment lists, when the same key appears multiple times, the last definition takes precedence. This means:

• If DATABASE_URL is not set, the container always receives /app/data/mesh.db, regardless of whether POSTGRES_USER, POSTGRES_PASSWORD, etc. are defined.
• The documented behavior ("automatically mounts PostgreSQL when POSTGRES_USER is set") never actually takes effect.

Simplify this to a single, explicit default:

      # Database URL
      # Padrão: SQLite em /app/data/mesh.db
      # Para usar PostgreSQL (externo ou gerenciado), defina DATABASE_URL explicitamente no .env
      - DATABASE_URL=${DATABASE_URL:-/app/data/mesh.db}

This makes the behavior predictable and clear. For PostgreSQL, users can either set DATABASE_URL explicitly in .env or use docker-compose.postgres.yml, which already configures it correctly.

🤖 Prompt for AI Agents

In deploy/docker-compose.yml around lines 24 to 29, there are two consecutive
DATABASE_URL entries where the later one always overrides the earlier one;
remove the duplicated PostgreSQL fallback line and replace with a single
explicit default (SQLite: /app/data/mesh.db), update the comment to state that
to use PostgreSQL users must set DATABASE_URL in .env or use
docker-compose.postgres.yml, and ensure only one DATABASE_URL environment
variable is present so compose behavior is deterministic.

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f38a4f and d97d2d7.

📒 Files selected for processing (4)

• deploy/README.md (1 hunks)
• deploy/conf-examples/env.example (1 hunks)
• deploy/docker-compose.postgres.yml (1 hunks)
• deploy/docker-compose.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• deploy/docker-compose.postgres.yml
• deploy/docker-compose.yml
• deploy/conf-examples/env.example

🧰 Additional context used

🪛 markdownlint-cli2 (0.18.1)

deploy/README.md

16-16: Link fragments should be valid

(MD051, link-fragments)

---

73-73: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

---

160-160: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (3)

deploy/README.md (3)

1-54: Comprehensive and well-structured documentation.

The Quick Start section is clear and progressively discloses complexity. Instructions are actionable with proper context (e.g., secret generation guidance at lines 40-42). The organization from prerequisites through configuration options to troubleshooting follows a logical progression that supports both newcomers and advanced users.

---

154-302: Clear authentication configuration guidance with appropriate examples.

The separation of simple (basic email/password) and advanced (SSO + email providers) authentication examples is helpful. The mount path documentation (lines 156-179) correctly explains how auth-config.json is loaded, which aligns with the docker-compose setup. The security callout about not committing secrets (line 302) is important.

---

356-432: Comprehensive data management and reset procedures.

The progressive reset methods (simple, targeted, backup-first, selective) give users appropriate options for different scenarios. Clear warnings about data loss (lines 429-432) prevent accidents. The guidance on volume naming variations (lines 379-382) accounts for different deployment contexts.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix Table of Contents link fragments to work with emoji headings.

The TOC links include a leading dash (e.g., #-overview) but the markdown processor strips emojis from heading IDs, generating fragments like #overview instead. This breaks all TOC navigation links.

Remove the leading dash from each link fragment to match the actual heading IDs generated by the markdown processor:

- [Overview](#-overview)
- [Prerequisites](#-prerequisites)
- [Quick Start](#-quick-start---get-started-in-4-steps)
- [Configuration](#️-configuration)
- [Using SQLite (Default)](#-using-sqlite-default)
- [Using PostgreSQL](#-using-postgresql)
- [Authentication Configuration](#-authentication-configuration-auth-configjson)
- [Security](#-security)
- [Monitoring](#-monitoring)
- [Troubleshooting](#-troubleshooting)
- [Updating](#-updating)
- [Backup and Restore](#-backup-and-restore)
+ [Overview](#overview)
+ [Prerequisites](#prerequisites)
+ [Quick Start](#quick-start---get-started-in-4-steps)
+ [Configuration](#configuration)
+ [Using SQLite (Default)](#using-sqlite-default)
+ [Using PostgreSQL](#using-postgresql)
+ [Authentication Configuration](#authentication-configuration-auth-configjson)
+ [Security](#security)
+ [Monitoring](#monitoring)
+ [Troubleshooting](#troubleshooting)
+ [Updating](#updating)
+ [Backup and Restore](#backup-and-restore)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 📋 Table of Contents
	- [Overview](#-overview)
	- [Prerequisites](#-prerequisites)
	- [Quick Start](#-quick-start---get-started-in-4-steps)
	- [Configuration](#️-configuration)
	- [Using SQLite (Default)](#-using-sqlite-default)
	- [Using PostgreSQL](#-using-postgresql)
	- [Authentication Configuration](#-authentication-configuration-auth-configjson)
	- [Security](#-security)
	- [Monitoring](#-monitoring)
	- [Troubleshooting](#-troubleshooting)
	- [Updating](#-updating)
	- [Backup and Restore](#-backup-and-restore)
	## 📋 Table of Contents
	- [Overview](#overview)
	- [Prerequisites](#prerequisites)
	- [Quick Start](#quick-start---get-started-in-4-steps)
	- [Configuration](#configuration)
	- [Using SQLite (Default)](#using-sqlite-default)
	- [Using PostgreSQL](#using-postgresql)
	- [Authentication Configuration](#authentication-configuration-auth-configjson)
	- [Security](#security)
	- [Monitoring](#monitoring)
	- [Troubleshooting](#troubleshooting)
	- [Updating](#updating)
	- [Backup and Restore](#backup-and-restore)

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

16-16: Link fragments should be valid

(MD051, link-fragments)

🤖 Prompt for AI Agents

In deploy/README.md around lines 5 to 18, the Table of Contents link fragments
include a leading dash (e.g. `#-overview`) which doesn't match heading IDs
generated when emojis are stripped; update each TOC link to remove the leading
dash so fragments match actual IDs (e.g. change `#-overview` to `#overview`,
`#-prerequisites` to `#prerequisites`, etc.), ensuring all entries in this block
use the dash-free fragment form.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add blank line before table.

The table at line 73 should be preceded by a blank line per markdown formatting standards (MD058).

 Main variables:
+
 | Variable | Default | Description |

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Main variables:
	| Variable | Default | Description |
	|----------|---------|-------------|
	| `IMAGE_REPOSITORY` | `ghcr.io/decocms/admin/mesh` | Image repository |
	| `IMAGE_TAG` | `latest` | Image tag |
	| `PORT` | `3000` | Port exposed on host |
	| `NODE_ENV` | `production` | Node.js environment |
	| `BETTER_AUTH_URL` | `http://localhost:3000` | URL for authentication |
	| `BASE_URL` | `http://localhost:3000` | Application base URL |
	| `BETTER_AUTH_SECRET` | **required** | Authentication secret |
	| `DATABASE_URL` | `/app/data/mesh.db` | Database URL (SQLite or PostgreSQL) |
	Main variables:
	| Variable | Default | Description |
	|----------|---------|-------------|
	| `IMAGE_REPOSITORY` | `ghcr.io/decocms/admin/mesh` | Image repository |
	| `IMAGE_TAG` | `latest` | Image tag |
	| `PORT` | `3000` | Port exposed on host |
	| `NODE_ENV` | `production` | Node.js environment |
	| `BETTER_AUTH_URL` | `http://localhost:3000` | URL for authentication |
	| `BASE_URL` | `http://localhost:3000` | Application base URL |
	| `BETTER_AUTH_SECRET` | **required** | Authentication secret |
	| `DATABASE_URL` | `/app/data/mesh.db` | Database URL (SQLite or PostgreSQL) |

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

73-73: Tables should be surrounded by blank lines

(MD058, blanks-around-tables)

🤖 Prompt for AI Agents

In deploy/README.md around lines 72 to 83, the Markdown table listing main
variables is missing a blank line before it; add a single blank line immediately
above the table (line 72) so the table is separated from the preceding paragraph
per MD058, leaving the rest of the table unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Specify language for fenced code block or use inline formatting.

Line 160 uses a fenced code block without a language specifier (MD040). Since the content is a file path rather than executable code, consider using inline code or specifying an appropriate language.

-```
+```text
 /app/apps/mesh/auth-config.json
-```
+```

Alternatively, use inline code:

-```
-/app/apps/mesh/auth-config.json
-```
+`/app/apps/mesh/auth-config.json`

🧰 Tools

🪛 markdownlint-cli2 (0.18.1)

160-160: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

In deploy/README.md around lines 160 to 162, the fenced code block contains a
file path but lacks a language specifier; replace the fenced block with either a
fenced block that specifies a non-executable language such as "text" (e.g.,
```text ... ```) or convert it to inline code formatting (e.g.,
`/app/apps/mesh/auth-config.json` wrapped in backticks) so the Markdown linter
rule MD040 is satisfied.