feat(helm)!: Replace hostPath-based aws_config_directory with chart-managed Secret (resolves #2162).

[junhaoliao]

Description

The Helm chart's aws_config_directory volume uses hostPath, which mounts a directory from the Kubernetes node's filesystem. This doesn't work on managed Kubernetes clusters (e.g., EKS) where hostPath is either unavailable or restricted by PodSecurityStandards.

This PR replaces the hostPath-based aws_config_directory value with a new aws_config object.
Users provide their AWS config file contents via Helm's --set-file flag, and the chart creates a Kubernetes Secret from those contents. The Secret is then mounted as a volume in all pods that need AWS config access (compression-scheduler, compression-worker, query-worker, garbage-collector, webui).

Usage:

helm install <release> <chart> \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config

Changes:

• values.yaml: Replaced aws_config_directory: null with aws_config: null and documented
  --set-file usage.
• templates/aws-config-secret.yaml (new): Creates a Secret from aws_config.credentials and
  aws_config.config file contents.
• templates/_helpers.tpl: clp.awsConfigVolume now emits a secret volume instead of hostPath; clp.awsConfigVolumeMount hardcodes /opt/clp/.aws as the mount path.
• templates/configmap.yaml: Condition and rendered path updated to use aws_config.
• 5 deployment templates: Condition updated from aws_config_directory to aws_config.

Checklist

• The PR satisfies the contribution guidelines.
• This is a breaking change and that has been indicated in the PR title, OR this isn't a
  breaking change.
• Necessary docs have been updated, OR no docs need to be updated.

Validation performed

helm template renders no AWS resources when aws_config is null (default)

Task: Verify that when aws_config is not set (default null), no AWS-related resources are
rendered.

Command:

helm template test tools/deployment/package-helm/ 2>&1 | grep -c "aws"

Output:

0

No AWS resources are emitted when aws_config is disabled — all deployments omit the volume and volumeMount, and no Secret is created.

helm template renders Secret and mounts correctly with aws_config

Task: Verify that setting aws_config via --set-file creates a Secret and mounts it in all 5 deployments.

Command:

helm template test tools/deployment/package-helm/ \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  2>&1 | grep -c "secretName: test-clp-aws-config"

Output:

5

All 5 deployments (compression-scheduler, compression-worker, query-worker, garbage-collector,
webui) reference the chart-managed Secret as a volume source.

Command (verify configmap sets aws_config_directory):

helm template test tools/deployment/package-helm/ \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  2>&1 | grep -A1 "aws_config_directory"

Output:

    aws_config_directory: "/opt/clp/.aws"

The configmap correctly hardcodes the aws_config_directory path when aws_config is provided.

Single-node cluster: S3 compress, search, and stream extraction

Task: Deploy with set-up-test.sh, upgrade with S3 + aws_config, and verify compress, search, and stream extraction all work.

Command:

cd tools/deployment/package-helm && bash set-up-test.sh

Output:

All jobs completed and services are ready.

Command (upgrade with S3 + aws_config):

helm upgrade test ../../tools/deployment/package-helm/ \
  -f test-s3-values.yaml \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config

Output:

Release "test" has been upgraded. Happy Helming!
STATUS: deployed
REVISION: 2

Command (verify Secret exists and contains expected keys):

kubectl get secret test-clp-aws-config -o jsonpath='{.data}' | python3 -c "import sys,json; print(list(json.load(sys.stdin).keys()))"

Output:

['config', 'credentials']

Command (submit S3 compression job):

curl -sv -X POST http://localhost:30302/s3_scanner -H "Content-Type: application/json" \
  -d '{"bucket_name": "<BUCKET_NAME>", "key_prefix": "<KEY_PREFIX>", \
       "region": "<REGION>", "timestamp_key": "timestamp", \
       "buffer_config": {"flush_threshold_bytes": 1, "timeout_sec": 10}}'

Output:

{"id":1}

Command (check compression worker logs):

kubectl logs -l app.kubernetes.io/component=compression-worker --tail=5

Output:

[job_id=1 task_id=1] COMPRESSION STARTED.
Uploading archive 69daee8f-9d42-40b8-ac63-efbd842f2e80 to S3...
Finished uploading archive 69daee8f-9d42-40b8-ac63-efbd842f2e80 to S3.
[job_id=1 task_id=1] COMPRESSION COMPLETED.

Explanation: The compression worker successfully read the AWS credentials from the Secret-mounted volume at /opt/clp/.aws, connected to S3, and uploaded the archive.

Command (search via Playwright):

Search for postgres in the WebUI.

Result: Success - search job 3 found 10 results in 0.301 seconds (13.4 kB/s)

Command (stream extraction via Playwright):

Click "Original file" link on a search result.

Result: New tab opens showing the decompressed stream file contents from S3 — confirms the
webui correctly reads AWS config from the Secret-mounted volume.

Multi-node shared cluster: S3 compress and search

Task: Deploy with set-up-multi-shared-test.sh, upgrade with S3 + aws_config, and verify
compress and search work across worker nodes.

Command:

cd tools/deployment/package-helm && bash set-up-multi-shared-test.sh

Output:

All jobs completed and services are ready.

Command (upgrade + compress + search):

helm upgrade test ../../tools/deployment/package-helm/ \
  -f test-s3-values.yaml \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  --set "distributedDeployment=true" \
  --set "compressionWorker.replicas=2" \
  --set "queryWorker.replicas=2" \
  --set "reducer.replicas=2"

Output:

Release "test" has been upgraded. Happy Helming!
STATUS: deployed
REVISION: 2

Result: S3 compression completed successfully. Search found 10 results in 0.352 seconds.

Multi-node dedicated cluster: S3 compress, search, and stream extraction

Task: Deploy with set-up-multi-dedicated-test.sh, upgrade with S3 + aws_config (including nodeSelector), and verify compress, search, and stream extraction work on dedicated worker nodes.

Command:

cd tools/deployment/package-helm && bash set-up-multi-dedicated-test.sh

Output:

All jobs completed and services are ready.

Command (upgrade with nodeSelector):

helm upgrade test ../../tools/deployment/package-helm/ \
  -f test-s3-values.yaml \
  --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \
  --set-file clpConfig.aws_config.config=$HOME/.aws/config \
  --set "distributedDeployment=true" \
  --set "compressionWorker.replicas=2" \
  --set "compressionWorker.scheduling.nodeSelector.yscope\.io/nodeType=compression" \
  --set "queryWorker.replicas=2" \
  --set "queryWorker.scheduling.nodeSelector.yscope\.io/nodeType=query" \
  --set "reducer.replicas=2" \
  --set "reducer.scheduling.nodeSelector.yscope\.io/nodeType=query"

Output:

Release "test" has been upgraded. Happy Helming!
STATUS: deployed
REVISION: 2

Result: S3 compression completed successfully. Search found 10 results in 0.317 seconds. Stream extraction via "Original file" link opened a new tab showing the decompressed file contents from S3.

Summary by CodeRabbit

• Chores

  • Bumped Helm chart version to 0.3.2-dev.2.
  • AWS config is now supplied inline via chart values and rendered as a chart-managed Secret instead of mounting a host directory.
  • AWS config is mounted into pods at a fixed path and inclusion is controlled by a new aws_config setting.

• Documentation

  • Clarified Helm deployment guidance to use --set-file for providing AWS config/credentials.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Chart version bumped; AWS config input renamed from aws_config_directory → aws_config. Helm now creates an aws-config Secret from provided contents and mounts it at /opt/clp/.aws when .Values.clpConfig.aws_config is set; deployment templates and ConfigMap updated accordingly.

Changes

Chart Version

Layer / File(s)	Summary
Metadata tools/deployment/package-helm/Chart.yaml	Chart version updated from 0.3.2-dev.1 → 0.3.2-dev.2.

AWS config secret & mount

Layer / File(s)	Summary
Values / API tools/deployment/package-helm/values.yaml	Removed clpConfig.aws_config_directory; added clpConfig.aws_config to accept AWS config file contents (supports null).
Config shape / ConfigMap tools/deployment/package-helm/templates/configmap.yaml	When .Values.clpConfig.aws_config is set, emits aws_config_directory: "/opt/clp/.aws" into clp-config.yaml; otherwise omits the key.
Template helpers tools/deployment/package-helm/templates/_helpers.tpl	Added clp.awsConfigMountPath returning "/opt/clp/.aws"; clp.awsConfigVolumeMount uses that mountPath (readOnly); clp.awsConfigVolume changed from hostPath to secret referencing {{ include "clp.fullname" . }}-aws-config.
Secret resource tools/deployment/package-helm/templates/aws-config-secret.yaml	New template: conditionally renders a Secret named {{ include "clp.fullname" . }}-aws-config with optional stringData.credentials and stringData.config sourced from .Values.clpConfig.aws_config.
Wiring / Deployments tools/deployment/package-helm/templates/*-deployment.yaml (compression-scheduler, compression-worker, garbage-collector, query-worker, webui)	Volume mount and volume inclusion conditionals now check .Values.clpConfig.aws_config (instead of .Values.clpConfig.aws_config_directory), so the secret-backed volumeMount/volume are rendered only when aws_config is set.

Sequence Diagram(s)

sequenceDiagram
  participant Helm as Helm renderer
  participant K8sAPI as Kubernetes API
  participant Pod as Pod / Container
  Helm->>Helm: Read `.Values.clpConfig.aws_config`
  alt aws_config set
    Helm->>K8sAPI: Render & apply Secret `{{ include "clp.fullname" . }}-aws-config`
    Helm->>K8sAPI: Render Deployments referencing Secret volume
    K8sAPI->>Pod: Mount Secret at /opt/clp/.aws
    Pod->>Pod: Application reads AWS config from /opt/clp/.aws
  else aws_config not set
    Helm->>K8sAPI: Do not render Secret or mounts
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing hostPath-based aws_config_directory with a chart-managed Secret in the Helm chart.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/deployment/package-helm/values.yaml`:
- Around line 259-265: Add a new Helm Secret template named
aws-config-secret.yaml that mirrors the pattern used by database-secret.yaml,
queue-secret.yaml, and redis-secret.yaml: read clpConfig.aws_config.credentials
and clpConfig.aws_config.config values and create a Secret (named using the
release name, e.g., {{ include "clp.fullname" . }}-aws-config) with keys for
credentials and config so the clp.awsConfigVolume helper can mount them into
pods; ensure the template is conditional on .Values.clpConfig.aws_config not
being null and uses proper tpl/quote handling for multi-line file content.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ae49a1b6-74b2-4506-9b0e-e4a84879baf6

📥 Commits

Reviewing files that changed from the base of the PR and between 22c1275 and de74347.

📒 Files selected for processing (9)

• tools/deployment/package-helm/Chart.yaml
• tools/deployment/package-helm/templates/_helpers.tpl
• tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml
• tools/deployment/package-helm/templates/compression-worker-deployment.yaml
• tools/deployment/package-helm/templates/configmap.yaml
• tools/deployment/package-helm/templates/garbage-collector-deployment.yaml
• tools/deployment/package-helm/templates/query-worker-deployment.yaml
• tools/deployment/package-helm/templates/webui-deployment.yaml
• tools/deployment/package-helm/values.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/deployment/package-helm/templates/aws-config-secret.yaml`:
- Around line 8-14: When .Values.clpConfig.aws_config is present but neither
.Values.clpConfig.aws_config.credentials nor .Values.clpConfig.aws_config.config
is provided, the two with-blocks in the stringData section (credentials and
config) are skipped producing an empty stringData; add a Helm validation check
that detects this case and fails early with a clear message (e.g., using an if
that tests .Values.clpConfig.aws_config and the absence of both
.Values.clpConfig.aws_config.credentials and
.Values.clpConfig.aws_config.config, then call fail with a descriptive message)
so templates/aws-config-secret.yaml does not render an empty secret.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: adb2ccca-9f56-4fa3-b055-208d60aca59b

📥 Commits

Reviewing files that changed from the base of the PR and between de74347 and 48424d4.

📒 Files selected for processing (1)

• tools/deployment/package-helm/templates/aws-config-secret.yaml

[hoophalab]

Overall good. Some comments.

[hoophalab]

Can we comment that this variable needs to be in sync with CONTAINER_AWS_CONFIG_DIRECTORY in clp_py_utils/clp_config.py?

[junhaoliao]

i created a named template helper to avoid the magic string: clp.awsConfigMountPath

[hoophalab]

Since the package doesn't actually handle the volume mount in Helm, this variable could be set to any string, null, or even omitted entirely, right?

[junhaoliao]

the package still read the awsConfigMount volume - it's just that the volume content (i.e., config) no longer comes from some file on some host's filesystem, but rather the k8s secret, which composes these files in the containers when launched:

• /opt/clp/.aws/credentials
• /opt/clp/.aws/config

[hoophalab]

Shall we update https://docs.yscope.com/clp/main/user-docs/guides-using-object-storage/aws-s3/clp-config.html#profile as well?

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tools/deployment/package-helm/Chart.yaml`:
- Line 3: The Chart.yaml chart version was only incremented from "0.3.2-dev.1"
to "0.3.2-dev.2" but the PR changes the values schema in a breaking way
(renaming aws_config_directory → aws_config); update the chart's version to the
next breaking-major series (e.g. change the version field value in Chart.yaml to
"0.4.0-dev.1" or another appropriate 0.4.x semantic-major bump) so operators and
upgrade tooling detect the breaking change.

In `@tools/deployment/package-helm/templates/_helpers.tpl`:
- Around line 366-370: The AWS secret volume definition "clp.awsConfigVolume"
currently omits a defaultMode, leaving files with Kubernetes' default 0644;
update the template for clp.awsConfigVolume to add defaultMode: 0400 under the
secret stanza so the mounted AWS credential file is owner-read only (0400),
preserving readOnly mounts and using the existing include "clp.fullname" for
secretName.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: dd2ec6f1-7d79-4806-b493-802b58d5d466

📥 Commits

Reviewing files that changed from the base of the PR and between 48424d4 and 4dc834b.

📒 Files selected for processing (9)

• tools/deployment/package-helm/Chart.yaml
• tools/deployment/package-helm/templates/_helpers.tpl
• tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml
• tools/deployment/package-helm/templates/compression-worker-deployment.yaml
• tools/deployment/package-helm/templates/configmap.yaml
• tools/deployment/package-helm/templates/garbage-collector-deployment.yaml
• tools/deployment/package-helm/templates/query-worker-deployment.yaml
• tools/deployment/package-helm/templates/webui-deployment.yaml
• tools/deployment/package-helm/values.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use a breaking-level chart version bump for this values schema change.

Line 3 bumps 0.3.2-dev.1 → 0.3.2-dev.2, but this PR introduces a breaking values contract change (aws_config_directory → aws_config). Please bump to the next breaking-compatible series (for example 0.4.0-dev.1) so upgrade tooling and operators can detect risk correctly.

Suggested change

-version: "0.3.2-dev.2"
+version: "0.4.0-dev.1"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/deployment/package-helm/Chart.yaml` at line 3, The Chart.yaml chart
version was only incremented from "0.3.2-dev.1" to "0.3.2-dev.2" but the PR
changes the values schema in a breaking way (renaming aws_config_directory →
aws_config); update the chart's version to the next breaking-major series (e.g.
change the version field value in Chart.yaml to "0.4.0-dev.1" or another
appropriate 0.4.x semantic-major bump) so operators and upgrade tooling detect
the breaking change.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add defaultMode: 0400 to restrict AWS credential file permissions.

The Secret volume uses Kubernetes' default mode (0644), making credential files group- and world-readable within the container. Since the mount is already readOnly: true, setting defaultMode: 0400 (owner read-only) aligns with AWS SDK best-practice and eliminates the world-readable warning that AWS tooling emits.

🔒 Proposed fix

 {{- define "clp.awsConfigVolume" -}}
 name: "aws-config"
 secret:
   secretName: {{ include "clp.fullname" . }}-aws-config
+  defaultMode: 0400
 {{- end }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tools/deployment/package-helm/templates/_helpers.tpl` around lines 366 - 370,
The AWS secret volume definition "clp.awsConfigVolume" currently omits a
defaultMode, leaving files with Kubernetes' default 0644; update the template
for clp.awsConfigVolume to add defaultMode: 0400 under the secret stanza so the
mounted AWS credential file is owner-read only (0400), preserving readOnly
mounts and using the existing include "clp.fullname" for secretName.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md (1)

181-184: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Clarify the note for deployment-specific context.

The note references aws_config_directory generically, but the required action differs between Docker Compose and Helm deployments:

• Docker Compose: Users should comment out or set aws_config_directory to null when not using profiles.
• Kubernetes (Helm): Users should simply omit the --set-file clpConfig.aws_config.* flags when not using profiles; they don't directly configure aws_config_directory.

Consider updating the note to reflect this distinction, similar to the tabbed approach used above, to avoid confusion for Helm users.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md` around
lines 181 - 184, Update the generic note about aws_config_directory to
distinguish deployment types: instruct Docker Compose users to comment out or
set aws_config_directory to null when not using profiles, and instruct
Kubernetes/Helm users to omit the --set-file clpConfig.aws_config.* flags
(instead of editing aws_config_directory) when not using profiles; reference the
aws_config_directory setting and the --set-file clpConfig.aws_config.* Helm
flags so readers can quickly find the relevant configuration block.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md`:
- Around line 169-170: Replace the vague sentence "aws_config_directory is set
automatically by the chart" with a clearer statement that the chart manages the
AWS config and that users should supply the AWS config file contents via
--set-file; mention that the chart creates a Secret and mounts it at
/opt/clp/.aws and the ConfigMap references that mount (referencing
aws_config_directory, /opt/clp/.aws, ConfigMap, and --set-file to locate the
change).
- Line 157: Add a comma after the linking adverb "Typically" at the start of the
sentence (i.e., change "Typically X" to "Typically, X"); locate the sentence
that begins with "Typically" in clp-config.md and insert the comma immediately
after the word to correct the grammar.

---

Outside diff comments:
In `@docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md`:
- Around line 181-184: Update the generic note about aws_config_directory to
distinguish deployment types: instruct Docker Compose users to comment out or
set aws_config_directory to null when not using profiles, and instruct
Kubernetes/Helm users to omit the --set-file clpConfig.aws_config.* flags
(instead of editing aws_config_directory) when not using profiles; reference the
aws_config_directory setting and the --set-file clpConfig.aws_config.* Helm
flags so readers can quickly find the relevant configuration block.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: af8ae836-f7bc-4d54-97f4-530953419337

📥 Commits

Reviewing files that changed from the base of the PR and between edb90fc and 48d0ce4.

📒 Files selected for processing (1)

• docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Add comma after linking adverb for clarity.

The linking adverb "Typically" at the start of the sentence should be followed by a comma for proper grammar.

✏️ Proposed grammar fix

-Typically `~/.aws`:
+Typically, `~/.aws`:

🧰 Tools

🪛 LanguageTool

[uncategorized] ~157-~157: A comma may be missing after the conjunctive/linking adverb ‘Typically’.
Context: ...tab-item} Docker Compose :sync: docker Typically ~/.aws: ```yaml aws_config_directory...

(SENT_START_CONJUNCTIVE_LINKING_ADVERB_COMMA)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md` at line
157, Add a comma after the linking adverb "Typically" at the start of the
sentence (i.e., change "Typically X" to "Typically, X"); locate the sentence
that begins with "Typically" in clp-config.md and insert the comma immediately
after the word to correct the grammar.