Redis Environment Protocol v1.0
Created: 2026-01-08
Purpose: Standardize Redis vault/operational replication across all Nexus environments.
Terminology
Standard Environment
Two containers working together:
- Vault (even port, e.g., 6630): Password-protected, receives all WRITES
- Operational (odd port, e.g., 6631): No password, serves all READS, REPLICA of vault
Secure Environment
Vault only, no operational replica. Used for sensitive data:
- User (6610)
- Locker (6720)
Architecture
[MCP Server] --write--> [Vault:6630] --replication--> [Operational:6631]
                                                              ^
[MCP Server] --read-------------------------------------------+
Standard Environments
| Environment | Vault | Operational | Container Prefix |
|---|---|---|---|
| workflow | 6615 | 6616 | nexus3-workflow |
| context | 6620 | 6621 | nexus3-context |
| kb | 6625 | 6626 | nexus3-kb |
| contact | 6630 | 6631 | nexus3-contact |
| links | 6635 | 6636 | nexus3-links |
| track | 6640 | 6641 | nexus3-track |
| session | 6645 | 6646 | nexus3-session |
| transcripts | 6660 | 6661 | nexus3-transcripts |
| web | 6670 | 6671 | nexus3-web |
| chrono | 6680 | 6681 | nexus3-chrono |
Replication Setup
Prerequisites
- Both containers must be on the nexus-storage-network Docker network
- Vault password from Locker l_e0dd
Configuration Steps
# 1. Get vault IP on shared network
VAULT_IP=$(docker inspect nexus3-{env}-vault --format '{{range $key, $value := .NetworkSettings.Networks}}{{if eq $key "nexus-storage-network"}}{{$value.IPAddress}}{{end}}{{end}}')
# 2. Configure operational as replica
redis-cli -p {op_port} CONFIG SET masterauth "{vault_password}"
redis-cli -p {op_port} REPLICAOF $VAULT_IP 6379
# 3. Verify
redis-cli -p {op_port} INFO replication | grep master_link_status
# Should show: master_link_status:up
Critical Notes
- Use Docker network IP (10.0.4.X), NOT localhost (127.0.0.1)
- Use internal port 6379, NOT external mapped port
- masterauth must match vault password exactly
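
A classifier for the three misconfigurations listed above, as an added example (not the project's check_redis_replication.sh and not code from this page). It parses `INFO replication` text; the function names, the sample outputs and the 10.0.4.12 address are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the project's check_redis_replication.sh.
# Function and variable names are hypothetical.

# Operational (odd) ports from the Standard Environments table.
OP_PORTS="6616 6621 6626 6631 6636 6641 6646 6661 6671 6681"

# Print the value of field $1 from INFO text on stdin (INFO lines end in CRLF).
info_field() {
  tr -d '\r' | awk -v k="$1" 'index($0, k ":") == 1 { print substr($0, length(k) + 2); exit }'
}

# Classify the INFO replication text in $1; prints a verdict, returns 0 only for "ok".
classify_replication() {
  local info role host port link
  info=$1
  role=$(printf '%s\n' "$info" | info_field role)
  host=$(printf '%s\n' "$info" | info_field master_host)
  port=$(printf '%s\n' "$info" | info_field master_port)
  link=$(printf '%s\n' "$info" | info_field master_link_status)
  [ "$role" = "slave" ] || { echo "not-replica"; return 1; }
  case "$host" in
    127.*|localhost|::1) echo "bad-host"; return 1 ;;     # must be the Docker network IP
  esac
  [ "$port" = "6379" ] || { echo "bad-port"; return 1; }  # internal port, not the mapped one
  [ "$link" = "up" ] || { echo "link-down"; return 1; }   # e.g. masterauth mismatch
  echo "ok"
}

# Live sweep of every operational port; needs redis-cli and running containers.
check_all() {
  local p verdict rc
  rc=0
  for p in $OP_PORTS; do
    verdict=$(classify_replication "$(redis-cli -p "$p" INFO replication 2>/dev/null)") || rc=1
    printf '%s\t%s\n' "$p" "$verdict"
  done
  return "$rc"
}

# Constructed INFO replication samples (not captured from a real deployment).
SAMPLE_OK=$(printf 'role:slave\r\nmaster_host:10.0.4.12\r\nmaster_port:6379\r\nmaster_link_status:up\r\n')
SAMPLE_LOCALHOST=$(printf 'role:slave\r\nmaster_host:127.0.0.1\r\nmaster_port:6379\r\nmaster_link_status:down\r\n')
SAMPLE_MAPPED_PORT=$(printf 'role:slave\r\nmaster_host:10.0.4.12\r\nmaster_port:6630\r\nmaster_link_status:down\r\n')
SAMPLE_LINK_DOWN=$(printf 'role:slave\r\nmaster_host:10.0.4.12\r\nmaster_port:6379\r\nmaster_link_status:down\r\n')
SAMPLE_MASTER=$(printf 'role:master\r\nconnected_slaves:0\r\n')
```

A "link-down" verdict with a correct host and port is the case to check against the masterauth note, since `INFO replication` does not report the cause of a failed link.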
Verification Script
Location: /opt/mcp-servers/shared/check_redis_replication.sh
# Check all environments
./check_redis_replication.sh
# Auto-fix any broken replication
./check_redis_replication.sh --fix
Disaster Recovery
If operational is corrupted:
1. Stop operational container
2. Delete operational data volume
3. Restart container
4. Run replication fix script
5. Data auto-restores from vault
Passwords
All vault passwords are stored in Locker l_e0dd. NEVER hardcode passwords in source files; use credentials_helper instead.
Why This Matters
- Operational can be wiped without data loss
- Reads don't require a password (faster)
- Writes are protected by vault
- Vault is the single source of truth