Secure Environment Pattern

A Secure Environment has only one Redis instance - a password-protected vault with no operational replica.

When to Use Secure Pattern

  • User Environment: Contains authentication data, PINs, user profiles
  • Locker Environment: Contains all system credentials
  • Any environment with highly sensitive data

Architecture

[MCP Server] --read/write--> [Vault:6XXX] (password required)

No replication, no read replica. All operations go through the authenticated vault.

Security Model

  1. Password required for ALL operations (read AND write)
  2. No unauthenticated access path exists
  3. Latency slightly higher than Standard (no read replica)
  4. Trade-off: Security over speed

Performance Consideration

Tested latency difference between vault and operational: ~0.14ms. This is negligible for most use cases. The security benefit outweighs the performance cost.

Container Setup

docker run -d \
  --name nexus3-{env}-vault \
  --restart unless-stopped \
  --network nexus-storage-network \
  -p {vault_port}:6379 \
  -v /data/nexus3/{env}/vault:/var/lib/falkordb/data \
  falkordb/falkordb:latest \
  redis-server --loadmodule /var/lib/falkordb/bin/falkordb.so

Then set password at runtime:

redis-cli -p {vault_port} CONFIG SET requirepass {password}
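
A check for points 1 and 2 of the Security Model, as an added example that is not part of the original page: it sends PING without AUTH to each vault port and reports whether the server demanded a password. It uses only the Python standard library; the function names are hypothetical, and the ports and the `localhost` host are the ones given on this page.

```python
import socket

# Ports from the "Current Secure Environments" table on this page.
SECURE_VAULTS = {"user": 6610, "locker": 6720}


def classify_reply(reply: bytes) -> str:
    """Map the first RESP reply line to a verdict."""
    line = reply.split(b"\r\n", 1)[0]
    if line.startswith(b"-NOAUTH"):
        return "auth_required"   # expected: requirepass is active
    if line.startswith(b"-DENIED"):
        return "protected_mode"  # blocked by protected mode, but no password is set
    if line.startswith(b"+PONG"):
        return "OPEN"            # command ran without a password
    return "unknown"


def probe_unauthenticated(host: str, port: int, timeout: float = 2.0) -> str:
    """Send PING without AUTH and report how the server answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"*1\r\n$4\r\nPING\r\n")  # RESP-encoded PING
            return classify_reply(sock.recv(256))
    except OSError:
        return "unreachable"


def audit(host: str = "localhost", vaults: dict = SECURE_VAULTS) -> dict:
    """Probe every vault and return {environment: verdict}."""
    return {env: probe_unauthenticated(host, port) for env, port in vaults.items()}


if __name__ == "__main__":
    results = audit()
    for env, verdict in results.items():
        print(f"{env:8s} {verdict}")
    # Non-zero exit if any vault answered a command without a password.
    raise SystemExit(1 if "OPEN" in results.values() else 0)
```

`CONFIG SET requirepass` changes only the running server, so re-run the check after any container restart.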

Directory Structure

/data/nexus3/{env}/
└── vault/
    ├── redis.conf          # Password config
    ├── dump.rdb            # Data snapshot
    └── appendonlydir/      # AOF persistence

No operational directory needed.

MCP Server Configuration

In Secure environments, the MCP server uses the same connection for reads and writes:

import redis  # redis-py client

# SECURE ENVIRONMENT: vault only, no operational replica
self.vault_redis = redis.Redis(
    host='localhost',
    port=vault_port,
    password=vault_password,  # From credentials_helper
    decode_responses=True
)

# Alias for compatibility with code expecting operational
self.operational_redis = self.vault_redis

Current Secure Environments

Environment   Vault Port   Purpose
User          6610         User profiles, authentication, sessions
Locker        6720         System credentials, API keys, passwords

Checklist for New Secure Environment

  • [ ] Choose vault port (typically 66X0)
  • [ ] Create data directory: /data/nexus3/{env}/vault
  • [ ] Create vault container on nexus-storage-network
  • [ ] Set vault password at runtime
  • [ ] Create locker entry for credentials
  • [ ] Update credentials_helper with new environment
  • [ ] Create/update MCP server with vault-only config
  • [ ] NO operational container needed
ID: 3f42f42c
Updated: 2026-01-03T15:42:49