Environment: Locker (Security Foundation)
- Port: 6720 (vault ONLY - no operational by design)
- Location: /opt/mcp-servers/locker/mcp_locker_server.py
- Version: 2.2.0-stable-id
- Stable ID Format: l_XXXX
- Status: ✅ WORKING
Purpose
Secure credential storage foundation for all Nexus 3.0 environments. Single-source-of-truth for passwords, API keys, and sensitive configuration.
Security by Design
- Single-port vault: No operational replica (port 6721 intentionally not responding)
- Bootstrap password: Only hardcoded password in entire system (4dsCi8)
- credentials_helper pattern: All other MCP servers use credentials_helper.py to retrieve passwords
- No replication: Credentials never leave the vault
Current Data
- 36 lockers containing 122 credentials
- 19 environments with stored credentials
- Master locker (l_d177): Nexus 3.0 Environments - contains 15 sub-lockers for all environments
Tools (10 total)
| Tool | Parameters | Description |
|---|---|---|
| create | name (req), description | Create new locker |
| get | locker_id (req) | Get locker metadata (values hidden) |
| list | limit | List all lockers |
| add | locker_id (req), key (req), value (req) | Add credential to locker |
| update | locker_id (req), key (req), value (req) | Update credential value |
| update_locker | locker_id (req), name, description | Update locker metadata |
| reveal | locker_id (req), key (req) | Reveal credential value (audit logged) |
| delete | locker_id (req), key | Delete credential or entire locker |
| search | query (req), limit | Search locker names/descriptions |
| backfill_stable_ids | - | Generate stable IDs for legacy lockers |
credentials_helper.py Pattern
```python
# How MCP servers retrieve passwords
from shared.credentials_helper import get_environment_password


class MyMcpServer:
    def __init__(self):
        # Retrieve password from locker at startup
        self.vault_password = get_environment_password(
            'my_environment',  # locker name
            'vault_password'   # key within locker
        )
```
Key Format
locker:{user}:{timestamp}:locker:{stable_id}
Locker Hierarchy
Nexus 3.0 Environments (l_d177)
├── Context (vault 6600, operational 6601)
├── Track (vault 6610, operational 6611)
├── Contact (vault 6620, operational 6621)
├── Session (vault 6645, operational 6646)
├── Locker (vault 6720, NO operational)
├── User (vault 6630, NO operational)
├── Links (vault 6635, operational 6636)
├── KB (vault 6640, operational 6641)
├── Chrono (vault 6780, operational 6781)
├── Corpus (vault 6650, operational 6651)
├── Staging (vault 6680, NO operational)
└── ... (15 total sub-lockers)
Security Assessment
- ✅ Single bootstrap password - only hardcoded secret in system
- ✅ credentials_helper pattern - standardized password retrieval
- ✅ No operational replica - credentials isolated to vault
- ✅ Audit logging - reveal operations tracked
- ✅ Stable ID system - prevents key enumeration
⚠️ Note: Values stored as plaintext in Redis - security via:
- Network isolation (localhost only)
- Redis AUTH required
- Locker port protected
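Because the stored values are plaintext, the localhost-only and Redis AUTH controls carry the whole protection, so they are worth checking against the actual redis.conf. The following is an added example, not part of the Locker code base: the function names are hypothetical and both sample configs are constructed.

```python
import ipaddress

# Constructed sample configs, not taken from the Locker deployment.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass "<placeholder-long-random-secret>"
"""

def parse_redis_conf(text):
    """Return {directive: [args]}; a later line overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        conf[parts[0].lower()] = [arg.strip("\"'") for arg in parts[1:]]
    return conf

def is_loopback(addr):
    """True for loopback IP literals; a leading '-' marks an address Redis may skip."""
    try:
        return ipaddress.ip_address(addr.lstrip("-")).is_loopback
    except ValueError:  # wildcards such as '*' are not loopback
        return False

def audit_controls(text):
    """Return findings against the localhost-only and AUTH-required controls."""
    conf, findings = parse_redis_conf(text), []
    binds = conf.get("bind") or []
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    findings += [f"bind {a}: not a loopback address" for a in binds if not is_loopback(a)]
    if not (conf.get("requirepass") or [""])[0]:
        findings.append("requirepass unset: Redis AUTH is not required")
    if (conf.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled")
    return findings

if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_controls(conf_text) or "OK")
```

`requirepass` only covers the Redis `default` user; a deployment that defines users in an ACL file needs a separate check of that file.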
Audited by McFly (a_isma) | Documented by Rocky (o_cq0c) | 2026-01-06