Document 3 / 3

SOFTWARE STACK, SECURITY & SCALING

This page now distinguishes the real current stack from later-stage infrastructure options, so Nexus reads like an honest operating system instead of a generic platform pitch.


Live foundation

Host environment

TC’s current setup is a Hostinger VPS on Ubuntu 24.04.4 LTS, with OpenClaw running in Docker and the Nexus Portal living inside that working environment.

Hostinger VPS · Ubuntu 24.04 · Docker

Live foundation

Portal + data layer

Nexus Portal is a Next.js application in this repo, currently backed by Prisma with a local SQLite database in the checked build.

Next.js · Prisma · SQLite

Live foundation

Execution model

OpenClaw provides the assistant runtime, session orchestration, browser control, memory tools, and background execution paths; the key real-world use case is controlling TC’s browser session via Browser Relay.

OpenClaw · sessions · Browser Relay

Later-stage options

Recommended upgrades when justified

Postgres

Good upgrade path when Nexus needs stronger multi-user durability, richer relational querying, or safer production operations.

Redis

Worth adding for shared cache, counters, rate limits, and short-lived coordination once those patterns are real needs.

Managed queue or broker

Add only when background execution volume, retries, and worker separation justify a dedicated async layer.

Container orchestration

Docker or Kubernetes should follow proven operational pain, not appear just because a strategy page can name them.

Truth boundary

What this repo does not prove

  • This build does not prove a Kubernetes deployment.
  • This build does not prove Redis, RabbitMQ, Kafka, or Postgres are running for Nexus today.
  • This build does prove a repo-level Next.js + Prisma + SQLite portal, but not a large distributed platform.
  • The known live operating path is VPS + Docker + OpenClaw + Tailscale-assisted browser control, not a fictional hyperscale topology.

Security baseline

Minimum hardening stance

  • Keep the OpenClaw gateway and internal services private by default; TC’s preferred access path is via Tailscale rather than open internet exposure.
  • Use reverse proxying and TLS at the edge only where external access is genuinely required.
  • Back up the workspace, Prisma/SQLite state, and Docker-mounted data before pretending the system is production-hardened.
  • Pin versions for production changes instead of drifting on vague latest tags.
  • Document the real ports, services, mounts, and relay path on the VPS so the stack page stays tied to reality.
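Two of the baseline items above (private-by-default services and pinned versions) can be checked mechanically against a Compose file. The following is an added example, not code from this repo: the service names, images and ports in the sample are constructed, and it assumes two-space-indented services and short-syntax `ports:` entries. A published port with no host IP is flagged because Docker binds it on all interfaces.

```python
import re

# Constructed sample; service names, images and ports are hypothetical.
SAMPLE_COMPOSE = """\
services:
  gateway:
    image: example/gateway:latest
    ports:
      - "8080:8080"
  portal:
    image: example/portal:1.4.2
    ports:
      - "127.0.0.1:3000:3000"
  worker:
    image: example/worker
"""

SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")   # assumes 2-space indent
IMAGE_RE = re.compile(r"^\s+image:\s*[\"']?([^\"'\s]+)")
OPEN_HOSTS = {"", "0.0.0.0", "[::]"}                    # "" = no host IP given

def image_is_pinned(ref):
    """Pinned = explicit digest, or a tag other than 'latest'."""
    tag = ref.rsplit("/", 1)[-1].partition(":")[2]      # ignore registry host:port
    return "@" in ref or tag not in ("", "latest")

def bind_host(mapping):
    """Host IP of a short-syntax port mapping, '' when none is given."""
    parts = mapping.split("/")[0].rsplit(":", 2)        # drop /tcp or /udp first
    return parts[0] if len(parts) == 3 else ""

def audit(compose_text):
    """Return (service, issue, value) tuples for unpinned images and open ports."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if m := SERVICE_RE.match(line):
            service, in_ports = m.group(1), False
        elif m := IMAGE_RE.match(line):
            if not image_is_pinned(m.group(1)):
                findings.append((service, "unpinned image", m.group(1)))
        elif stripped == "ports:":
            in_ports = True
        elif in_ports and stripped.startswith("-"):
            mapping = stripped[1:].strip().strip("\"'")
            if bind_host(mapping) in OPEN_HOSTS:
                findings.append((service, "published on all interfaces", mapping))
        elif stripped:
            in_ports = False                            # any other key ends the list
    return findings
```

Calling `audit()` on the text of a real Compose file returns the same tuples; an empty list means every image is pinned and every published port is bound to a specific address such as loopback.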