DB-007 recommended general

Redis documented if storing critical data

If Redis stores critical data (sessions, queues), connection and usage must be documented. Cache-only usage is acceptable without documentation.

Question to ask

"If Redis restarts, what critical data evaporates with it?"

Verification guide

Severity: Recommended

Check automatically:

  1. Detect Redis usage:

    grep -r "REDIS_URL\|redis://" .env.example .env.local 2>/dev/null
grep "ioredis\|redis" package.json 2>/dev/null
grep -r "redis:" docker-compose*.yml 2>/dev/null

  2. If Redis found, scan for critical data patterns:

    # Session storage
grep -r "connect-redis\|RedisStore\|express-session" --include="*.ts" --include="*.js"

# Job queues
grep -r "BullMQ\|Bull\|bee-queue" --include="*.ts" --include="*.js"

# Pub/sub for critical events
grep -r "\.subscribe\|\.publish" --include="*.ts" --include="*.js" | grep -i redis

  3. Check for cache-only indicators (all operations have TTL):

    grep -r "\.set\|\.setex" --include="*.ts" --include="*.js" | grep -i redis

Pass criteria:

  • No Redis used, OR
  • Redis is cache-only (all keys have TTL), OR
  • Critical Redis usage is documented (connection users, data stored, backup strategy)

Fail criteria:

  • Redis stores critical data (sessions, queues) without documentation

Evidence to capture:

  • Redis usage type (cache-only, sessions, queues, etc.)
  • Documentation location if critical data stored

Section

05. Database & Connections

Database & Data

← Previous

DB-006

Soft delete pattern implemented

 Next →

DB-008

DB admin tools on-demand and Zero Trust protected