Scope
Design a resilient, local-first install where a Gatekeeper answers first touch and completes scheduling even if the internet is down. The hardware pattern is intentionally boring, serviceable, and recoverable.
The Four Boxes (roles, not brands)
- Modem (WAN handoff)
• Cable/DSL/Fiber ONT. Terminates the ISP link and exposes a single WAN port (Ethernet).
• Role: raw connectivity for backups, model updates, and optional cloud mail relays. Nothing on the voice path depends on it.
• Not a trust anchor; if it dies, the phones must keep working without it.
- Router (LAN firewall + Wi-Fi)
• NAT, DHCP, VLANs; optionally the site’s Wi-Fi access point.
• Provides the LAN/VLAN that holds the Gatekeeper’s management IP and from which the local admin UI is reached.
• Should support WPA3 and a dedicated SSID/VLAN for “edge devices,” so the GK never shares a segment with guest Wi-Fi or point-of-sale gear.
- POTS Voice Terminal (separate business line)
• The “little box” from the telco that presents a true analog business line (RJ-11).
• Technical names you’ll see: POTS handoff, eMTA (for cable voice), ONT FXS port (for fiber), or an ATA if converting SIP to analog. Caveat: an ATA fed by SIP over the same WAN inherits every WAN failure and gives you no survivability; only a carrier-terminated line does.
• Why it exists: voice survivability when the internet is down, plus dial-backup for legacy card terminals.
• Interfaces:
– FXS (it supplies dial tone) out to your premises.
– Battery module (recommended) to keep dial tone during power outages.
- Gatekeeper (edge appliance)
• First-touch agent with local policy, calendar, and customer graph.
• Storage: encrypted database on device; off-site backup = a single zero-knowledge blob (provider cannot decrypt).
• Telephony: at least one FXO port (to consume the analog line) and one FXS port (to pass dial tone to existing handsets or a small key system).
• Network: Ethernet and Wi-Fi; optional LTE/5G for out-of-band health pings and time sync.
• Power: runs on UPS; can answer calls with the router or internet completely down.
Two Reference Topologies
A) “Closet Wired” (early-2028 installs)
[ISP]──coax/fiber──[MODEM]──Ethernet──[ROUTER]──Ethernet──[GATEKEEPER]
                                                          FXO │   │ FXS
[PSTN/copper or telco handoff]──RJ11──[POTS VOICE TERMINAL (FXS)]──RJ11──┘   └──RJ11 (FXS passthrough)──[handset/PBX]
• Pros: simple, serviceable; everything co-located.
• Cons: visible and theft-prone; easiest to “sledgehammer.”
B) “Stealth Wireless” (mid-/late-2028 predominant)
[MODEM]──Ethernet──[ROUTER] ……… Wi-Fi ……… [GATEKEEPER]
PSTN/voice handoff──RJ11──[POTS VOICE TERMINAL (FXS)]──concealed RJ11 lead──[GATEKEEPER FXO]
└──RJ11 (FXS)──[failover handset near front desk]
• Pros: GK is hidden (ceiling space/locked panel). A thief can’t trivially find or yank it.
• Cons: requires a concealed RJ-11 run to the GK; slightly more install effort.
Ports & Paths (what plugs where)
• Voice path: PSTN → POTS Terminal (FXS) → Gatekeeper (FXO).
– Normal operation: GK answers first; if policy says “ring through,” GK bridges out its FXS to the house handsets.
– If the GK loses power, a fail-safe relay (closed when the GK is unpowered, held open while it runs) should hard-bypass FXO to FXS so a basic wall phone still has dial tone.
• Data path: Gatekeeper ↔ Router (Ethernet or Wi-Fi). Internet only for blob backup, time, and optional outbound email/SMS relays. All call control and scheduling are on-device.
Power & Resilience
• UPS sizing: give the POTS terminal and Gatekeeper at least 4–8 hours; router is optional on UPS if you only care about voice continuity.
• Ground rules for outages:
– Internet down: GK still answers via PSTN; confirms against the local calendar; queues any non-voice messages (SMS/email) for later send.
– Router down: if the router is also the Wi-Fi access point, a Wi-Fi-joined GK loses the LAN just like an Ethernet-only one; if a separate AP is up, the Wi-Fi-joined GK keeps its LAN. Either way it still handles PSTN calls and writes state locally; the admin UI and blob uploads wait until the path returns.
– Power out: if the UPS expires, the POTS terminal’s own battery should maintain basic dial tone to an emergency handset through the bypass relay; when the GK powers back it reconciles from its sealed log.
– POTS down (no loop current or dial tone on the FXO): the GK cannot answer at all, so it logs the fault, alerts the owner out-of-band (LTE/5G or internet, whichever is up), and reaches customers with pending bookings by SMS/email once internet is available. If the line is merely degraded (calls connect but audio is poor), it announces a graceful failure (“We’re experiencing line issues; may I text you from our business number?”) and follows up the same way.
Database, Keys, and the Backup Blob
• The database (customers, cadence, prices, staff, rules, schedule) is sealed with a device key tied to a hardware enclave/TPM.
• Off-site backup is one opaque blob re-uploaded on a schedule (e.g., every 5–15 minutes); that interval is the most you can lose on sledgehammer day. No transactional mirroring; no cloud-side indexing.
• Recovery ritual (the “sledgehammer day” plan):
– Buy a replacement GK (same model class).
– Authenticate the owner via out-of-band factors (hardware card + recovery phrase).
– Pull the latest blob; the device derives keys from phrase + card, and the blob must authenticate under them. A wrong phrase, a tampered blob, or a blob older than the last heartbeat is rejected outright; nothing is partially restored.
– Replay the sealed event log carried in the blob. Anything after the last backup (at most one backup interval) is not in the blob; reconcile it against the carrier’s call records, then resume normal service.
• Degraded “buffer agent”: if storage is momentarily unavailable (e.g., filesystem check), GK still answers calls, gathers intent, issues dated receipts, and later attaches each interaction to the restored schedule.
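The blob envelope and the recovery checks above (and the “blob is current” heartbeat in Operational Practices) in working form, as an added example; this is not code from the design or from any Gatekeeper product. Everything is hypothetical: the stdlib-only cipher (an HMAC-SHA256 counter keystream with encrypt-then-MAC, standing in for the AES-GCM or ChaCha20-Poly1305 a real device would use), the envelope layout, the constructed state, phrase and card secret. What it demonstrates is split-knowledge key derivation, fail-closed verification, and an authenticated sequence number that lets recovery reject a rolled-back blob.

```python
"""Hypothetical sealed backup blob for the Gatekeeper (added example, stdlib only).
Envelope: version(1) || seq(8) || kdf_salt(16) || nonce(16) || ciphertext || tag(32)."""
import hashlib
import hmac
import json
import os
import struct

BLOB_VERSION = 1
HEADER_LEN = 1 + 8 + 16 + 16      # version, seq, kdf salt, nonce
TAG_LEN = 32


def derive_keys(recovery_phrase: str, card_secret: bytes, salt: bytes):
    """Split knowledge: scrypt over the owner's phrase, salted with a per-blob salt
    and the hardware card's secret. Neither factor alone yields the keys.
    Returns (enc_key, mac_key); work factor is modest so the demo runs quickly."""
    okm = hashlib.scrypt(recovery_phrase.encode("utf-8"), salt=salt + card_secret,
                         n=2 ** 14, r=8, p=1, dklen=64)
    return okm[:32], okm[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter). A nonce must never repeat per key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_blob(state: dict, seq: int, recovery_phrase: str, card_secret: bytes) -> bytes:
    """Serialize device state into one opaque blob. seq is the monotonic backup counter
    that the out-of-band heartbeat records."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(recovery_phrase, card_secret, salt)
    plaintext = json.dumps(state, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = struct.pack(">BQ", BLOB_VERSION, seq) + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()   # header is authenticated too
    return header + ciphertext + tag


def open_blob(blob: bytes, recovery_phrase: str, card_secret: bytes, min_seq: int):
    """Recovery: authenticate first, then check freshness, then decrypt.
    min_seq is the last seq the owner's heartbeat recorded, never a value the
    storage provider supplies. Any failure raises; nothing is returned partially."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    version, seq = struct.unpack(">BQ", header[:9])
    salt, nonce = header[9:25], header[25:41]
    if version != BLOB_VERSION:
        raise ValueError("unsupported blob version")
    enc_key, mac_key = derive_keys(recovery_phrase, card_secret, salt)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong factors or tampered blob")
    if seq < min_seq:
        raise ValueError(f"stale blob: seq {seq} < last heartbeat seq {min_seq} (rollback?)")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return seq, json.loads(plaintext.decode("utf-8"))


def _rejects(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def rehearse_recovery() -> dict:
    """Sledgehammer-day drill on constructed data: one good restore plus the
    failure modes recovery must refuse."""
    state = {"customers": [{"id": 7, "name": "A. Example"}],          # constructed sample state
             "schedule": [{"slot": "2028-05-03T09:00", "customer": 7}]}
    phrase, card = "correct horse battery staple", bytes(range(32))    # constructed factors
    blob = seal_blob(state, 42, phrase, card)
    seq, restored = open_blob(blob, phrase, card, min_seq=42)
    tampered = bytearray(blob)
    tampered[HEADER_LEN + 3] ^= 0x01                                    # flip one ciphertext bit
    return {
        "restored_ok": seq == 42 and restored == state,
        "tamper_rejected": _rejects(lambda: open_blob(bytes(tampered), phrase, card, 42)),
        "wrong_phrase_rejected": _rejects(lambda: open_blob(blob, "wrong phrase", card, 42)),
        "wrong_card_rejected": _rejects(lambda: open_blob(blob, phrase, b"\x00" * 32, 42)),
        "rollback_rejected": _rejects(lambda: open_blob(blob, phrase, card, min_seq=43)),
    }


if __name__ == "__main__":
    print(rehearse_recovery())
```

The order inside open_blob is deliberate: the tag is checked before the sequence number or any decryption, so a provider who substitutes an old blob learns nothing from the error path except that the blob was refused, and the recovery phrase is never used to decrypt unauthenticated bytes.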
Policy & Telephony Details (small but important)
• FXO/FXS vocabulary: FXO = Foreign Exchange Office (it listens for dial tone, like a phone does); FXS = Foreign Exchange Station (it provides dial tone, like the telco does). The POTS box is FXS; the GK must have FXO to consume it.
• Ring-through logic: VIPs, emergency services, or policy flags can immediately bridge to human extensions while GK keeps the transcript and updates the calendar in the background.
• Caller ID hygiene: GK must preserve and present upstream CNAM/ANI; never re-originate calls from a pooled cloud trunk—that’s how trust erodes.
• DTMF and IVR: keep it human-first. The GK should answer with natural voice; only fall back to DTMF menus on poor-audio or high-noise detection.
Operational Practices (what owners and installers actually do)
• Label ports, not the box. Physical ports inside the closet are labeled, but the GK chassis is unmarked; documentation is digital, behind owner auth.
• Split knowledge: only the owner knows the GK’s location; the service pro knows cabling and VLANs but not the recovery phrase.
• Health pings: daily local self-test (go off-hook on the FXO, confirm dial tone, release) logged on device; weekly out-of-band heartbeat that records the latest blob’s sequence number so the owner can prove the backup is current and spot a rolled-back blob at recovery time.
• UPS drills: quarterly power-pull test; verify GK continues to answer and that the POTS handset still receives a bypass dial tone if GK is hard-off.
• Merchant fallback: if you still run a legacy dial-backup card terminal, home it to the POTS terminal’s second FXS port; do not share through the GK.
Bill of Materials (abstracted)
• 1× Modem/ONT compatible with ISP.
• 1× Router with VLANs, WPA3, and at least one hidden SSID (hiding the SSID only reduces casual discovery; the GK still shows up in probe traffic, so WPA3 and VLAN isolation are the actual controls).
• 1× POTS Voice Terminal (FXS handoff) with battery pack.
• 1× Gatekeeper appliance with: FXO+FXS, Wi-Fi + Ethernet, secure enclave, UPS-friendly power draw, optional LTE/5G.
• 1× UPS sized for GK + POTS for multi-hour survivability.
• Cabling: RJ-11 (voice), Cat-6 (data), short concealed RJ-11 run to the GK in stealth installs.
Why this pattern wins (and sticks)
• Physical custody clarifies data custody. The thing that owns the schedule also owns the conversation and the log.
• Survivability is native. Voice autonomy does not depend on WAN health.
• Recovery is procedural, not heroic. “New box + blob + phrase” is a same-day event.
• Service economy re-localizes. Every town quietly gets its “gatekeeper pro,” just like the “computer guy” era—because there’s a box, wiring, and a routine.
What not to do (hard rules)
• No live mirroring of transactional state to a multi-tenant cloud. Backups only, as a sealed blob.
• No cloud-side “helpful suggestions” that route demand to competitors when slots are full. The GK is your agent, not a marketplace front-end.
• No single point of knowledge: never store the recovery phrase on-device; never give the installer owner-level auth.
