Gatekeeping · Recovery
Great—let’s lock the recovery architecture
The business landline stays the authority, but if the “back-wall” gets sledgehammered (or drenched), calls auto-route to the right mobiles, and personal gatekeepers run a buffer agent—without ever duplicating the business database.
Gatekeeping Hardware (steady-state)
- Modem/ONT → Router → (hidden) Gatekeeper box
- Separate POTS/FXS voice terminal for the analog business line
- Handsets as needed (or none; GK can be first-touch)
We’ll treat voice survivability and recovery as a network-level function (carrier control-plane), not an on-prem “keep dial tone alive” function. That keeps the model simple and resilient.
Sledgehammer Mode: Design Principles
- The business number never moves.
  It remains a telco-hosted landline (POTS/FXS or equivalent). All resilience comes from pre-authorized forwarding at the carrier, not from mirroring state to a cloud PBX and not from keeping an on-prem line alive.
- Routing is a software switchover at the carrier.
  When the GK/voice box is gone or unreachable, the carrier forwards inbound calls to a ranked list of mobiles (owner → manager → front desk, etc.). Outbound from mobiles still presents the business caller ID.
- Personal gatekeepers run a buffer agent only.
  They collect intent, issue receipts, and promise confirm-backs. No customer database, schedule, or prices are synced to phones; only a thin recovery playbook (non-sensitive policy text) is pre-positioned.
- Recovery is hours, not days.
  A new GK is plugged in, the encrypted blob is restored, the buffer queue is ingested, and the carrier is switched back to normal routing.
Carrier Routing: What to Pre-Provision (before anything breaks)
On the business landline account (the number your customers dial):
- CFNA/CFB policy:
- Call Forward No Answer after N rings → Mobile Group (ordered list).
- Call Forward Busy → same Mobile Group.
- Remote Access to Call Forwarding (RACF) with PIN:
  - Lets any authorized person flip the number to “Forward All” from any phone via DTMF code if the line is physically severed.
  - Treat the PIN as a credential that redirects every inbound call: whoever holds it can hijack the business number. Use the longest PIN the carrier allows, give it only to the people on the mobile list, rotate it when staff change, and turn on whatever change notification the carrier offers for forwarding edits.
- Disaster Redirect / Line-Down Policy (many carriers offer this):
  - If the serving switch sees sustained ring-no-answer (and, where it can detect one, a loop fault) for X minutes, auto-flip to Mobile Group. Feature names and trigger conditions vary by carrier, so confirm in writing what yours actually keys on and how long X is.
- Business Caller ID attestation for mobiles:
  - Pre-register specific mobiles (owner, manager, accountant) to place outbound calls that present the business number with STIR/SHAKEN attestation. This avoids “I’m calling you back from my cell” confusion and spam labeling.
  - Caveat: full (A-level) attestation is only signed by a carrier that has verified the caller’s right to use that number, so the mobiles’ carrier must have the business number on record as authorized for those lines. A caller ID the user sets themselves gets a weaker attestation level, and the spam labeling returns. Ask the carrier how it will attest those calls before relying on this.
- Hunt/Rollover behavior:
  - Ordered list with time windows (e.g., owner 7a–3p, manager 3p–10p, overflow to front desk, then to a last-resort voicemail on the owner’s device, not in a third-party cloud). Note that standard mobile voicemail is stored at the mobile carrier; if the last-resort mailbox must stay on the device, it has to be an on-device answering app.
This uses the carrier’s signaling only: no recordings, no transcripts, no analytics at the carrier. The one carrier-side trace is the call detail record (calling number, time, where the call was routed), which exists for every call regardless of this design; nothing about customers or intent is stored there, so it stays inside your “no cloud state” rule.
Personal Gatekeepers: The Buffer Agent
Each authorized mobile runs its personal GK. In recovery:
What it has
- The Recovery Playbook (thin): hours, generic service catalog, rescheduling policy text, deposit/cancellation rules, VIP rules, and a templated promise:
  “We’re in recovery mode today. I’ll capture your request and confirm your exact time once our scheduling system is back up. You’ll get a timestamped receipt now.”
- A local, encrypted buffer queue for tickets (on the phone): caller number, time, free-text intent, requested window, staff/room preference, and a priority tag.
What it never has
- Customer graph, cadence history, prices by customer, the calendar, staff private data. None of that leaves the GK box or the blob.
Receipts
- SMS or email receipts are issued from the business identity (pre-authorized sender) with a recovery ticket ID.
- Language is careful: “pending confirm.”
Conflict handling while blind
- The buffer agent offers time windows (“between 2 and 4 pm with Ana”) rather than hard slots.
- If a hard commitment is demanded (e.g., medical), the script defers: “We’ll confirm the exact time as soon as systems are restored; you’ll have priority.”
When the GK is restored, it pulls each phone’s encrypted buffer via owner auth, verifies the buffer’s integrity, matches callers to the real customer graph, and resolves windows into confirmed slots. A phone purges its buffer only after the GK acknowledges that exact export as ingested; anything captured after the export stays queued for the next pull.
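The buffer agent’s capture, receipt, export and purge logic, as an added example that is not part of the original design: it enforces the rules above (windows rather than slots, “pending confirm” wording, callback-window-only capture for legal/PHI calls, purge only after the GK acknowledges an exact export). The ticket ID format, the per-device export key, the receipt wording and the priority order are assumptions; encryption at rest is left to the phone keystore and is not shown.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

PRIORITIES = ("vip", "urgent", "routine")   # ingest order, most urgent first (assumption)
WITHHELD = "[withheld: callback only]"       # replaces intent on legal/PHI calls


@dataclass
class Ticket:
    ticket_id: str
    captured_at: int     # unix time; the timestamp printed on the receipt
    caller: str          # caller number as delivered by the carrier
    window: str          # range offered, never a hard slot, e.g. "14:00-16:00"
    priority: str
    intent: str
    staff_pref: str = ""
    sensitive: bool = False


class BufferQueue:
    """Per-phone recovery buffer. Encryption at rest is left to the phone's
    keystore (assumption); this class controls what is stored and when it is purged."""

    def __init__(self, device_id: str, export_key: bytes, clock=time.time):
        self.device_id = device_id
        self.export_key = export_key   # per-device key provisioned at install (assumption)
        self.clock = clock
        self.tickets: List[Ticket] = []
        self._seq = 0
        self._pending: Optional[Tuple[str, int]] = None   # (export tag, tickets exported)

    def capture(self, caller: str, intent: str, window: str, priority: str = "routine",
                staff_pref: str = "", sensitive: bool = False) -> Ticket:
        if priority not in PRIORITIES:
            raise ValueError(f"unknown priority {priority!r}")
        if sensitive:                  # "do not summarize": keep only the callback window
            intent, staff_pref = WITHHELD, ""
        self._seq += 1
        t = Ticket(f"REC-{self.device_id}-{self._seq:04d}", int(self.clock()),
                   caller, window, priority, intent, staff_pref, sensitive)
        self.tickets.append(t)
        return t

    @staticmethod
    def receipt(t: Ticket) -> str:
        """Receipt sent from the business identity; always 'pending confirm'."""
        when = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(t.captured_at))
        who = f" with {t.staff_pref}" if t.staff_pref else ""
        return (f"Recovery ticket {t.ticket_id} captured {when}. We are holding {t.window}{who} "
                f"as pending confirm; your exact time follows once scheduling is restored.")

    def export(self) -> dict:
        """Package the buffer for the restored GK with an integrity tag over the contents."""
        body = json.dumps([asdict(t) for t in self.tickets], sort_keys=True)
        tag = hmac.new(self.export_key, body.encode(), hashlib.sha256).hexdigest()
        self._pending = (tag, len(self.tickets))
        return {"device": self.device_id, "tickets": body, "tag": tag}

    def purge(self, ack_tag: str) -> bool:
        """Drop only the tickets the GK acknowledged, and only for a matching export tag."""
        if self._pending is None or not hmac.compare_digest(ack_tag, self._pending[0]):
            return False               # no matching acknowledgement: keep everything
        del self.tickets[: self._pending[1]]   # calls captured after the export stay queued
        self._pending = None
        return True


def verify_package(export_key: bytes, package: dict) -> bool:
    """GK side: does the tag match the ticket payload?"""
    expected = hmac.new(export_key, package["tickets"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, package["tag"])


def gk_ingest(export_key: bytes, package: dict) -> Tuple[List[dict], str]:
    """Restored GK side: verify, order tickets for matching against the real customer
    graph, and return the ack tag the phone needs before it purges."""
    if not verify_package(export_key, package):
        raise ValueError("buffer tag mismatch: refusing to ingest")
    tickets = json.loads(package["tickets"])
    tickets.sort(key=lambda t: (PRIORITIES.index(t["priority"]), t["captured_at"]))
    return tickets, package["tag"]


if __name__ == "__main__":
    # Constructed sample: one owner phone, fixed clock, two calls during recovery.
    key = b"per-device-export-key"
    q = BufferQueue("owner", key, clock=lambda: 1_700_000_000)
    q.capture("+15550100", "reschedule Thursday", "14:00-16:00", staff_pref="Ana")
    q.capture("+15550199", "wants lab results discussed", "tomorrow am", "urgent", sensitive=True)
    for t in q.tickets:
        print(BufferQueue.receipt(t))
    ordered, ack = gk_ingest(key, q.export())
    print([t["ticket_id"] for t in ordered], q.purge(ack))
```

The purge rule is the part worth copying: the phone remembers how many tickets went into the export and deletes only those, so a call that arrives while the owner is still restoring the GK is never lost to the purge.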
Failover Flow (what actually happens)
Inbound call → Carrier sees normal state → rings business line
↳ If GK alive: GK answers first-touch as usual
↳ If ring-no-answer or line-down:
Carrier forwards to Mobile Group (owner → manager → front desk)
Mobile personal GK answers:
1) Identifies as the business
2) Explains recovery mode
3) Captures intent into local encrypted buffer
4) Issues receipt (business caller ID / business SMS)
5) Sets priority (VIP, urgent, routine)
Outbound during recovery:
- Authorized mobiles place calls/SMS that present the business identity (pre-provisioned at the carrier).
- The personal GK never queries the business DB; it uses scripts + common sense + priority.
Thin Recovery Playbook (what is allowed to live on phones)
- Hours by day; closure rules.
- Generic service types and standard durations (no customer-specific prices).
- Staff names and skills (public-facing only).
- Cancellation/deposit policy text.
- VIP list by alias only (e.g., “Mayor’s office,” “Hospital triage line”), not phonebook.
- Triage sentences: late arrival, outage apology, escalation phrases.
- “Windowing” logic (offer ranges, not slots) and deferral script.
This is text, versioned and signed by the GK, synced to mobiles whenever policies change. A mobile accepts a playbook only if the signature verifies and the version is newer than the one it holds, so a stale or tampered copy can’t be pushed back onto a phone. No private history.
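What “versioned and signed” should mean on the phone, as an added example that is not code from the original: the GK tags the canonical playbook together with its version; the phone refuses a bad tag, an older version, any top-level field outside the thin-playbook allowlist, and any phone-number-like value (a VIP list by alias must not smuggle in a phonebook). HMAC-SHA256 under a per-device key provisioned at install stands in for the GK’s asymmetric signature so the example needs only the Python standard library; the field names, the sample playbook and the digit-run heuristic are assumptions.

```python
import hashlib
import hmac
import json
import re

# Top-level fields the thin playbook may carry on a phone (assumed names). Anything
# else (customer graph, calendar, per-customer prices) is refused before storage.
ALLOWED_KEYS = {"version", "hours", "services", "staff", "policies", "vip_aliases", "scripts"}

# Heuristic: seven or more digits separated only by spaces, hyphens, dots or
# parentheses look like a phone number, which a VIP-by-alias list must not carry.
_PHONE_LIKE = re.compile(r"(?:\d[ \-().]*){7,}")


def _canonical(playbook: dict) -> bytes:
    """Deterministic encoding so the GK and the phone hash identical bytes."""
    return json.dumps(playbook, sort_keys=True, separators=(",", ":")).encode()


def _strings(obj):
    """Yield every string (keys included) inside a nested dict/list structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield k
            yield from _strings(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _strings(v)


def sign_playbook(key: bytes, playbook: dict) -> dict:
    """GK side: attach a tag over the canonical playbook, version included.
    HMAC-SHA256 under a per-device key stands in for the GK's asymmetric
    signature (assumption made to keep the example stdlib-only)."""
    if not isinstance(playbook.get("version"), int):
        raise ValueError("playbook needs an integer version")
    tag = hmac.new(key, _canonical(playbook), hashlib.sha256).hexdigest()
    return {"playbook": playbook, "tag": tag}


def accept_playbook(key: bytes, signed: dict, current_version: int) -> dict:
    """Phone side: verify the tag, refuse rollback, refuse private data.
    Raises ValueError with the reason; returns the playbook to store."""
    playbook = signed["playbook"]
    expected = hmac.new(key, _canonical(playbook), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("tag mismatch: not from the GK or modified in transit")
    if playbook["version"] <= current_version:
        raise ValueError(f"rollback refused: holding v{current_version}, offered v{playbook['version']}")
    extra = set(playbook) - ALLOWED_KEYS
    if extra:
        raise ValueError(f"fields not allowed on a phone: {sorted(extra)}")
    for s in _strings(playbook):
        if _PHONE_LIKE.search(s):
            raise ValueError(f"phone-number-like value in playbook: {s!r}")
    return playbook


def try_accept(key: bytes, signed: dict, current_version: int) -> str:
    """Convenience for drills: 'ok' or the refusal reason."""
    try:
        accept_playbook(key, signed, current_version)
        return "ok"
    except ValueError as e:
        return str(e)


# Constructed sample playbook and device key; real values live in the GK and the phone keystore.
DEVICE_KEY = b"per-device-key-provisioned-at-install"
SAMPLE_PLAYBOOK = {
    "version": 3,
    "hours": {"mon-fri": "07:00-22:00", "sat": "09:00-17:00", "sun": "closed"},
    "services": {"consult": 30, "standard": 60, "extended": 90},  # standard durations, minutes
    "staff": {"Ana": ["consult", "standard"], "Raj": ["standard", "extended"]},
    "policies": {"deposit": "10% at booking, refundable up to 24h ahead"},
    "vip_aliases": ["Mayor's office", "Hospital triage line"],
    "scripts": {"deferral": "We'll confirm the exact time as soon as systems are restored; you'll have priority."},
}

if __name__ == "__main__":
    signed = sign_playbook(DEVICE_KEY, SAMPLE_PLAYBOOK)
    print(try_accept(DEVICE_KEY, signed, current_version=2))
```

The content checks run after the tag check on purpose: a valid tag proves the GK sent it, but the phone still refuses to hold anything the thin-playbook rule forbids, so a mistake on the GK side cannot widen what lives on a phone.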
Owner Runbook (two cards you print)
A. “It’s broken” (60 seconds from anywhere)
- Dial the carrier’s RACF code → enter business number → enter PIN → set Forward All to your first mobile.
- Text “RECOVERY ON” to the team thread (signals personal GKs to use the recovery script). Personal GKs should act on it only when it comes from the owner’s registered number; otherwise anyone who can post to the thread can flip the team into recovery mode.
- Put the UPS switch to OFF (if safe) to avoid half-alive gear confusing the line state.
B. “Bring it back” (under 2–4 hours)
- Install spare Gatekeeper, power, and voice leads (or fetch new).
- Owner unlocks: hardware token + recovery phrase → fetches blob → verifies integrity (an authenticated tag or signature over the blob, not a bare checksum) → restores DB.
- Ingest phone buffers (owner approves each device).
- Carrier: unset Forward All; restore normal CFNA/CFB policies.
- Team text “RECOVERY OFF.” GK sends confirmations to all pending tickets.
Why this fits your constraints
- No duplication of the DB: phones hold only tickets + scripts; everything real is in the blob and comes back with the box.
- Autonomy continues: your agents keep answering and promising next actions; humans don’t have to improvise.
- Business identity preserved: inbound and outbound keep the same number and caller reputation.
- Hours, not days: carrier flip is instant; full restore is hardware swap + blob—procedural, not heroic.
Edge Cases & Guardrails
- One mobile off? The carrier hunts to the next. Personal GKs share only the “RECOVERY ON/OFF” state and the thin playbook—nothing else.
- POTS outage across the neighborhood? RACF to mobiles still works, because the forwarding lives on the switch that hosts the number, not on the copper loop; a central-office outage is the case it does not cover. Outbound to customers uses business identity from authorized mobiles.
- Customer demands a hard time? Script: “We’re honoring your window; you’ll receive a precise time with a confirmation number as soon as our scheduler is restored (today).”
- Legal/PHI calls: personal GK flags “do not summarize”; capture only the callback window (no free-text intent, no staff preference); defer details to the restored GK.
- The mobile list is now the attack surface. During recovery the business number terminates wherever those mobiles do, so a SIM swap or unauthorized port-out on the owner’s phone redirects every inbound call. Put port-out/account PINs on each listed mobile and keep the list short.
Minimal Pre-Install Checklist (do this once)
- Carrier features enabled: CFNA/CFB, RACF+PIN, disaster redirect, business caller-ID attestation for the mobile list; port-out/account PINs set on every mobile in that list.
- Personal GKs installed on the approved mobiles; thin playbook synced and signed.
- Spare GK on site in a sealed box; owner holds recovery phrase separate from installer docs.
- Quarterly drill: flip to Forward All for five minutes; take one live call; restore; ingest a test ticket; purge phone buffers.
If you’d like, I can turn this into a single-page Recovery Sheet (operator-facing) plus a laminated RACF quick code card with the exact sequences and a one-paragraph customer script.
