YBA Edge Foothold — Master Scoping Document

The complete internal product, pricing, marketing, infrastructure, LLM-cost, and customer-success scope for the YBA Edge Foothold tier. This is the single source of truth Captain works from.

5-specialist synthesis. Compiled by Niki, 2026-05-07.

Executive Summary

YBA Edge Foothold is the entry-tier AI concierge product in the YBA Edge ladder, priced at R2,400/mo + R3,500 once-off onboarding. Each customer gets a dedicated 3-container pod on the existing Hostinger VPS — n8n + brain (FastAPI + Anthropic SDK + markdown vault) + Telegram bot — at a per-tenant cost of ~R200/mo to operate. Capacity ceiling on current hardware: 25–30 paying tenants before sharding.

Unit economics: R2,400 revenue – R200 COGS – ~R80 support = R2,120/mo gross margin per customer (_{88%). At 30 customers (full single-VPS capacity), MRR is R72,000 with R63,000 net before sales/marketing —} R756k/year from one VPS. With realistic tier-mix uplift (50/20/15/15 across the four tiers): ~R1.12M/year.

First customer locked: Eastern Cape aquaponic farm owner. Onboarded as Foothold customer #1 in pilot/equity-adjusted terms.

The decisions Captain has to make this week (~25 specific items below) unblock the entire product launch.

Architecture lock (added 2026-05-07): LLM access is API per-tenant with prompt caching + scope cap — TOS-clean, ~R178/tenant/mo, drifts to ~R130 after optimisations. Captain’s “Max 20× per server” instinct on cost-predictability is structurally elegant but TOS-fatal — the 3-stage roadmap (API → volume API at #25 → Enterprise at #50) lands the same economics legitimately. Customer access architecture: Telegram bot (per tenant) + WhatsApp Business + email + scheduled Zoom — no web dashboard at Foothold tier. Brain follows the “always quiet by default” rule.

Vertical #2 — Dental Specialist Practices (added 2026-05-07): Foothold architecture extends to dental specialist practices at a custom Practice tier (R8,000/mo + R12,000 onboarding). 5-specialist research on Matrix Dental Specialist (Cape Town) confirms: same per-tenant pod + markdown vault + Anthropic + n8n + WhatsApp/Telegram pattern works. Dental adds vertical-specific code (PMS integration, scheme rules engine, voice dictation, quote-approval bot) — not architectural change. Anthropic + n8n + markdown vault wins over ChatGPT and OpenClaw. OpenClaw stays parallel track (YBAFlow build-layer, not dental product). First dental tenant live in 30-45 engineer-days from Captain’s go. Cost ceiling per practice tenant: R1,500/mo all-in (LLM + Whisper + infra) at 85 %+ gross margin. Full case study: dental-case-study.html.

1. LLM Access Strategy

Captain’s “Max 20× per server” idea analysed + the legitimate path that delivers the same economics.

1.1 Captain’s Hypothesis (his words)

“Why not run one Anthropic Max 20× plan ($200/mo ≈ R3,800) per server, cap each server to 20 customers, and start the next server when full? Costs stay fixed per server-tenant batch, customers don’t get capped. The cap isn’t request count — it’s scope: is this question within your business interest?”

The instinct underneath is correct: make Claude cost a fixed, predictable amount per server cohort so margins don’t drift, and replace usage-metering with scope-metering so customers feel unlimited.

1.2 Verdict — Honest TOS Analysis

No, do not run Max 20× as a backend for paying tenants. Structurally elegant, legally indefensible, commercially fatal at the moment Anthropic notices.

Why it fails:

• Max plans are licensed to a single seat — a human, not a server. Anthropic’s Consumer Terms (governing Pro and Max) explicitly bind the subscription to one identified user. Running Claude Code as a backend for 20 paying customers = sublicensing without a sublicense right = breach of contract on day one.
• Claude Code via Max isn’t an API. It’s a CLI tool tuned for one developer’s workflow. Routing 20 tenants through it requires either (a) impersonating a single user across all tenants — clear abuse, or (b) automating Claude Code in fragile ways the tool wasn’t designed for.
• Anthropic’s abuse team will notice. A residential or VPS IP making sustained, programmatic, multi-context Claude Code requests at Max-plan rates is the pattern they look for. They protect this aggressively because it cannibalises API + Enterprise revenue.
• The revocation risk kills you, not the TOS itself. Anthropic can suspend with no notice, no refund, no appeal. With 20 paying tenants on the server, you have ~24 hours of furious customers, no Plan B, and reputational damage in a market where word travels fast.

A business that can be ended by one email from Anthropic Trust & Safety is not a business — it’s a bet.

1.3 Anthropic Plan Landscape

The single dividing line: API and Enterprise are the only two channels Anthropic has built and licensed for reselling Claude inside your software.

1.4 The 3-Stage Roadmap — Same Economics, Legitimately

Stage 1 — Now to ~25 customers: API per-tenant + caching + scope cap

Trigger: today. EC farm goes live next week. Architecture: each tenant brain authenticates with API key (per-tenant or shared org-level). Economics: - Baseline: ~$9.45/tenant/mo (R178), drifting to ~$6-7/mo (R114-130) after caching + scope cap - Per-tenant margin at R2,400 MRR: ~94 %

Per-server math at 20 tenants (after the trifecta below): - LLM spend: ~$140/mo (R2,650) - Server: R1,299 - Total fixed-ish per-server cost: R3,949 (R1,150 cheaper than the Max 20× hypothesis) - Revenue: R48,000 - Margin: ~92 %

Functionally identical to the Max 20× idea — TOS-clean, future-proof, scales into Stage 3 naturally.

Stage 2 — Customer #25: open conversation with Anthropic

Trigger: customer #25 onboarded, ~3 months of revenue history, ~$300-450/mo Anthropic spend. Niki drafts: an email to sales@anthropic.com with tenant count, MRR, monthly spend trajectory, growth forecast. Ask for: (a) negotiated volume API discount (10-30 % typical), (b) Team plan structure for internal YBA staff (legitimate), (c) early Enterprise sandbox / design-partner programs. Cost impact: 20 % discount → per-tenant cost drops $6.50 → $5.20. Small in absolute terms, but earns a dedicated account contact and sets up Stage 3.

Stage 3 — Customer #50: Anthropic Enterprise

Trigger: customer #50, MRR R120k+ (~$6,500), unoptimised Anthropic spend ~$400-500/mo. Why Enterprise: typical floor $20-50k/year ($1,667-4,167/mo). At 50 customers you’re already approaching the lower floor on pure usage. What it unlocks: - Volume discount of 50-70 % off list pricing — net per-tenant cost drops from $6 → $3-4 - Dedicated capacity guarantees — no rate-limit surprises - BYOK options for tenants who require it - SLA + dedicated support — named account manager, named SE - Custom features / early access — pre-release windows - Flat-rate commit with rollover — functionally identical to the Max 20×/server model, but built for this

This is where Captain’s “fixed cost per cohort” instinct gets fully realised — legitimately. Per-tenant cost lands at $3-4/mo. At 50 tenants ~$175-200/mo total LLM spend on R240k MRR = 97-98 % margin on the AI layer.

1.5 Captain’s Scope-Based Cap — How to Actually Implement It

The instinct is correct: don’t meter by request count, meter by relevance. A customer who asks 200 in-scope questions is generating value. A customer who asks 50 out-of-scope questions (homework, side projects, generic ChatGPT chat) is a cost leak with no upside.

Default scope-cap paragraph (per-tenant CLAUDE.md)

“You exist to serve [Customer Co.] in the running of their [industry] business. You answer questions, draft documents, run workflows, and coordinate operations within that scope. You decline politely when asked about things outside it — personal homework, unrelated side projects, hobbies, general-knowledge chat — and steer the user back to their business. When unsure, ask: ‘Is this part of running [Customer Co.]?’ If the user answers no, decline warmly and offer to help with something business-related instead.”

Customisation per tenant (Day 0 discovery)

Capture during onboarding: 1. Business name + industry — slots into the template 2. Top 5 in-scope work types — explicit “yes” examples 3. Common edge cases — for the EC farm: “weather questions are in-scope (affects fish), generic gardening tips for home use are out-of-scope” 4. Owner-vs-staff scope split — owners often have wider scope than staff

Two-layer enforcement in brain code

1. System prompt (free): the scope paragraph above. Model self-polices in 95 %+ of cases. No API call wasted because the model declines inline.
2. Pre-flight scope check (cheap): for tenants flagged as drift-prone, an initial Haiku call (~$0.0001) classifies in-scope / out-of-scope / ambiguous before the main call runs. Out-of-scope → templated polite decline. Ambiguous → clarifying question. In-scope → proceeds.

Edge cases

• Single off-topic question: politely declined inline, no escalation. One freebie — they’re testing the boundary.
• Persistent off-topic (3+ in a session): brain logs it, pings FM channel: “User is repeatedly asking out-of-scope. Please clarify scope expectations.”
• Owner expanding scope: if owner says “from now on, also help me with X” and X is meaningful (legal, financial advice), brain confirms with FM/Captain via Ops Center before scope widens.

1.6 Cost Predictability — The Trifecta

How to engineer Captain’s “fixed cost per server” outcome legitimately:

Combined: average tenant cost drifts from $9.45 → ~$6-7/mo. 25-30 % margin uplift on the AI layer.

1.7 Final Recommendation (4 lines)

• Now: API per-tenant with caching + scope cap + soft cap. R178/tenant/mo, dropping to ~R130.
• At customer #25: email Anthropic Sales for volume API or Team negotiation. Lock 10-30 % off.
• At customer #50: sign Anthropic Enterprise contract for fixed-cost certainty + dedicated capacity. Per-tenant cost lands $3-4/mo.
• Don’t: run Max 20× as a backend for paying tenants. TOS-grey, single revocation kills the business — and the legitimate path delivers the same economics anyway.

2. Customer Access + Agent Feedback Architecture

How customers reach their agent and how the agent talks back.

2.1 Customer Access Architecture

The brain is reached through the channels SA SME owner-operators already live in. We do not invent new software for them to learn.

Why this shape works in SA: - WhatsApp is non-negotiable. It’s where SA SME trust + habit live. Customers, suppliers, staff, family — all on WhatsApp. - Telegram covers the tech-curious tier. Bot UX is cleaner, voice notes work natively, file handling is better. - Email is the laptop channel. Long-form digests, files, anything stakeholder-shareable. - Web only when necessary. OAuth needs a browser. Multi-seat governance needs a screen. Everything else stays in the messaging app.

2.2 The Three Modes of Interaction

Every interaction with the brain is one of three modes:

Mode 1 — Push (the brain initiates)

• Customer sees: Telegram message at 09:00, Friday email, alert when a rule triggers
• Customer does: Reads. Optionally replies, taps an action button, forwards
• Brain does: Watched the inbox / calendar / logs overnight, composes the brief, delivers
• EC farm example: 09:00 Monday — “Heat pump parts arriving today, Right Air confirmed 11:00. Hatchery temp run overdue from Friday — please log when done. No new urgent emails.”

Mode 2 — Pull (customer asks)

• Customer sees: Question echoed and answered in same chat
• Customer does: Types or sends a voice note: “Log: 3 mortalities in nursery tank 2” / “What did I commit to with Sipho yesterday?” / “Draft a reply to that supplier”
• Brain does: Resolves against tenant brain — logs entry, retrieves memory, drafts message. Replies in same channel
• EC farm example: Hatchery supervisor sends voice note “Stocked tank 4, two thousand fingerlings, water at twenty-six point two.” Brain transcribes, logs, confirms: “Logged: tank 4, 2,000 fingerlings stocked, 26.2 °C. Daily total in tank 4 is now 2,000.”

Mode 3 — Workflow (background, no UI)

• Customer sees: Nothing during run. Sees result in next push (brief, alert, digest)
• Customer does: Nothing. Set up once during onboarding, runs forever
• Brain does: Triages email continuously, logs WhatsApp threads to right project, summarises calendar events, watches for trigger conditions
• EC farm example: Supplier email lands at 14:30. Brain reads it, classifies as quote — needs reply by Friday, files under “Suppliers / Right Air”, adds line to tomorrow’s brief: “Right Air sent revised quote — needs your call by Friday.” Customer never saw the raw email.

2.3 Per-Tenant Telegram Bot Setup

One bot per tenant. No shared YBA bot.

• Bot creation: during provisioning, Niki creates the bot via BotFather (Telegram’s official bot-creation system). 60 seconds.
• Bot name format: @{CompanyName}BrainBot — for the EC farm: @ECAquaponicBrainBot
• Bot token: stored in tenant’s /srv/tenants/{slug}/.env. Never shared, never leaves the pod
• First-time pairing: owner + each staff member messages the bot once with /start. Bot greets by name (from onboarding form), confirms identity, registers Telegram chat ID
• No forced group chats. Every staff member gets a 1:1 thread
• Optional shared “Operations” group (Tier 2+): single group chat where bot posts the team-wide brief. Off by default

Why per-tenant matters: branding (bot is the customer’s brand), trust (their bot, not a shared bot), privacy (each tenant’s data stays in its own pod), scale (Telegram rate-limits per bot — each tenant gets their own ceiling).

2.4 WhatsApp Business Architecture

• Channel: WhatsApp Business API (Meta’s official commercial channel via BSP — Business Solution Provider)
• Number: customer’s existing WhatsApp Business number stays theirs; we connect via Meta’s BSP relationship
• Same agent, second door. A message to WhatsApp routes to the same brain as a message to Telegram. Customer can fluidly switch channels mid-conversation; brain keeps state
• Onboarding implication: WhatsApp Business connection is one of the 4 OAuth flows on Day 2-3 of onboarding
• Cost: ~R0.50-R1.50 per outbound message via BSP. Typical Foothold tenant: 5-10 outbound WhatsApp/day. Inbound free. Negligible at this volume — built into R2,400 fee

2.5 Email — What Belongs Here

Email is the laptop channel. For things you read on a screen, not on a phone walking between hatchery tanks.

Email never does: real-time alerts (Telegram is faster + felt sooner), casual replies (Telegram/WhatsApp own that), quick questions (nobody reaches for Gmail to ask their assistant a question).

2.6 Five Agent Feedback Patterns

Every outbound message from the brain fits one of these five patterns.

Pattern 1 — Scheduled Push (the daily brief)

• Trigger: 09:00 SAST every workday
• Format: Telegram message, markdown, max 200 words. Mirror to email
• EC farm owner example: “Good morning, Captain. Today: Right Air heat pump parts arriving 11:00. Sipho promised lease quote follow-up by EOD — still open from yesterday. Tomorrow’s water-quality readings due. One supplier email needs a draft reply — I’ve prepared it, reply ‘send’ to send.”

Pattern 2 — Real-Time Alert (event-driven)

• Trigger: tenant-specific rule fires (mortality threshold, flagged-sender email, calendar event in 30 min, etc.)
• Format: Telegram message ~30 words + 1-tap action buttons: Acknowledged / Remind in 1 hr / More info
• EC farm example: “Alert 09:42 — flagged email from SARS, subject ‘PAYE filing reminder’. Want me to draft a reply?” with buttons

Pattern 3 — Conversational Reply (pull)

• Trigger: customer messages the brain
• Latency target: <10 sec for Haiku, <30 sec for Sonnet escalation
• Format: matches input — text in, text out; voice note in, text-or-voice-note out (customer-configurable)

Pattern 4 — Weekly Digest (Friday 16:00)

• Format: Email (markdown body, stats table + bullet lists) + same content posted to Telegram for phone-readers. 600-1,000 words
• Contents: what happened this week, what slipped, who was busy, who wasn’t, what’s coming next week

Pattern 5 — Quarterly Review (90-day cadence)

• Format: 30-min Zoom call. Captain, customer, optional key staff
• Pre-read: brain auto-generates a 90-day review document (usage stats, key wins, missed opportunities, suggested workflow for next quarter). Customer receives 2 days before call

2.7 The Two Foundational Promises

“Always Quiet by Default”

“The brain stays quiet unless it’s the daily brief, a real-time alert, or you’ve asked it something. We never spam. We never ping you with ‘helpful suggestions.’ If we’re not adding value, we’re not in your phone.”

Why it matters: SA SMEs are saturated with WhatsApp groups, marketing emails, software notifications. The brain that earns trust is the brain that knows when to be silent. Builds the habit: “When my brain pings, it matters.” Drives open rate to 90 %+.

“Same Agent, Many Doors”

“Whether you message your brain on Telegram, WhatsApp, or via the web wizard during onboarding, you’re talking to the same agent with the same memory. There is one brain per business; it just has multiple doors.”

Tech consequence: every channel writes to the same per-tenant vault + database. No silos. Memory is unified. A voice note to WhatsApp at 06:00 informs the Telegram brief at 09:00.

2.8 Channel Setup — Day 0 to Day 5

2.9 Hard Rules — The Communication Never-Do List

1. Never send unsolicited “helpful tips” — only briefs, alerts, replies
2. Never DM staff outside business hours unless explicitly configured per-staff
3. Never reply on a different channel than the customer reached out on without asking
4. Never auto-send on the customer’s behalf at Foothold tier — read-only / draft-only. Sending requires explicit confirmation
5. Never use group chats for individual briefs — privacy
6. Never store customer messages outside their tenant’s vault — no central log
7. Never share data, memory, or context across tenants
8. Never break the “quiet by default” rule with marketing nudges, upsell prompts, feature announcements
9. Never say “I don’t know” without offering to find out — escalates to Captain via Niki
10. Never expose the underlying model name (Anthropic, Claude, etc.) — the brain is their brain, not a third-party product

3. Pricing & Portfolio Fit

3.1 The Tier Ladder

The Edge ladder is built on one principle: each rung removes a specific friction the customer has just outgrown. No upsell is artificial — the customer hits a wall, the next tier is the door.

R1,800 between rungs. Big enough to fund the new capability (~R250 incremental COGS at T2) and pays for support. Small enough that growth pressure overrides it. Mirrors SA SaaS upgrade rhythm — local SMEs metabolise R1,500–R2,000 increments well; jumps of R3,000+ trigger committee approval and stall.

The forcing functions (what moves customers up):

3.2 Bundling Matrix

Foothold ↔︎ Edge Agency: Two separate sales designed to cross-pollinate. Agency client gets discounted Foothold for life at R1,800/mo as a relationship retainer — turns one-off agency revenue into recurring. A Foothold customer who outgrows their website becomes a warm Agency lead.

3.3 Competitor Anchoring (SA Market)

3.4 Margin Math (Internal — Captain’s View)

Per Foothold customer monthly:

Onboarding economics (R3,500 once-off): - Captain time: 4 hours @ R600/hr = (R2,400) - Niki provisioning: ~15 min = (R40) - Onboarding profit: R1,060 — break-even-plus, gates serious commitment

At 30 tenants full capacity (single VPS): - MRR (pure Foothold): R72,000 - Realistic tier-mix MRR (50/20/15/15): ~R102,600 - Gross margin (~85 %): ~R87,200/mo = R1.05M/yr before sales/marketing

3.5 Discount Discipline

3.6 Pricing Risks

1. “Why pay 6× ChatGPT Plus?” Mitigation: lead with daily-brief demo. ChatGPT structurally cannot do that.
2. “Why pay extra for AI on top of Zapier?” Mitigation: demo the judgement layer.
3. T2 upgrade jump feels steep. Mitigation: bundle a free month at upgrade.
4. Onboarding fee scares first conversions. Mitigation: split-payment option, never headline discount.
5. Tenant resource overrun. Mitigation: per-tenant LLM cap at $20/mo (R380); soft warning at $15.

4. Marketing & Naming

4.1 Naming Recommendation

5 names evaluated. Pick: YBA Edge Foothold.

Three reasons: 1. It tells the truth — Foothold matches the price (R2,400 = careful first commitment) and customer psychology (afraid of big numbers cold). Pilot/Spark over-promise; Foothold under-promises and lets the product over-deliver. 2. It builds the ladder — “Get your foothold first. When you’re ready, we move you to the full brain.” That’s a sales script, not just a name. 3. It’s defensible — low trademark crowding in SA SaaS. Pilot and Spark are not.

Hold “Lighthouse” in reserve for a future strategic-advisory tier between Foothold and Office Brain.

4.2 Customer Persona — “Pieter / Thandi / Sanjay, the Owner-Operator”

• Age: 42–55
• Role: Owner / MD / Founder
• Business: 4–8 staff, R2M–R15M revenue, 5–20 years trading
• Industry: Professional services, agriculture, light manufacturing, trades, healthcare practice
• Location: Joburg North, Cape Town suburbs, KZN coastal, EC towns
• Tools today: Gmail/Outlook, WhatsApp Business (primary client comms), Google Sheets/Excel, Xero/Sage/QuickBooks, maybe a free CRM
• AI-readiness: Curious-but-cautious. Tried ChatGPT 1–3 times.
• Budget authority: Can sign solo up to R5k/mo. R2,400/mo + R3,500 once-off sits inside that ceiling — this is the entire reason Foothold’s pricing works
• Decision triggers: Another SA business owner he respects says “we use them, it works”; concrete deliverable he can picture; 30/60/90-day exit clause; real human he can call when something breaks
• Risk fears: Data leak (POPIA), staff feeling threatened, another tool he pays for and doesn’t use, complicated to set up

4.3 Channel Mix — Where to Market

SA market notes: - LinkedIn is small but elite — every SA business owner with R1M+ revenue is on it - WhatsApp beats cold email 10:1 - TikTok growing fast but the buyer (40–55) isn’t there yet — 2-year brand-awareness play - In-person matters more in SA than US/UK - Facebook organic dying for B2B (groups still work, broadcast doesn’t)

4.4 Launch Sequence — Months 1–6

Month 1 — Soft Launch: - EC farm onboarded as Customer #1 - Foothold landing page live at ybaedge.com/foothold - Captain’s LinkedIn announcement post - 3 follow-up posts unpacking philosophy - Goal: 3–5 inbound conversations

Month 2 — Case Study + Content: - 90-day check-in with EC farm → publish case study - 3 short videos cut from a Captain + EC farm conversation - First cold-outreach round (50 hand-researched emails, single niche) - First newsletter issue - Goal: Customer #2 signed

Months 3–4 — Scale Outreach: - Customers #2–#5 (target 1 per fortnight) - LinkedIn ads R3k/mo, single creative - Newsletter cadence locked - 2 podcast guest spots - One chamber/association partnership - Goal: 5 paying customers, R12k MRR + R17.5k onboarding

Months 5–6 — Mid-Game: - 8–12 paying customers, first unprompted referrals - Webinar: “How AI saves my team 2 hours a day — live walkthrough with three Foothold customers” - Affiliate programme activated (10% recurring, 12 months) - LinkedIn ads to R8k/mo - Begin SEO blog - Goal: 12 paying customers, R28.8k MRR, repeatable acquisition motion

4.5 Content Pillars

1. Before/After Day in the Life — Show, don’t sell. One real staff member’s day before vs after.
2. Stop Being the Bottleneck — Owner-operators trap their business inside their own inbox.
3. AI Is a Tool, Not a Replacement — Address the staff-replacement fear directly.
4. Build vs Buy vs Hire — The math. Owner-operators love clear cost comparisons.
5. Case Study Deep-Dive — Real customers. Real numbers. Real quotes.

4.6 Niche Targets

1. Agricultural consultants & specialised farming (EC farm wedge — case study resonates) — AgriSA, Farmer’s Weekly, commodity WhatsApp groups
2. Small accounting & bookkeeping firms (1–10 staff) — they convert their own SME clients — SAIPA/SAICA, Xero/Sage partner communities
3. Boutique professional services (small law, recruitment, niche consulting, 3–10 staff) — highest willingness to pay — LinkedIn-heavy, BNI, APSO/LSSA branches

Avoid initially: medical (regulated, slow buying, POPIA paranoia), e-commerce (margin-compressed), large corporates (wrong tier).

4.7 Three Messages to Avoid

• “AI-powered productivity platform” — too corporate, generic
• “Boost your business with AI” — every snake-oil seller says this
• “Future-proof your business” — meaningless, buzzword fatigue

Replace with: “Your daily brief, ready by 7am” / “Hand off your inbox, not your business” / “R2,400/mo. Cancel anytime. Onboarded in 14 days.”

5. Infrastructure & Scaling

5.1 Tier-by-Tier Infrastructure Plan

5.2 Monitoring + Alerting Stack

All alerts land in one Telegram channel: “Foothold Ops” (Niki + Captain).

1. Uptime Kuma — pings every tenant subdomain + brain /healthz + Telegram bots, 60-sec interval
2. External liveness check (free Pingdom or BetterStack) — VPS-down detection from outside
3. Container health alerts — Coolify + Docker HEALTHCHECK
4. Postgres metrics — connection count, slow query log, disk-space watermarks 70/85/95 %
5. VPS host metrics — CPU, RAM, disk, network (Coolify built-in + netdata at 15+ tenants)
6. LLM API metrics — brain emits OpenTelemetry to Grafana Cloud free tier
7. Per-tenant heartbeat — daily-brief delivery flag; missing > 24 hr alerts

Alert routing: red >2 min → Foothold Ops; red >15 min → Captain DM; red >60 min and customer-impacting → status-page event.

5.3 Failover + Disaster Recovery

5.4 Backup + Restore

• Postgres: nightly pg_dump per schema, encrypted with age, → Backblaze B2. Weekly full snapshots. Retention math: ~50 MB × 30 tenants × 30 days ≈ 45 GB. Trivial cost
• Tenant vaults: each git init’d, brain commits after every write. Nightly rsync of /srv/tenants/ → B2
• Configs + secrets: docker-compose, Traefik, Coolify export → private GitHub yba-edge-infra-config + B2 mirror. Secrets in Docker secrets, never in git
• Restore drill — monthly: First Sunday, Niki picks random tenant, restores to restore-test.tenants.ybaedge.com, verifies brain. A backup that’s never been restored isn’t a backup.

5.5 Security Posture (Day-One)

• UFW: inbound only 22 (SSH), 80/443 (HTTPS), 22000 + 21027 (Syncthing). Default outbound allow.
• SSH: key-only, password auth disabled, root login disabled. Captain + Niki keys only. Fail2ban watching auth log.
• Postgres: per-tenant role with USAGE-only on its own schema. RLS belt-and-suspenders. Audit table write-only for app roles.
• Filesystem: per-UID isolation (uid 20000 + tenant ordinal). Vault 0700 mode, owned by tenant UID.
• LLM keys: Docker secrets, mounted read-only. Rotated quarterly.
• Telegram bot tokens: per-tenant .env mode 0600, root-readable only.
• HTTPS-only: HSTS, Let’s Encrypt DNS challenge for wildcard cert.
• Audit log: every admin action → append-only Postgres table. Reviewed weekly.
• Dependency hygiene: docker scout weekly. High/critical CVEs patched within 7 days.

5.6 When to Move to Managed Postgres

Self-hosted is fine to 30 tenants. Move to managed only when all three are true:

1. Customer count > 30, AND
2. At least one customer requires uptime > 99 %, AND
3. Captain/Niki spend > 5 hr/mo on Postgres ops

Cost band: R1,500–R3,500/mo for ~50 tenants. Migration window: 4–6 hr in maintenance window. Procedure: pg_dump → restore → switch connection string → 24 hr dual-write → cut over → keep old read-only 7 days.

5.7 Capacity & Cost Projections

Margin curve dips slightly at customer 1 (high fixed-cost share) and again at 50 (second full node + managed Postgres territory). Between, margin is essentially flat at 86–88 %. Foothold works as a business — per-tenant infra cost stays in low double-digit rand.

6. LLM Cost Architecture

6.1 Plain-English Primer

• Token — smallest unit a model “sees”. Roughly 0.75 of an English word.
• MTok — million tokens. Anthropic’s billing unit.
• Input tokens — what you send (system prompt + retrieved context + user question). Cheap.
• Output tokens — what the model writes back. ~5× more expensive than input.
• Prompt caching — Anthropic feature. Mark a chunk as cacheable. On next request within 5 min, that chunk is ~90 % cheaper.
• Haiku / Sonnet / Opus — Anthropic’s three tiers. Haiku is fast and cheap (80 % of asks). Sonnet is the workhorse. Opus is heavyweight. Foothold uses Haiku + Sonnet only.

6.2 Cost Model Per Tenant — Exact Math

Assumptions: 50 messages/day, ~2k input / 500 output tokens each, 80/20 Haiku/Sonnet split, FX $1 = R18.80.

Locked target: $10/tenant/mo (R188) ceiling. That’s 7.4 % of MRR — well within healthy SaaS gross-margin territory.

6.3 Routing Logic — When the Brain Escalates to Sonnet

Hard triggers (auto-escalate): - Input prompt > 2,000 tokens - Prompt contains markers: plan, compare, analyze, design, decide between, explain why, pros and cons, trade-off, strategy, what should I - User explicitly requests deep thinking - Last 3 conversation turns involved multi-step reasoning

Default: Haiku 4.5.

6.4 Cost Scaling — Linear at ~7 % of MRR

Predictability win — unlike infrastructure (step-function), LLM scales linearly.

6.5 Optimization Triggers

Combined at 30 customers: baseline $9.45/tenant → ~$6/tenant. Savings retained: R64/tenant/mo × 30 = R1,920/mo extra margin. LLM as % of MRR drops 7.4 % → 4.7 %.

6.6 Opus Access Policy

Opus 4.7 is too expensive for default use. Tier-gated access:

Opus alone at 5 queries/day = ~R190/tenant/mo — half the gross margin on Foothold. Cap protects unit economics.

6.7 BYOK Policy

6.8 Cost-Risk Scenarios

1. Runaway tenant (10× usage). Detection: per-tenant 7-day cost monitor. Mitigation: soft cap 200 msgs/day, hard cap 500/day. At 3 consecutive days at hard cap, FM escalates to upsell conversation.
2. Anthropic price increase. <20 % → YBA absorbs. 20–50 % → 30-day notice, tier prices rise proportionally. >50 % → procurement review (alternatives: OpenAI, Mistral, self-hosted Llama).
3. Prompt regression sends 10× context. Detection: avg-tokens-per-request alert >30 % deviation from rolling 7-day baseline. Mitigation: PR gate with token-cost diff, A/B rollout 10 % → 100 %, auto-rollback if exceeded.

7. Customer Journey, Support & T&Cs

7.1 Onboarding — 5-Day Playbook

Day 0 (the yes): Captain emails Onboarding Pack (T&Cs + 6-question form + payment link). Customer signs + pays R3,500 + fills form. No payment, no provisioning.

Day 1: Niki runs provision_tenant.sh (~5 min). Subdomain live, BotFather bot created, wizard URL generated. Captain sends “your brain is ready” email + 90-sec walkthrough video.

Day 2–3: Customer clicks through OAuth flows for Gmail, Calendar, WhatsApp (~20 min). Captain runs 30-min “Teach the Brain” Zoom call. Niki writes tenant CLAUDE.md + files reference docs into wiki.

Day 4 (Dry Run): Captain runs test daily-brief, reviews, tunes. Email triage in read-only mode. Customer’s staff get 5-min walkthrough video — “Watch this. Tomorrow morning at 09:00 your phone will ping.”

Day 5 (Monday — Go-Live): 09:00 first daily brief lands on every staff phone. Captain on standby 09:00–17:00. End-of-day check-in call.

7.2 Support Tier Matrix

Foothold-specific rules: - Single shared Telegram support group — not Captain’s DM. Keeps attention scalable, customers see they’re not alone. - Async only — same-day response, not real-time. - 30 min/mo included. Over: R450/hr in 30-min increments. - Niki responds first if documented. Escalates to Captain only when novel.

Escalation tree: L1 Niki AI auto-response → L2 Niki summary to Captain → L3 Captain in shared support group → L4 Captain calls customer (security/data only).

7.3 Customer Success Cadence — 90-Day Journey

7.4 Terms & Conditions — Foothold Master Agreement

YBA Edge Foothold — Service Agreement. Plain English. South African Law. POPIA + ECTA compliant. Effective from date of signature.

1. Definitions — Customer, YBA, Service, Customer Data, Subscription Period, Onboarding Fee.

2. The Service — Daily Telegram brief; email triage; WhatsApp/CRM logger; weekly digest; one custom workflow per quarter; async support per Foothold tier.

3. Fees — R3,500 once-off Onboarding (non-refundable). R2,400/mo recurring. First month pro-rated. Debit order or EFT, due by 7th. Late grace 14 days then suspension on 7-day notice. Annual prepay R25,920 (10 % off).

4. Subscription Term + Cancellation — Month-to-month, 7-day written notice via email/Telegram/WhatsApp. No refund of unused portion. Onboarding non-refundable. Data handled per Clause 5.

5. Customer Data + POPIA — Customer is data controller, YBA is data processor. Hosted in SA. YBA does not sell, share, or use Customer Data to train AI models. Export anytime: markdown for wiki, SQL dump for DB, JSON for n8n. After cancellation: 90-day suspension, then permanent deletion. Data breach notification within 72 hours.

6. Customer Obligations — Accurate credentials, single point of contact, no shared logins, comply with own data laws, no unlawful use, pay on time.

7. YBA Obligations — Provide service per Clause 2. Reasonable best-effort uptime (no formal SLA at Foothold tier — formal SLAs from T3). Maintenance window Sundays 02:00–05:00 SAST. Notice for >30 min maintenance.

8. Confidentiality — Mutual NDA, 3 years post-termination.

9. Intellectual Property — YBA owns platform/code/prompts. Customer owns own data + customisations. Case-study/testimonial use requires explicit written consent.

10. Limitation of Liability — Total liability capped at fees paid in preceding 3 months. No indirect/consequential damages. Standard SA carve-outs (fraud, gross negligence, wilful misconduct) cannot be limited.

11. Force Majeure — Anthropic/Hostinger/Google/Meta outages, government action, natural disaster. Outage > 24 continuous hours = pro-rata credit on next invoice.

12. Modifications — 30 days’ written notice. If materially adverse, customer can cancel within 30 days without penalty + pro-rata refund.

13. Governing Law — Republic of South Africa, jurisdiction Cape Town.

14. Dispute Resolution — 30 days good-faith negotiation → AFSA arbitration, Cape Town, English. Final + binding. Court only for urgent interim relief.

15. Notices — Email, Telegram, or WhatsApp valid. Email deemed delivered same day if no bounce. 7-day notice to update.

7.5 Kill Switch (Cancellation Flow)

1. Customer sends 7-day notice via email/Telegram/WhatsApp
2. Captain confirms within 24 hr by reply with stop date
3. Day 7: Niki suspends container. Service stops. Data preserved.
4. Customer offered data export within 48 hr (zip vault + n8n CSV + SQL dump)
5. Day 90 from suspension: permanent deletion
6. Confirmation email closes the relationship cleanly

7.6 Pricing Page FAQ

1. What if I cancel after 1 month? Pro-rata, no refund of current month, full export. No questions.
2. Is my data safe? POPIA-compliant, SA-hosted, never used to train models, encrypted at rest.
3. Can I integrate with my CRM? Almost certainly. Confirmed during Day 0 discovery.
4. What if Anthropic goes down? Cached responses + alerts. Degraded, not dead.
5. Can I export my data? Anytime. Markdown + SQL + JSON.
6. Why R2,400 vs ChatGPT Plus at R400? ChatGPT is a chatbox. Foothold operates on your business — connected to your tools, your team, your data.
7. Do I need technical skills? No. We do the setup. Your staff use Telegram.
8. What if it doesn’t work for us? 7 days’ notice, no questions. We’d rather lose you cleanly than hold you hostage.

8. Decision Log — Captain’s Calls This Week

~33 specific items that unblock launch. Updated 2026-05-07 with LLM access architecture + customer-channel decisions.

LLM Access Strategy (4 items — NEW)

• Approve Stage 1 architecture: API per-tenant + prompt caching + scope cap (TOS-clean, ~R178/tenant/mo)
• Approve scope-cap CLAUDE.md template (brain refuses out-of-scope work, customised per tenant on Day 0)
• Approve the 3-stage Anthropic roadmap (Stage 1 API now → Stage 2 volume API at #25 → Stage 3 Enterprise at #50)
• Reject Max 20×/server idea — TOS-grey, single-revocation business risk. Same economics achieved legitimately via Stage 1 trifecta.

Customer Access + Agent Feedback (5 items — NEW)

• Approve channel mix: Telegram bot (per tenant) + WhatsApp Business + email + Zoom (CS cadence) for Foothold tier
• Approve no web dashboard at Foothold — Telegram + WhatsApp = entire UX. Web dashboard at T3+ only.
• Approve per-tenant Telegram bot via BotFather (@{CompanyName}BrainBot naming, one bot per tenant, no shared YBA bot)
• Approve WhatsApp Business via Meta BSP (customer’s existing number stays theirs)
• Approve “always quiet by default” rule — brain only outputs daily brief, real-time alerts, or replies. No marketing nudges, no upsell prompts.

Pricing (5 items)

• Approve R2,400/mo + R3,500 once-off as final Foothold pricing
• Approve tier ladder R2,400 → R4,200 → R5,400 → R6,000 with R1,800 rungs
• Approve discount discipline policy (founding-customer rate, annual prepay 10 %, no headline discounts, no free trials)
• Approve Edge Agency client gets discounted Foothold for life @ R1,800/mo
• Approve per-tenant LLM cap $20/mo (R380); soft warning at $15

Naming + Marketing (3 items)

• Lock “YBA Edge Foothold” as the public product name
• Approve launch sequence Months 1–6 (soft launch → case study → scale outreach → mid-game)
• Approve content pillars + niche targets (agricultural / accounting / professional services as the first three)

Infrastructure (8 items)

• Approve current VPS as Foothold home (vs dedicated Foothold-only VPS)
• Approve sharding trigger at customer #25 (provision 2nd full node before signing #25)
• Approve hot-standby Postgres VPS at customer #5 (+R600/mo)
• Approve Backblaze B2 for off-box backups at customer #10 (+R200/mo)
• Approve Uptime Kuma + Foothold Ops Telegram channel as day-one monitoring
• Approve security baseline (UFW, SSH key-only, RLS, per-UID vault isolation)
• Approve monthly restore drill as recurring Niki task (~2 hr/mo)
• Approve Cloudflare in front of Traefik at customer #15 (free tier)

LLM (5 items)

• Approve Haiku 4.5 default + Sonnet 4.6 escalation (vs Sonnet-only — 3× cost)
• Approve YBA-billed model for Foothold (vs BYOK — kills “it just works”)
• Approve prompt caching at customer #5 (Tier 1 optimization)
• Approve soft cap 200/day, hard cap 500/day per tenant
• Approve Opus access policy (R200/incident at Foothold, 5/day cap at T2, unlimited at T3+)

Customer Journey (4 items)

• Approve 5-day onboarding playbook (Day 0 yes → Day 5 Monday go-live)
• Approve support tier matrix (Foothold async-only, shared Telegram group, 30 min/mo included)
• Approve escalation tree (Niki L1 → Niki summary L2 → Captain L3 → Captain call L4)
• Approve 90-day customer success cadence (welcome → go-live → 7d → 14d → 30d → Q1 → 90d)

T&Cs (1 item — review the whole document)

• Review and approve T&Cs document (Section 5.4) — sign for first customer use

9. What Niki Builds Once Captain Says Go

Build sequence (2–3 days from green light):

1. provision_tenant.sh — full automation script
2. ybaedge/tenant-brain:v1 Docker image (FastAPI + Anthropic + vault tooling)
3. ybaedge/tenant-tgbot:v1 Docker image
4. Vault template — pre-filled CLAUDE.md, index.md, log.md skeletons
5. Traefik wildcard cert for *.tenants.ybaedge.com
6. Onboarding wizard page on ybaedge.com/foothold/onboard — handles 4 OAuth flows
7. Foothold landing section on ybaedge.com/foothold with pricing + discovery-call CTA
8. ERPNext “contract signed” → n8n workflow → provision_tenant.sh trigger
9. Uptime Kuma deployment + Foothold Ops Telegram channel wiring
10. T&Cs PDF + Onboarding Pack template
11. EC farm provisioned as customer #1 — pilot/equity-adjusted terms

At customer #5: add hot-standby Postgres VPS. At customer #10: add Backblaze B2 backups. At customer #15: add Cloudflare in front of Traefik. At customer #25: provision 2nd full node, ready to shard.

Closing

Foothold is fully scoped. The path to first revenue is short: Captain approves the ~25 decisions above → Niki spends 2–3 days building infrastructure → EC farm onboards → first weekly briefs ping → case study writes itself → Customer #2.

Run the rhythm, sell the output, the system runs you.

— Niki / YBA Edge Operations

10. Customer Interface Architecture

Where customers actually talk to the brain. Where the brain hands work back. Mapped per use-case, per tier.

10.1 The Three Interaction Surfaces

The brain lives in three places. Same brain, same memory across all three. A voice note to WhatsApp at 06:00 informs the Telegram brief at 09:00.

Foothold tier explicitly excludes: web dashboard, custom mobile app, browser plugin. Onboarding stays simple, channels stay messaging-first.

10.2 Where the Customer Asks Questions

Rule: brain replies in the same channel the customer wrote in. Never switches channels without asking. “Same agent, many doors” applies to direction-of-conversation too.

10.3 Where the AI Delivers Daily Briefs

09:00 SAST every workday. Per staff member. Personalised to their role.

The brief lands first on the phone (Telegram). Email mirror exists so the owner can re-read on a laptop later. Email never delivers the brief alone — Telegram is primary.

10.4 Where the AI Delivers Reports

10.5 Where the AI Delivers Files

Three delivery methods, picked by file size + use case:

Method 1 — Telegram document attachment (default for <50 MB)

• Brain returns: “Here’s your draft contract” + PDF attached
• Customer downloads with one tap, opens in their phone’s PDF viewer
• Use case: drafts, summaries, exports, snippets, anything immediate

Method 2 — Email attachment (formal / laptop / large)

• Brain emails the file directly to the customer’s inbox
• Use case: monthly reports, multi-page exports, invoices, formal documentation

Method 3 — Per-tenant private file area (large or shared)

• URL pattern: {slug}.tenants.ybaedge.com/files/{id} with one-time access token (24-hr expiry)
• Brain pings: “File ready — link expires tomorrow at this time”
• Customer clicks, downloads
• Use case: large data exports (>50 MB), sharing with third parties (the link is auth-gated), permanent reference docs
• Foothold: read-only — customer downloads, can’t upload. T3+ unlocks two-way file sharing.

Direction of file flow: - Customer → Brain: Telegram or WhatsApp document upload, ingested into the tenant vault - Brain → Customer: per the table above, picked by file size + use case

10.6 Where the AI Delivers Email Drafts

This is the tier-dependent one. Foothold is read-only / draft-only — the brain never sends on the customer’s behalf.

Foothold tier (R2,400) — draft-and-notify

1. Brain reads incoming email (Gmail / Outlook OAuth, read access)
2. Brain classifies every email — urgent, needs-reply, FYI, newsletter, spam
3. For “needs-reply” emails: brain composes a draft reply
4. Brain saves the draft to the customer’s email Drafts folder via Gmail/Outlook API
5. Brain pings the customer in Telegram: “Right Air emailed about quote. Drafted reply saved to Drafts — want me to read it to you here?”
6. Customer opens their email app (Gmail mobile, Outlook, whatever they use), sees the draft, edits if needed, clicks Send themselves
7. The brain never clicks Send at Foothold tier — non-negotiable. Builds trust, prevents PR disasters.

Tier 2 — Workshop (R4,200) — one-tap approve

• Same as Foothold PLUS: Telegram message includes an “Approve & send” button
• Customer reviews draft in Telegram, taps Approve → brain sends directly via Gmail/Outlook API
• Saves the trip into the email app

Tier 3 — Operator (R5,400) — approval bot

• Brain shows full draft in Telegram with action buttons: Approve / Edit / Reject
• Edit opens an inline text-edit interface in Telegram — customer modifies before approving
• Every send logged to per-tenant audit trail (governance/compliance for multi-staff orgs)

Office Brain (R6,000) — full origination

• Brain can originate outbound — “Send a follow-up to Sipho about the quote, ask for an update by Friday”
• Brain composes, sends, logs. Customer sees the trail in their Sent folder + Telegram digest
• Twilio for SMS, Gmail API for email, WhatsApp Business for WA
• Full compliance logging on every outbound send

Critical UX detail: at Foothold tier, the customer always feels in control because they always click Send themselves. That’s the trust building block. The upsell pressure to T2+ comes naturally when they get tired of opening Gmail to send the brain’s pre-drafted reply.

10.7 Voice Note Flow

Foothold transcription: at this tier, the brain transcribes via the LLM directly (Haiku handles short voice notes cheaply). Deepgram is a T3+ unlock for higher-accuracy long-form transcription (calls, meetings).

10.8 Onboarding Flow — When Each Surface Comes Online

The web onboarding wizard (a single one-time URL given to the customer on Day 1) handles the OAuth flows. After Day 3 the wizard is no longer needed — all subsequent interaction is via Telegram, WhatsApp, and email.

10.9 Tier-by-Tier Interface Unlock Matrix

10.10 Architecture Diagram (text)

┌─────────────────────────────────────────────────────────────┐
│  CUSTOMER (owner + staff)                                   │
│                                                              │
│   📱 Telegram          📱 WhatsApp         💻 Email          │
│   (per-tenant bot)    (Business API)      (Gmail/Outlook)   │
│       │                     │                  │             │
└───────┼─────────────────────┼──────────────────┼─────────────┘
        │                     │                  │
        ▼                     ▼                  ▼
┌─────────────────────────────────────────────────────────────┐
│  TENANT POD on YBA Edge VPS                                 │
│  (subdomain: {slug}.tenants.ybaedge.com)                    │
│                                                              │
│   ┌──────────┐    ┌──────────────┐    ┌──────────┐          │
│   │ tgbot-   │◄──►│ brain-{slug} │◄──►│ n8n-     │          │
│   │ {slug}   │    │ FastAPI +    │    │ {slug}   │          │
│   │          │    │ Anthropic +  │    │ workflows│          │
│   │          │    │ vault        │    │          │          │
│   └──────────┘    └──────┬───────┘    └────┬─────┘          │
│                          │                  │                │
│                          ▼                  ▼                │
│   /srv/tenants/{slug}/vault/  ──►  Postgres schema         │
│   (markdown source of truth)       (n8n state + audit)     │
└─────────────────────────────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────┐
│  EXTERNAL APIs (read-only at Foothold tier)                 │
│                                                              │
│   Anthropic API · Gmail API · Calendar API · WhatsApp BSP   │
│   (Drafts only at Foothold — never sends)                   │
└─────────────────────────────────────────────────────────────┘

10.11 What This Means for the Build

For Niki to deliver the interface architecture per the spec above, the following components ship in the first build wave:

1. provision_tenant.sh — creates pod, subdomain, Telegram bot, vault skeleton, BotFather call, OAuth wizard URL
2. tenant-brain Docker image — FastAPI + Anthropic SDK + vault retrieval + scope cap + per-channel adapters (Telegram + WhatsApp + Email)
3. tenant-tgbot Docker image — python-telegram-bot listener, /start handler, message router, action-button handler
4. tenant-emailbridge Docker image — Gmail/Outlook OAuth listener, email triage, draft writer, “send” handler (T2+)
5. tenant-wabridge Docker image — Meta BSP webhook receiver, message router (mirrors Telegram bot logic)
6. Web onboarding wizard — single page on ybaedge.com/foothold/onboard?key={one_time} for the 4 OAuth flows
7. Per-tenant file area — static file server scoped to /srv/tenants/{slug}/files/, signed-URL generation
8. Vault template — pre-filled CLAUDE.md (with locked scope-cap paragraph), index.md, log.md
9. Traefik wildcard cert — *.tenants.ybaedge.com
10. Foothold Ops Telegram channel — Captain + Niki, monitoring alerts

Order of build: items 1, 2, 3, 8, 9 ship first (this gets EC farm to “daily brief on Telegram”). Items 4, 5, 6 ship second (full email + WhatsApp). Item 7 (file area) ships third. Item 10 throughout.

EC farm goes live with items 1-5 + 8-9 functioning. File area is nice-to-have for week 1.