brexit
architectural prototype · not a regulated product

An enterprise spend platform,
built far enough to be evaluated.

brexit · read it as "brex, it"

Brexit is a portfolio artifact: the architecture of a corporate spend platform: cards, banking, bill pay, expenses, accounting sync, in-house ledger, in-house fraud. The latency-critical pieces actually wired against vendor sandboxes and the rest honestly marked as sketches over the same real schema. It exists so the design can be read, run, and evaluated on its own merits; it is not a regulated product and no real money moves.

sign in as a demo persona →read the architecturegithub.com/syntaqx/brexit

vendor adapters scaffolded

  • lithic
  • increase
  • plaid
  • persona
  • mindee
  • quickbooks
  • workos
  • cloudflare

the posture

Local-first.
Sandbox-ready.
Production-shaped.

Every capability has three tiers behind the same port. Selection is per-capability, per-customer, resolved at request time. There is no environment-tier default and no implicit fallback.

  • localthe default

    Postgres-backed simulations of every vendor. Clone, make dev, make seed. No credentials, no signups, full webhook code paths exercised.

  • sandboxthe demo upgrade

    Real Lithic, Increase, Plaid, Persona, Mindee, QuickBooks sandboxes. Flip the per-capability env var, drop in your sandbox key, the rest of the platform doesn't notice.

  • productionthe documented path

    Same adapter code as sandbox, different credentials. Going live needs a sponsor bank, BSA/AML program, and SOC 2. See the architecture docs for the realistic path.

what's in the box

The surface of an enterprise spend platform, end-to-end.

full capability matrix →
  • money movementcorporate cards

    Virtual + physical cards, sub-100ms authorization budget, single-writer ledger holds. Local issuer by default; flip BREXIT_CARDS to lithic-sandbox to drive real Lithic auths.

  • money movementbanking

    ACH and wire shaped against the Increase API surface. Local rails settle instantly; the same code paths run unchanged against the Increase sandbox. RTP is on the roadmap, not yet wired.

  • money movementbank linking

    Plaid-shaped Linker port. Local adapter seeds 60d of plausible transactions; the Plaid sandbox adapter drops in with one env var swap.

  • spend platformbill pay

    Upload-or-API intake (OCR via Mindee adapter), approval chains via the generic approvals engine, vendor records, scheduled payment via the banking rails. Email-to-bill ingestion and check/virtual-card rails are scaffolded but not yet wired.

  • spend platformexpense management

    Receipt submission with manual transaction linking, in-house policy engine evaluated in the auth hot path, approval thresholds that fire real workflows. Receipt-to-transaction auto-match and reimbursement payout are on the roadmap.

  • spend platformaccounting sync

    QuickBooks-shaped Sync port with per-customer connection state. Local adapter persists journal entries to a fake QBO; the real adapter calls /v3 unchanged.

  • in-house enginesfraud decisioning

    Explainable feature-based scorer, runs inside the auth budget, every decision streams into an operator-reviewable queue with the signal breakdown.

  • in-house enginesmerchant enrichment

    Exact -> prefix -> substring match against an in-house canonical merchant DB, operator endpoints for alias curation. A dedicated training UI in Sudo is on the roadmap; today operators curate via the API.

  • in-house enginescredit underwriting

    Reads linked bank data and produces a tiered decision with reasoning. A/B/C/D/decline based on the section 12.4 formula with industry + stage multipliers. Continuous re-evaluation against fresh bank data is on the roadmap.

< 100msp99 auth-path budget
8vendor adapters ready
8seeded demo personas
100%in-house double-entry ledger

what's worth looking at

The architecture is the product.

  • 01

    Capability-port architecture

    Every external dependency lives behind a domain-shaped interface. Local, sandbox, and production adapters all implement the same port and are independently selectable per-customer per-capability.

    // internal/ports/cards/cards.go
type Issuer interface {
    CreateCard(ctx, req) (*Card, error)
    Authorize(ctx, auth) (Decision, error)
    ...
}
  • 02

    Three-tier adapter model

    local · sandbox · production. Most capabilities ship with all three already scaffolded; the sandbox + production tiers are the same code with different env vars.

    BREXIT_CARDS=local            # default
BREXIT_CARDS=lithic-sandbox   # opt in
BREXIT_CARDS=lithic-production # gated
  • 03

    The authorization hot path

    Card resolve → status checks → fraud score → policy → velocity → ledger hold, serialized per-account via SELECT FOR UPDATE. Sub-100ms p99 target end-to-end.

    // internal/domain/auth_engine
decision, err := engine.Authorize(ctx, AuthInput{
    CardID:        cardID,
    AmountMinor:   amount,
    MerchantMCC:   mcc,
})
  • 04

    In-house engines for the differentiators

    Fraud, merchant enrichment, credit underwriting, policy, rewards. These are the systems where off-the-shelf vendors either don't exist at the required quality or don't fit the latency budget.

    // internal/domain/fraud
score := scorer.Score(ctx, AuthInput{...})
// → 0-100 + confidence + top-3 signals

what isn't built

The honest gap list.

The capability blurbs above describe the shape of the platform; this band describes where the shape stops. If you're evaluating architecture, this is the more useful section. Anything not listed here is either built or honestly labeled in the capability matrix.

claimed elsewhere, not built yet
  • Email-to-bill ingestion via Cloudflare Email Routing. Bills today come from upload or API.
  • Receipt-to-transaction auto-matching. OCR runs; the join back into expenses is manual.
  • Card controls beyond velocity caps. No MCC blocks, merchant allow/deny, time-of-day, or geo-fencing.
  • Budget enforcement in the auth hot path. Budgets are tracked and queryable; the policy engine doesn't consult them yet.
  • Disputes. No port, no UI, no workflow yet.
  • Continuous re-underwriting. A decision is produced once at onboarding; nothing re-evaluates against fresh bank data.
  • Outbound webhooks to customers. Inbound vendor webhooks verify and process; outbound delivery isn't wired.
  • Customer-facing audit export. The operator audit query is live; the customer-side surface isn't.
designed for, but currently single-implementation
  • Multi-currency. The schema carries currency fields; the ledger and FX path are USD-only today.
  • Workflows engine. River on Postgres is the only implementation; the Temporal adapter is a documented stub.
  • Identity (business + watchlist). Local deterministic adapters only; Middesk and ComplyAdvantage are planned, not contracted.
  • HRIS. Local roster generator only; Merge.dev and Finch slot in behind the same port.
  • Notifications. Email via Resend works; SMS is local-only, push isn't started, in-product inbox isn't built.
performance + measurement caveats
  • Sub-100ms p99 on the auth path is a design target, not a measured number. There are no benchmarks in the repo.
  • Vendor sandbox adapters compile and follow each vendor's API shape, but only the local tier is exercised end-to-end in CI.

what going live would require

The prototype intentionally stops at the technology line.

Architecture is months of work. A regulated fintech is years. Brexit is built so the platform side stays close to what production wants - but the rest of the list below has to be true before a single real dollar moves. None of it is true today, and the project is not pursuing it.

regulatory
  • Sponsor bank relationship (Emigrant / Lead Bank / Column / Cross River)
  • BSA/AML program with a designated BSA officer
  • Customer Identification Program (largely built on top of the existing KYC/KYB ports)
  • State Money Transmitter Licenses where required
  • GLBA + GDPR + CCPA data-handling posture
compliance
  • SOC 2 Type I followed by SOC 2 Type II (12-month observation window)
  • PCI DSS scope analysis (Brexit stays out of scope by tokenizing through the card issuer)
  • Annual independent AML program test
  • Pen-test cadence + documented incident response plan
capital + ops
  • Working-capital facility from a debt lender, with an underwriting model defensible to that lender
  • Loss reserves for fraud + chargebacks
  • 24/7 on-call rotation across cards + banking + fraud
  • Sponsor-bank-approved production access to Lithic, Increase, Persona, and friends

Realistic timeline from “the prototype is excellent” to “first production customer” for a well-capitalized team: 12–18 months. Brexit as it stands today has none of the above and is not pursuing them.

try it

Two surfaces. Two sign-ins. Same backend.

Pick the customer experience or the operator console. Each sign-in page lists the seeded personas; one click in, full seeded state on the other side. Local SSO is enabled: type any email to spin up a fresh user, or pick one of the prebuilt scenarios.

app.brexit.devCustomer product

Cards, transactions, balances, approvals, bills, expenses. Five seeded customers across owner / manager / employee / bookkeeper roles.

customer sign-in →sudo.brexit.devOperator console

Ops queues and CRM bridge. Fraud, enrichment, KYC, impersonation, adapter switcher. Four seeded operator roles (admin / ops / crm / viewer).

operator sign-in →

what this isn't

Brexit is not a real fintech company. It has no sponsor bank, no money transmitter licenses, no BSA/AML compliance program, no SOC 2, no PCI DSS, and is not pursuing any of those. It is not soliciting customers and does not handle real customer money.

No real money moves. No real cards are issued. No real KYC results are produced. No real bank accounts are linked. Brexit is not affiliated with, endorsed by, or pretending to be any real financial-services brand. The name is a play on brex + exit.