RBS Ecosystem Architecture

Last Updated: March 21, 2026 Company: Red Broom Software S.A.S. (RFC: RBS2201168S7) Developer: Brillo (solo) — juliositgespomares@gmail.comVision: Self-managing SaaS ecosystem for Mexican SMBs — every department is an app, every app is a product

Core Philosophy

RBS is a vertically-integrated ecosystem of 21 apps. The company uses its own tools to run itself (dogfooding), then sells those same tools to other businesses.

Each RBS platform is a Camino organization. Colectiva manages equity and operations. Constanza handles accounting. The ecosystem manages itself.

Separation of concerns:

Role	App	What It Owns
Identity + Marketing + Sales	Camino	SSO, content API, AI copilot, WhatsApp routing, lead nurture
Brains + Operations	Colectiva	Decision Spaces, workspace boards, AI Oracle, payments, escrow, equity
Finance + Compliance	Constanza	CFDI 4.0, accounting, ISR/IMSS, bank reconciliation, RESICO optimizer
Legal	Agora	Contracts, IOLTA trust accounts, AI drafting
Infrastructure	ecosystem-sdk + MCP server	Webhooks, auth, AI metering, app registry

No code duplication — shared functionality is centralized. Industry-specific logic stays in vertical apps.

System Architecture

                    ┌──────────────────────────────────┐
                    │     CAMINO (SSO IdP + Marketing)  │
                    │  OAuth2 PKCE · Content API · AI   │
                    │  WhatsApp Agent · Sales Copilot   │
                    └───────────┬──────────────────────┘
                                │ SSO + webhooks to all apps
        ┌───────────────────────┼───────────────────────┐
        │                       │                       │
        ▼                       ▼                       ▼
┌───────────────┐      ┌───────────────┐      ┌───────────────┐
│  COLECTIVA    │      │  CONSTANZA    │      │  BANXICO µsvc │
│  Brains/Ops   │      │  Accounting   │      │  CoDi/SPEI    │
├───────────────┤      ├───────────────┤      ├───────────────┤
│ Decision Space│      │ CFDI 4.0      │      │ QR codes      │
│ Workspace     │◄────►│ Polizas       │◄─────│ Transfers     │
│ AI Oracle     │      │ Payroll sync  │      │ Balance       │
│ MercadoPago   │      │ ISR/IMSS      │      │ MXC coins     │
│ Escrow/Wallet │      │ Bank recon    │      │               │
│ Equity mgmt   │      │ RESICO optim  │      │               │
└───────┬───────┘      └───────┬───────┘      └───────────────┘
        │                      │
        └──────────┬───────────┘
                   │ webhooks + API calls
    ┌──────┬───────┼───────┬──────┬──────┬──────┐
    ▼      ▼       ▼       ▼      ▼      ▼      ▼
 Caracol La Hoja  Comal  Cosmos Plenura Mancha  Rito
  POS    ERP/POS  eCom    Vet   Therapy Reserv  REPE

Platform Details

Camino — SSO IdP + Headless Marketing Engine

URL: camino.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Supabase (PostgreSQL), Vercel Scale: 214 API routes, 90+ DB migrations, 18 daily dispatcher sub-jobs + 2 pg_cron jobs, 8 AI integrations

What Camino does:

SSO Identity Provider: OAuth2 PKCE for 15 apps. Every ecosystem app authenticates through Camino.
Headless Marketing Engine: Structured JSON content API (GET /api/public/page/{slug}), apps consume it for landing pages. AI generates content, A/B tests it, optimizes automatically.
Tracking SDK: camino-track.js (3KB) embeds on all surfaces, feeds personalization engine.
AI Sales Copilot: Lead scoring, nurture sequences, conversion optimization.
WhatsApp Agent Routing: Routes WhatsApp conversations to 7 apps based on context.
Subscription Management: Trial lifecycle, upgrade checkout, billing across all apps.
Email Automation: Resend integration (welcome, trial expiry 7d/3d/1d, nurture sequences).
Developer Sessions: HMAC-signed session cookies for cross-app admin access.
Daily Cron Dispatcher: Vercel Cron at 14:00 UTC, consolidates 5 daily jobs.

Integration Levels (per tenant):

Level	What Tenant Gets	Cost
L0	SSO, consolidated billing, ecosystem identity	Free (part of app sub)
L1	Activity feed, basic analytics	Included with Camino Free
L2	Abandoned cart recovery, promo emails, AI landing pages	Camino Pro
L3	Business advisor, predictive analytics, self-optimizing pages	Camino Business

Colectiva — Brains + Operations

URL: colectiva.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Firebase (Firestore), Vercel

Colectiva is NOT just a wallet. It is the operational brain of the enterprise.

Operations:

Decision Spaces — structured decision-making with participation agreements
Workspace boards — progress tracking, project management
AI Oracle — operational intelligence
Equity management — founder equity accrual, cap table, blockchain CPI registry
Workflow orchestration across ecosystem apps

Payments:

MercadoPago fully integrated (marketplace splits, refunds, chargebacks)
CoDi QR generation
Wallet system (MXC + Red Wallet)
Escrow for marketplace transactions
AI metering — all AI usage across ecosystem reports here

Scheduled Jobs: 12 cron jobs (revenue recognition, distributions, ecosocialismo transfers)

Constanza — AI Accounting + Tax Compliance

URL: constanza.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Firebase (Firestore), Vercel

CFDI 4.0 stamping (SmartWeb PAC, test + production)
Poliza/journal entries with audit trail
Fiscal Optimizer AI (RESICO monitoring + alerts)
SAT chart of accounts
Payroll sync from Colectiva and Plenura
ISR/IMSS calculations
e.Firma/FIEL certificate management
Fiscal calendar with automatic reminders
CFDI automatic download from SAT
Organization lifecycle management
DataGrid migration completed (Syncfusion)
9 ecosystem app integrations

Banxico Microservice — Payment Infrastructure

Stack: Node.js, TypeScript, Express, PostgreSQL Deployment: Oracle Cloud VM (http://40.233.27.208:3000)

CoDi QR code generation (Banxico API, beta environment)
SPEI bank transfers
MXC coin system (1 MXN = 1 MXC, instant internal transfers)
API key auth middleware (hardened March 2026)

Vertical Apps

Caracol — Restaurant/Wine POS

URL: caracol.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Firebase, Vercel Revenue: ~$7,000 MXN/month (~$84K/year) — licensing Status: Production (sole revenue-generating app)

Table management, order taking, kitchen integration
FIFO inventory tracking, menu management
CFDI stamping + REP payment complements
CoDi + MercadoPago payments
Consumer portal API
QStash scheduler for failed stamp retries (exponential backoff)
SAT cancellation status query
Bulk invoicing, picking list print, cash register sessions
3 worktrees with unpaid client work (DO NOT TOUCH)

La Hoja — Restaurant ERP + POS

URL: hoja.redbroomsoftware.com Stack: Next.js 15, Firebase (Firestore), Vercel Status: Production

POS with payment processing, tipping, discounts, coupons
Production planning (plans, batches, quality control)
Recipe management (ingredients, sub-recipes, cost tracking)
Inventory with merma (waste) tracking
Kitchen order queue (real-time), Kitchen Display System
Loyalty and rewards program
Mancha reservation sync (real-time POS panel)
24 webhook event types (22 received, 2 sent) — ecosystem reference implementation
All 5 ecosystem services connected

Comal — E-Commerce SaaS

URL: comal.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Supabase, Vercel Status: Production (Phase 1), first client: Moken Matcha ($20K deal)

Self-service store creation + onboarding
Products, variants, inventory (simple + bulk_conversion models)
Checkout with MercadoPago
Subscription clubs with trials
Customer accounts + membership tracking
Shipping zones + Skydropx
Tier limit enforcement (Pro=100, Business=500, Enterprise=2000 products)
Auto-provisioning via Camino webhook

Plenura — Therapy/Wellness Marketplace

URL: plenura.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Supabase, Vercel Status: Production, zero paying subscribers

Therapy marketplace with real therapist data
Video sessions (JaaS), booking flow, escrow
5 AI features
Subscription tiers (Free/Pro/Business/Enterprise)

Cosmos Pet — Veterinary Clinic Management

URL: cosmospet.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Firebase, Vercel Status: Active development, feature-rich, zero adoption

SOAP notes, vaccinations, surgery tracking, grooming
POS, appointment scheduling, medical history
Patient records, inventory (medications, supplies)

Mancha — Restaurant Reservations

URL: mancha.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Supabase, Vercel Status: Active development (503 — Supabase auto-paused)

B2B dashboard + B2C consumer booking
Real-time sync with Caracol and La Hoja POS

Agora — Legal Practice Management

URL: agora.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Supabase, Vercel Status: Active development, zero customers

Matters, clients, IOLTA trust accounts
Ghost timer, HITL AI review, AI drafting

Rito — REPE Fund Management

URL: rito.redbroomsoftware.com Stack: SvelteKit 5 + Svelte 5 runes, Supabase, Vercel Status: Production, real data, manually onboarded

Deal underwriting + fund dashboard
AI copilot with 8 tools (Claude)
Multi-tenant by fund

Shelf Code (deployed but inactive)

App	URL	Stack	Notes
Servilleta	servilleta.redbroomsoftware.com	SvelteKit + Firebase	TaskRabbit-style marketplace
Goodbay	goodbay.redbroomsoftware.com	SvelteKit + Firebase	Vacation rentals, coin economy
Baul	baul.redbroomsoftware.com	SvelteKit + Supabase	Self-storage management
Cookie Monster	cookies.redbroomsoftware.com	SvelteKit + Firebase	Consumer portal for Caracol
Puppy Love	puppylove.redbroomsoftware.com	SvelteKit + Firebase	Pet dating demo
Continua	continua.redbroomsoftware.com	SvelteKit + Firebase	Blood donation tracker
Hospitality	—	—	Concept only

Shared Infrastructure

Ecosystem SDK (v0.4.1)

Published to GitHub Packages as @rbs/ecosystem-sdk. Consumed by all 17 apps.

App registry (17 apps)
HMAC-SHA256 webhook signing and verification
OAuth2 PKCE client for Camino SSO
Webhook handler and sender factories
AI metering (reports usage to Colectiva)

MCP Server (15 tools)

12 code tools + 3 business knowledge tools. Used for cross-app development.

list_apps, check_consistency, get_event_registry
validate_webhook_contract, get_cross_references
scaffold_webhook_handler, scaffold_event_sender, rename_app_identity
check_deployment_health (pings all app URLs)
get_platform_info, get_pricing, get_competitive_landscape
3 Rito-specific tools

RBS Website

URL: redbroomsoftware.com Stack: SvelteKit 2 + Svelte 5, Vercel (migrated from GitHub Pages March 2026)

/plataformas page consumes Camino content API with personalization
Tracking SDK embedded

Integration Patterns

Authentication

User → App login → Camino OAuth2 PKCE → JWT → App session

Supabase apps: Supabase Auth + Camino SSO
Firebase apps: Firebase Auth + Camino SSO
Developer sessions: HMAC-signed cookies, httpOnly, server-side verification
Admin routes: Tenant isolation enforced on all admin routes

Webhook Flow

Source App → HMAC-SHA256 sign payload → POST to target /api/webhooks/{source}
Target App → Verify HMAC → Idempotency check → Process → ACK

30+ event types across the ecosystem
13 target apps receive webhooks from Camino
Idempotency via ecosystem_events_received collections
Retry with exponential backoff on failure

CFDI Invoicing Flow

POS App → Camino (stamp allocation check) → Constanza (SmartWeb PAC) → CFDI 4.0 XML
Failed stamps → QStash retry queue → exponential backoff (5m → 15m → 45m → 2h → 6h)

Subscription Lifecycle

User registers (app-first OR Camino-first)
  → Camino creates trial subscription
  → Webhook: subscription.trial_started → Target app auto-provisions
  → Trial expiry emails (7d/3d/1d/expired)
  → User upgrades → Colectiva processes payment
  → Webhook: payment confirmed → Camino activates plan

Both entry flows are valid:

App-first: User signs up at Comal directly, SSO via Camino
Camino-first: User signs up at Camino, enables apps, auto-provisioning via webhook

Headless Marketing Flow

AI generates content → Camino stores structured JSON
  → GET /api/public/page/{slug} → App renders landing page
  → Tracking SDK (camino-track.js) collects visitor data
  → Personalization rules match visitor context
  → AI optimizes content via A/B testing

4 personalization rules active: restaurant, ecommerce, therapy campaigns + returning visitor.

Scheduled Jobs

Full infrastructure audit: ECOSYSTEM_INFRASTRUCTURE.md Total: 70+ scheduled jobs across Vercel Cron, Upstash QStash, and Supabase pg_cron.

Three-Layer Scheduling

Layer	Who	Count
Vercel Cron	Camino (18-job dispatcher), Constanza (2), Baúl (2), Ecosystem API (1)	23 jobs
Upstash QStash	Colectiva (15 jobs), Caracol (1 — stamp retry every 15 min)	16 jobs
Supabase pg_cron	7 apps — keep-alives + Camino internal HTTP (voice, invoice sync)	11 jobs

Critical Dependency: Colectiva Heartbeat

Colectiva runs an ecosystem heartbeat every 30 minutes that fans out to Agora, La Hoja, and Servilleta. These three apps have no vercel.json cron of their own — their background jobs depend on Colectiva staying up.

Decision Criteria

Ecosystem-wide or cross-app job → Camino daily dispatcher
Firebase app scheduled job → App's own QStash
Supabase app DB-internal job → pg_cron in that project
Keep-alive for free-tier Supabase → pg_cron keep-alive-ping migration (7 projects use identical pattern)

Security (March 2026 Hardening)

30+ security commits across 17 repos on March 21, 2026.

What was hardened:

HMAC-signed developer session cookies on all 15 Vercel-deployed apps
timingSafeEqual for ALL secret comparisons (crons, API keys, webhooks, sessions)
All NODE_ENV === 'development' bypasses removed from signature verification
Tenant isolation enforced on all admin routes
Camino: 20 vulnerabilities fixed (forgeable dev session, payment bypass, OAuth redirect, API key exposure, cron timing attacks, state machine bypasses)
Banxico: API key auth middleware added (was zero auth on financial endpoints)
Colectiva: MercadoPago live_mode bypass removed, DEV_MODE flags removed
Constanza: JWT signature verification added, dev bypasses removed
Developer mode amber banner on all admin layouts (server-side data, not client cookie)
DEVELOPER_SESSION_SECRET set on all 15 Vercel projects
SOFT_ENFORCE remains true until payment flows tested in production

Permanent rules:

HMAC-SHA256 for all webhook signing — never weaken
No dev bypasses in signature verification — ever
Tenant isolation on every admin route — no exceptions

Database Distribution

Database	Apps
Supabase (PostgreSQL)	Camino, Comal, Plenura, Rito, Agora, Mancha, Baul
Firebase (Firestore)	Caracol, Colectiva, Constanza, La Hoja, Cosmos Pet, Servilleta, Goodbay, Cookie Monster, Puppy Love, Continua

4 free Supabase accounts host 7 projects. Free plan auto-pauses databases after 7 days of inactivity, causing 503 errors on affected apps.

Revenue Reality

Source	Monthly (MXN)	Annual (MXN)	Status
Caracol restaurant licensing	~$7,000	~$84,000	Active — cash invoices, outside Colectiva
Moken Matcha (Comal)	$20,000 one-time	—	Pending — dev fee + top tier
SaaS subscriptions	$0	$0	Pipeline built, no paying customers
Colectiva commissions	$0	$0	Processing works, no volume

Total recurring digital revenue: $0/month. The financial pipeline is fully wired but has never processed real subscription money. End-to-end self-serve payment test is the top pending validation.

Status Summary

Status	Apps
Production	Caracol, La Hoja, Camino, Colectiva, Constanza, Comal, Plenura, Rito
Active Development	Mancha, Agora, Cosmos Pet
Shelf Code	Servilleta, Cookie Monster, Puppy Love, Goodbay, Baul, Continua, Hospitality

Tech Stack Summary

Component	Technology
Frontend framework	SvelteKit 5 + Svelte 5 runes (16 apps), Next.js 15 (La Hoja)
Databases	Supabase PostgreSQL (7 apps), Firebase Firestore (10 apps)
Auth	Supabase Auth + Camino SSO (Supabase apps), Firebase Auth + Camino SSO (Firebase apps)
Hosting	Vercel (all web apps), Oracle Cloud (Banxico microservice)
Email	Resend
Payments	MercadoPago (primary), CoDi/SPEI (Banxico), OXXO
AI	Claude (Anthropic) — copilots, content generation, fiscal optimization
Cron	Vercel Cron (Camino dispatcher), QStash/Upstash (Firebase apps)
CFDI	SmartWeb PAC (test + production)
SDK	@rbs/ecosystem-sdk v0.4.1 (GitHub Packages)
MCP	15 tools (12 code + 3 business)
Webhooks	HMAC-SHA256, 30+ event types, 13 target apps

RBS Ecosystem Architecture ​

Core Philosophy ​

System Architecture ​

Platform Details ​

Camino — SSO IdP + Headless Marketing Engine ​

Colectiva — Brains + Operations ​

Constanza — AI Accounting + Tax Compliance ​

Banxico Microservice — Payment Infrastructure ​

Vertical Apps ​

Caracol — Restaurant/Wine POS ​

La Hoja — Restaurant ERP + POS ​

Comal — E-Commerce SaaS ​

Plenura — Therapy/Wellness Marketplace ​

Cosmos Pet — Veterinary Clinic Management ​

Mancha — Restaurant Reservations ​

Agora — Legal Practice Management ​

Rito — REPE Fund Management ​

Shelf Code (deployed but inactive) ​

Shared Infrastructure ​

Ecosystem SDK (v0.4.1) ​

MCP Server (15 tools) ​

RBS Website ​

Integration Patterns ​

Authentication ​

Webhook Flow ​

CFDI Invoicing Flow ​

Subscription Lifecycle ​

Headless Marketing Flow ​

Scheduled Jobs ​

Three-Layer Scheduling ​

Critical Dependency: Colectiva Heartbeat ​

Decision Criteria ​

Security (March 2026 Hardening) ​

Database Distribution ​

Revenue Reality ​

Status Summary ​

Tech Stack Summary ​